Nightt
100 lines
3.6 KiB
YAML
100 lines
3.6 KiB
YAML
name: Contribution gate - issues
|
|
|
|
on:
|
|
issues:
|
|
types: [opened, reopened]
|
|
|
|
permissions:
|
|
contents: read
|
|
issues: write
|
|
|
|
env:
|
|
# Keep new gates observable first. Switch to "enforce" only after maintainers
|
|
# have seeded active contributors and reviewed the dry-run signal.
|
|
CONTRIBUTION_GATE_MODE: dry-run
|
|
|
|
jobs:
|
|
gate:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Gate unapproved external issues
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const issue = context.payload.issue;
|
|
const owner = context.repo.owner;
|
|
const repo = context.repo.repo;
|
|
const privileged = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);
|
|
const gateMode = (process.env.CONTRIBUTION_GATE_MODE || 'dry-run').trim().toLowerCase();
|
|
const enforceGate = gateMode === 'enforce';
|
|
|
|
if (!['dry-run', 'enforce'].includes(gateMode)) {
|
|
core.warning(`Unknown CONTRIBUTION_GATE_MODE "${gateMode}"; defaulting to dry-run.`);
|
|
}
|
|
|
|
if (privileged.has(issue.author_association)) return;
|
|
if (issue.user.login === 'github-actions[bot]') return;
|
|
|
|
function parseAllowlist(content) {
|
|
return new Set(
|
|
content
|
|
.split(/\r?\n/)
|
|
.map(line => line.replace(/#.*/, '').trim().toLowerCase())
|
|
.filter(Boolean)
|
|
);
|
|
}
|
|
|
|
async function readAllowlist() {
|
|
try {
|
|
const { data } = await github.rest.repos.getContent({
|
|
owner,
|
|
repo,
|
|
path: '.github/APPROVED_CONTRIBUTORS',
|
|
ref: context.payload.repository.default_branch,
|
|
});
|
|
if (Array.isArray(data) || data.type !== 'file') return new Set();
|
|
return parseAllowlist(
|
|
Buffer.from(data.content, data.encoding || 'base64').toString('utf8')
|
|
);
|
|
} catch (error) {
|
|
if (error.status === 404) return new Set();
|
|
throw error;
|
|
}
|
|
}
|
|
|
|
const allowlist = await readAllowlist();
|
|
const login = issue.user.login.toLowerCase();
|
|
if (
|
|
allowlist.has(`all:${login}`) ||
|
|
allowlist.has(`issue:${login}`)
|
|
) {
|
|
return;
|
|
}
|
|
|
|
const gateMessage = enforceGate
|
|
? 'This repository currently uses a maintainer-managed contribution gate, so issues from contributors who are not listed in `.github/APPROVED_CONTRIBUTORS` are closed automatically.'
|
|
: 'This repository is currently observing a maintainer-managed contribution gate in dry-run mode, so this issue is staying open. When enforcement is enabled, issues from contributors who are not listed in `.github/APPROVED_CONTRIBUTORS` will be closed automatically.';
|
|
|
|
await github.rest.issues.createComment({
|
|
owner,
|
|
repo,
|
|
issue_number: issue.number,
|
|
body: [
|
|
`Thanks @${issue.user.login} for the report.`,
|
|
'',
|
|
gateMessage,
|
|
'',
|
|
'Please read `CONTRIBUTING.md` for the expected issue shape. A maintainer can grant issue access by commenting `/lgtmi` on an issue.',
|
|
].join('\n'),
|
|
});
|
|
|
|
if (!enforceGate) return;
|
|
|
|
await github.rest.issues.update({
|
|
owner,
|
|
repo,
|
|
issue_number: issue.number,
|
|
state: 'closed',
|
|
state_reason: 'not_planned',
|
|
});
|