From 880a85f40413dd3ea5b652d0d54a7e6be7cffe0f Mon Sep 17 00:00:00 2001
From: marco <marco@crowdsec.net>
Date: Fri, 9 May 2025 11:17:51 +0200
Subject: [PATCH] CI: ensure tests don't alter the repository

---
 .github/workflows/go-tests.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
index b0348c842..35a097837 100644
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@@ -181,7 +181,17 @@ jobs:
     - name: Unit tests
       run: |
         go install gotest.tools/gotestsum@v1.12.1
+        # make the repo read-only, with the exception of coverage output
+        touch coverage.out
+        chmod -R a-w .
+        chmod u+w coverage.out
         make testcover
+        # ignore/discard changes to codecov.yml
+        if [[ $(git status --porcelain -- . ":(exclude).github/codecov.yml" ]]; then
+          echo "Error: Unit tests should not create or alter files inside the repository. Please use the appropriate testing helpers or otherwise temporary locations."
+          git diff --name-only
+          exit 1
+        fi
 
     # check if some component stubs are missing
     - name: "Build profile: minimal"