From 850c26a3a2474b0d068abc89c905f536cca415de Mon Sep 17 00:00:00 2001
From: seth <getchoo@tuta.io>
Date: Fri, 12 Apr 2024 02:48:24 +0000
Subject: [PATCH] ci: validate source changes in PRs (#113)

---
 .github/checkSources.nix               | 11 +++++++++
 .github/workflows/validate-sources.yml | 32 ++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 .github/checkSources.nix
 create mode 100644 .github/workflows/validate-sources.yml

diff --git a/.github/checkSources.nix b/.github/checkSources.nix
new file mode 100644
index 0000000..db11586
--- /dev/null
+++ b/.github/checkSources.nix
@@ -0,0 +1,11 @@
+let
+  sourceFile = ../_sources/generated.json;
+  sources = builtins.fromJSON (builtins.readFile sourceFile);
+  isFromOrg = v: v.src.owner == "catppuccin";
+  badSources = builtins.filter (src: !(isFromOrg src)) (builtins.attrValues sources);
+in
+  # error if any sources are found that don't originate
+  # from the catppuccin org
+  if ((builtins.length badSources) == 0)
+  then "GOOD"
+  else builtins.throw "BAD"
diff --git a/.github/workflows/validate-sources.yml b/.github/workflows/validate-sources.yml
new file mode 100644
index 0000000..609b968
--- /dev/null
+++ b/.github/workflows/validate-sources.yml
@@ -0,0 +1,32 @@
+name: Validate sources
+# Per CONTRIBUTING.md, we do not accept unofficial ports. This enforces
+# that policy and ensures all sources are only from the official GitHub org
+
+on:
+  push:
+    paths:
+      - '_sources/**'
+      - 'nvfetcher.toml'
+  pull_request:
+    paths:
+      - '_sources/**'
+      - 'nvfetcher.toml'
+  workflow_dispatch:
+
+jobs:
+  check:
+    name: Check for external repositories
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v26
+
+      - name: Run check
+        run: |
+          set -e
+          nix eval --file ./.github/checkSources.nix