weecology · Copilot · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/.github/scripts/check_annotations.sh b/.github/scripts/check_annotations.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# Helper script to check that no annotations.csv files are modified in a PR or commit.
+# Usage:
+#  - From CI: check against a base ref (e.g. git fetch origin main; check_annotations.sh origin/main HEAD)
+#  - From pre-commit / local: uses git diff --cached to inspect staged files.
+set -euo pipefail
+
+# If two args provided, treat them as base and head for comparison
+if [ "$#" -eq 2 ]; then
+  base_ref="$1"
+  head_ref="$2"
+  changed_files=$(git diff --name-only "$base_ref" "$head_ref" || true)
+else
+  # Default: check staged files (for pre-commit)
+  changed_files=$(git diff --cached --name-only || true)
+fi
+
+if printf '%s\n' "$changed_files" | grep -qE '(^|/)?annotations\.csv$'; then
+  echo "ERROR: You are modifying one or more annotations.csv files:"
+  printf '%s\n' "$changed_files" | grep -E '(^|/)?annotations\.csv$' || true
+  echo "These files are centrally maintained and should not be changed in PRs."
+  echo "If you need to update annotation data, please follow the project's data update process (open an issue or contact the maintainers)."
+  exit 1
+fi
+
+echo "OK: No annotations.csv files modified."
+exit 0
diff --git a/.github/workflows/annotations-protect.yml b/.github/workflows/annotations-protect.yml
@@ -0,0 +1,41 @@
+name: Protect annotations.csv
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  check-annotations:
+    name: Fail if annotations.csv changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run annotations check
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          set -euo pipefail
+
+          # Fetch base branch so we can diff against it
+          git fetch origin "$PR_BASE_REF"
+
+          # List changed files between the PR base and the current HEAD
+          CHANGED=$(git diff --name-only "origin/$PR_BASE_REF" HEAD || true)
+
+          echo "Changed files in this PR:"
+          printf '%s\n' "$CHANGED"
+
+          # If any path is named annotations.csv anywhere in the tree, fail
+          if printf '%s\n' "$CHANGED" | grep -qE '(^|/)?annotations\.csv$'; then
+            echo "::error::Detected changes to one or more annotations.csv files. These files are centrally maintained and must not be modified in PRs."
+            echo "If you intended to update annotations data, please open an issue or follow the project's data update process."
+            exit 1
+          fi
+
+          echo "OK: No annotations.csv files modified."
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+repos:
+  - repo: local
+    hooks:
+      - id: prevent-annotations-change
+        name: Prevent changes to annotations.csv
+        entry: bash -c 'if git diff --cached --name-only | grep -qE "(^|/)?annotations\.csv$"; then echo "ERROR: staging changes to annotations.csv is not allowed."; git diff --cached --name-only | grep -E "(^|/)?annotations\.csv$"; exit 1; fi'
+        language: system
+        stages: [commit]