fix: harden contribution gate bypasses

.github/workflows/approve-contributor.yml

@@ -42,6 +42,15 @@ jobs:
               });
               return;
             }
+            if (scope === 'issue' && issue.pull_request) {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number: issue.number,
+                body: '`/lgtmi` grants issue access and must be used on an issue. Use `/lgtm` to grant PR access.',
+              });
+              return;
+            }
 
             const path = '.github/APPROVED_CONTRIBUTORS';
             const targetLogin = issue.user.login;

.github/workflows/issue-gate.yml

@@ -55,7 +55,6 @@ jobs:
             const allowlist = await readAllowlist();
             const login = issue.user.login.toLowerCase();
             if (
-              allowlist.has(login) ||
               allowlist.has(`all:${login}`) ||
               allowlist.has(`issue:${login}`)
             ) {

.github/workflows/pr-gate.yml

@@ -24,7 +24,6 @@ jobs:
 
             if (privileged.has(pr.author_association)) return;
             if (pr.user.login === 'github-actions[bot]') return;
-            if ((pr.head.ref || '').startsWith('contribution-gate/')) return;
 
             function parseAllowlist(content) {
               return new Set(
@@ -56,7 +55,6 @@ jobs:
             const allowlist = await readAllowlist();
             const login = pr.user.login.toLowerCase();
             if (
-              allowlist.has(login) ||
               allowlist.has(`all:${login}`) ||
               allowlist.has(`pr:${login}`)
             ) {