codewhale/.github/workflows/pr-gate.yml

name: Contribution gate - pull requests

on:
  pull_request_target:
    types: [opened, reopened]

permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - name: Close unapproved external pull requests
        uses: actions/github-script@v7
        with:
          script: |
            const pr = context.payload.pull_request;
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const privileged = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);

            if (privileged.has(pr.author_association)) return;
            if (pr.user.login === 'github-actions[bot]') return;

            function parseAllowlist(content) {
              return new Set(
                content
                  .split(/\r?\n/)
                  .map(line => line.replace(/#.*/, '').trim().toLowerCase())
                  .filter(Boolean)
              );
            }

            async function readAllowlist() {
              try {
                const { data } = await github.rest.repos.getContent({
                  owner,
                  repo,
                  path: '.github/APPROVED_CONTRIBUTORS',
                  ref: pr.base.ref,
                });
                if (Array.isArray(data) || data.type !== 'file') return new Set();
                return parseAllowlist(
                  Buffer.from(data.content, data.encoding || 'base64').toString('utf8')
                );
              } catch (error) {
                if (error.status === 404) return new Set();
                throw error;
              }
            }

            const allowlist = await readAllowlist();
            const login = pr.user.login.toLowerCase();
            if (
              allowlist.has(`all:${login}`) ||
              allowlist.has(`pr:${login}`)
            ) {
              return;
            }

            await github.rest.issues.createComment({
              owner,
              repo,
              issue_number: pr.number,
              body: [
                `Thanks @${pr.user.login} for taking the time to contribute.`,
                '',
                'This repository currently uses a maintainer-managed contribution gate, so pull requests from contributors who are not listed in `.github/APPROVED_CONTRIBUTORS` are closed automatically.',
                '',
                'Please read `CONTRIBUTING.md` for the expected contribution shape. A maintainer can grant PR access by commenting `/lgtm` on a pull request.',
              ].join('\n'),
            });

            await github.rest.pulls.update({
              owner,
              repo,
              pull_number: pr.number,
              state: 'closed',
            });