Add GitHub Actions workflow and pre-commit hook to block annotations.csv changes #11

Draft
Copilot wants to merge 3 commits into main from copilot/add-github-actions-workflow

Copilot AI commented Nov 10, 2025

Annotations.csv files are centrally maintained and should not be modified in pull requests. This adds CI enforcement and optional local checks.

Changes

  • .github/workflows/annotations-protect.yml: Workflow that fails PRs modifying any annotations.csv file. Runs on PR open/update/reopen/edit events. Includes explicit permissions: contents: read for least privilege.

  • .github/scripts/check_annotations.sh: Executable helper script supporting two modes:

    • No args: checks staged files (for pre-commit hooks)
    • Two args (base, head): compares refs (for CI)
  • .pre-commit-config.yaml: Optional local hook preventing annotations.csv staging before commit.

Example

If a PR modifies app/data/annotations.csv, the workflow will fail with:

::error::Detected changes to one or more annotations.csv files. These files are centrally maintained and must not be modified in PRs.

The pre-commit hook provides the same protection locally before commit.

This pull request was created as a result of the following prompt from Copilot chat.

Add a GitHub Actions workflow and an optional pre-commit hook to block changes to any annotations.csv files in pull requests and local commits.

Files to add:

  1. .github/workflows/annotations-protect.yml

```yaml
name: Protect annotations.csv

on:
  pull_request:
    types: [opened, synchronize, reopened, edited]

jobs:
  check-annotations:
    name: Fail if annotations.csv changed
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run annotations check
        env:
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          set -euo pipefail

          # Fetch base branch so we can diff against it
          git fetch origin "$PR_BASE_REF"

          # List changed files between the PR base and the current HEAD
          CHANGED=$(git diff --name-only "origin/$PR_BASE_REF" HEAD || true)

          echo "Changed files in this PR:"
          printf '%s\n' "$CHANGED"

          # If any path is named annotations.csv anywhere in the tree, fail
          if printf '%s\n' "$CHANGED" | grep -qE '(^|/)annotations\.csv$'; then
            echo "::error::Detected changes to one or more annotations.csv files. These files are centrally maintained and must not be modified in PRs."
            echo "If you intended to update annotations data, please open an issue or follow the project's data update process."
            exit 1
          fi

          echo "OK: No annotations.csv files modified."
```

  2. .github/scripts/check_annotations.sh

```bash
#!/usr/bin/env bash
# Helper script to check that no annotations.csv files are modified in a PR or commit.
# Usage:
#  - From CI: check against a base ref (e.g. git fetch origin main; check_annotations.sh origin/main HEAD)
#  - From pre-commit / local: uses git diff --cached to inspect staged files.

set -euo pipefail

# If two args provided, treat them as base and head for comparison
if [ "$#" -eq 2 ]; then
  base_ref="$1"
  head_ref="$2"
  changed_files=$(git diff --name-only "$base_ref" "$head_ref" || true)
else
  # Default: check staged files (for pre-commit)
  changed_files=$(git diff --cached --name-only || true)
fi

if printf '%s\n' "$changed_files" | grep -qE '(^|/)annotations\.csv$'; then
  echo "ERROR: You are modifying one or more annotations.csv files:"
  printf '%s\n' "$changed_files" | grep -E '(^|/)annotations\.csv$' || true
  echo "These files are centrally maintained and should not be changed in PRs."
  echo "If you need to update annotation data, please follow the project's data update process (open an issue or contact the maintainers)."
  exit 1
fi

echo "OK: No annotations.csv files modified."
exit 0
```

Make the script executable (mode 0755).


  3. .pre-commit-config.yaml (optional, for local checks)

```yaml
repos:
  - repo: local
    hooks:
      - id: prevent-annotations-change
        name: Prevent changes to annotations.csv
        entry: bash -c 'if git diff --cached --name-only | grep -qE "(^|/)annotations\.csv$"; then echo "ERROR: staging changes to annotations.csv is not allowed."; git diff --cached --name-only | grep -E "(^|/)annotations\.csv$"; exit 1; fi'
        language: system
        stages: [commit]
```

Commit message: "Add CI workflow and pre-commit hook to prevent changes to annotations.csv"
Branch name: create a feature branch named "ci/prevent-annotations-changes" and open a PR against the repository's default branch.

Rationale:

  • annotations.csv files are centrally maintained; accidental edits in PRs should be blocked.
  • The workflow runs on pull_request and diffs the PR head against the PR base branch, failing if any file named annotations.csv is changed anywhere in the repository tree.
  • The pre-commit hook gives local feedback to contributors before they commit.

Please create a pull request with these files added. Ensure the script is executable in the commit.

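Added example, not part of the pull request or the original prompt: the path filter on its own, run over a constructed list of changed paths, comparing a pattern whose anchor group is optional, `(^|/)?annotations.csv$`, with the anchored form `(^|/)annotations\.csv$`. The function names and sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: path filter for a "protected file" CI check.
# Function names and sample paths are constructed for illustration.

LOOSE='(^|/)?annotations.csv$'    # anchor group optional, dot unescaped
STRICT='(^|/)annotations\.csv$'   # whole path component must match

# Constructed list of changed paths, one per line.
sample_paths() {
  cat <<'EOF'
app/data/annotations.csv
annotations.csv
docs/old_annotations.csv
data/annotationsXcsv
app/data/annotations.csv.bak
src/main.py
EOF
}

# Print the paths on stdin that match extended regex $1.
matching_paths() {
  grep -E -- "$1" || true
}

# Count the paths on stdin that match extended regex $1.
count_matches() {
  matching_paths "$1" | wc -l | tr -d ' '
}

# Return 1 if stdin lists a protected file, 0 otherwise.
check_paths() {
  hits=$(matching_paths "$STRICT")
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/ERROR: protected file changed: /' >&2
    return 1
  fi
  return 0
}

# The loose pattern also flags old_annotations.csv and annotationsXcsv.
echo "loose pattern flags $(sample_paths | count_matches "$LOOSE") paths"
echo "strict pattern flags $(sample_paths | count_matches "$STRICT") paths"
sample_paths | check_paths || echo "check failed as expected"
```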

Copilot AI and others added 2 commits November 10, 2025 18:21
….csv

Co-authored-by: henrykironde <5192965+henrykironde@users.noreply.github.com>
Co-authored-by: henrykironde <5192965+henrykironde@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add GitHub Actions workflow to protect annotations.csv" to "Add GitHub Actions workflow and pre-commit hook to block annotations.csv changes" Nov 10, 2025
Copilot AI requested a review from henrykironde November 10, 2025 18:33