codewhale/.github/workflows/issue-gate.yml

name: Contribution gate - issues

on:
  issues:
    types: [opened, reopened]

permissions:
  contents: read
  issues: write

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - name: Close unapproved external issues
        uses: actions/github-script@v7
        with:
          script: |
            const issue = context.payload.issue;
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const privileged = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);

            if (issue.pull_request) return;
            if (privileged.has(issue.author_association)) return;
            if (issue.user.login === 'github-actions[bot]') return;

            function parseAllowlist(content) {
              return new Set(
                content
                  .split(/\r?\n/)
                  .map(line => line.replace(/#.*/, '').trim().toLowerCase())
                  .filter(Boolean)
              );
            }

            async function readAllowlist() {
              try {
                const { data } = await github.rest.repos.getContent({
                  owner,
                  repo,
                  path: '.github/APPROVED_CONTRIBUTORS',
                  ref: context.payload.repository.default_branch,
                });
                if (Array.isArray(data) || data.type !== 'file') return new Set();
                return parseAllowlist(
                  Buffer.from(data.content, data.encoding || 'base64').toString('utf8')
                );
              } catch (error) {
                if (error.status === 404) return new Set();
                throw error;
              }
            }

            const allowlist = await readAllowlist();
            const login = issue.user.login.toLowerCase();
            if (
              allowlist.has(`all:${login}`) ||
              allowlist.has(`issue:${login}`)
            ) {
              return;
            }

            await github.rest.issues.createComment({
              owner,
              repo,
              issue_number: issue.number,
              body: [
                `Thanks @${issue.user.login} for the report.`,
                '',
                'This repository currently uses a maintainer-managed contribution gate, so issues from contributors who are not listed in `.github/APPROVED_CONTRIBUTORS` are closed automatically.',
                '',
                'Please read `CONTRIBUTING.md` for the expected issue shape. A maintainer can grant issue access by commenting `/lgtmi` on an issue.',
              ].join('\n'),
            });

            await github.rest.issues.update({
              owner,
              repo,
              issue_number: issue.number,
              state: 'closed',
              state_reason: 'not_planned',
            });