From dcf8350ff86c472cf62c0359ae37282b37cd8c20 Mon Sep 17 00:00:00 2001
From: Nightt <87569709+nightt5879@users.noreply.github.com>
Date: Tue, 2 Jun 2026 10:39:48 +0800
Subject: [PATCH] fix: harden contribution gate bypasses

---
 .github/workflows/approve-contributor.yml | 9 +++++++++
 .github/workflows/issue-gate.yml | 1 -
 .github/workflows/pr-gate.yml | 2 --
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/approve-contributor.yml b/.github/workflows/approve-contributor.yml
index 2818786f..6c773751 100644
--- a/.github/workflows/approve-contributor.yml
+++ b/.github/workflows/approve-contributor.yml
@@ -42,6 +42,15 @@ jobs:
 });
 return;
 }
+ if (scope === 'issue' && issue.pull_request) {
+ await github.rest.issues.createComment({
+ owner,
+ repo,
+ issue_number: issue.number,
+ body: '`/lgtmi` grants issue access and must be used on an issue. Use `/lgtm` to grant PR access.',
+ });
+ return;
+ }

 const path = '.github/APPROVED_CONTRIBUTORS';
 const targetLogin = issue.user.login;
diff --git a/.github/workflows/issue-gate.yml b/.github/workflows/issue-gate.yml
index 70fe83eb..6966fdf6 100644
--- a/.github/workflows/issue-gate.yml
+++ b/.github/workflows/issue-gate.yml
@@ -55,7 +55,6 @@ jobs:
 const allowlist = await readAllowlist();
 const login = issue.user.login.toLowerCase();
 if (
- allowlist.has(login) ||
 allowlist.has(`all:${login}`) ||
 allowlist.has(`issue:${login}`)
 ) {
diff --git a/.github/workflows/pr-gate.yml b/.github/workflows/pr-gate.yml
index 4be1758a..428af059 100644
--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@@ -24,7 +24,6 @@ jobs:

 if (privileged.has(pr.author_association)) return;
 if (pr.user.login === 'github-actions[bot]') return;
- if ((pr.head.ref || '').startsWith('contribution-gate/')) return;

 function parseAllowlist(content) {
 return new Set(
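Review bot: The new guard in approve-contributor.yml rejects only `/lgtmi` used on a pull request; the opposite mix-up, a PR-scoped `/lgtm` issued on a plain issue, is not handled in this hunk. If the PR scope is named `'pr'` (the gates look up `pr:${login}`, so that is presumably the value), a matching guard such as `if (scope === 'pr' && !issue.pull_request) { /* comment and */ return; }` would stop an issue author from being granted PR access by a misplaced command, unless a check earlier in the script already covers it. A one-line comment above the guard, `// issue.pull_request is set only when the comment is on a PR`, would also record why this field is the discriminator. The enclosing script starts and ends outside the hunk, so the scope parsing and the commenter's permission check could not be reviewed here.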
@@ -56,7 +55,6 @@ jobs:
 const allowlist = await readAllowlist();
 const login = pr.user.login.toLowerCase();
 if (
- allowlist.has(login) ||
 allowlist.has(`all:${login}`) ||
 allowlist.has(`pr:${login}`)
 ) {