chore: add contribution gate workflows

2026-06-02 10:29:46 +08:00
parent f48e398ba5
commit 97c615ca9c
5 changed files with 377 additions and 0 deletions
@@ -0,0 +1,84 @@
+name: Contribution gate - issues
+
+on:
+  issues:
+    types: [opened, reopened]
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  gate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Close unapproved external issues
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issue = context.payload.issue;
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const privileged = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);
+
+            if (issue.pull_request) return;
+            if (privileged.has(issue.author_association)) return;
+            if (issue.user.login === 'github-actions[bot]') return;
+
+            function parseAllowlist(content) {
+              return new Set(
+                content
+                  .split(/\r?\n/)
+                  .map(line => line.replace(/#.*/, '').trim().toLowerCase())
+                  .filter(Boolean)
+              );
+            }
+
+            async function readAllowlist() {
+              try {
+                const { data } = await github.rest.repos.getContent({
+                  owner,
+                  repo,
+                  path: '.github/APPROVED_CONTRIBUTORS',
+                  ref: context.payload.repository.default_branch,
+                });
+                if (Array.isArray(data) || data.type !== 'file') return new Set();
+                return parseAllowlist(
+                  Buffer.from(data.content, data.encoding || 'base64').toString('utf8')
+                );
+              } catch (error) {
+                if (error.status === 404) return new Set();
+                throw error;
+              }
+            }
+
+            const allowlist = await readAllowlist();
+            const login = issue.user.login.toLowerCase();
+            if (
+              allowlist.has(login) ||
+              allowlist.has(`all:${login}`) ||
+              allowlist.has(`issue:${login}`)
+            ) {
+              return;
+            }
+
+            await github.rest.issues.createComment({
+              owner,
+              repo,
+              issue_number: issue.number,
+              body: [
+                `Thanks @${issue.user.login} for the report.`,
+                '',
+                'This repository currently uses a maintainer-managed contribution gate, so issues from contributors who are not listed in `.github/APPROVED_CONTRIBUTORS` are closed automatically.',
+                '',
+                'Please read `CONTRIBUTING.md` for the expected issue shape. A maintainer can grant issue access by commenting `/lgtmi` on an issue.',
+              ].join('\n'),
+            });
+
+            await github.rest.issues.update({
+              owner,
+              repo,
+              issue_number: issue.number,
+              state: 'closed',
+              state_reason: 'not_planned',
+            });