1 files changed, 29 insertions, 0 deletions

diff --git a/.github/workflows/system-file-changes.yml b/.github/workflows/system-file-changes.yml
new file mode 100644
index 0000000000..a4229007a9
--- /dev/null
+++ b/.github/workflows/system-file-changes.yml
@@ -0,0 +1,29 @@
+# This is a copy of the equivalent file in mdn/content.
+# See https://github.com/mdn/content/blob/main/.github/workflows/system-file-changes.yml
+# If you make changes here, make sure it first makes sense in that repo.
+
+name: System file changes
+
+on:
+  pull_request_target:
+    paths:
+      - '.github/workflows/**'
+      - '.github/CODEOWNERS'
+
+jobs:
+  block:
+    # This make sure it only runs on our origin repo
+    # and make an exception for Dependabot.
+    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop anything and everything
+        run: |
+          # It would be nice if we could disable this workflow if the PR
+          # was made from a branch within the origin repo. But it seems you
+          # can'd do that :(
+          # See https://github.community/t/how-do-you-figure-out-if-a-pr-is-from-a-work-in-pull-request-target-workflows/170001
+
+          echo "If you're an admin, you have you use your admin privileges to override."
+          echo "If you're not an admin, please ping someone for a review."
+          exit 1