Correct stale "required status check" guidance in scope-guard comments

The scope guard is advisory, not a required status check — the merge gate is
validate + scan + a maintainer approval. The old header told operators to add
it to branch protection, which is now contra-indicated (it would block the
no-approval bump-merge path). Update both workflow comments to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Bryan Thompson 2026-06-25 21:50:37 -05:00
parent 63f2b164fb
commit beb6ec5d10
No known key found for this signature in database
GPG Key ID: 1D66D91917EE02E6
2 changed files with 14 additions and 10 deletions

View File

@ -37,8 +37,9 @@ jobs:
// contribution — it adds marketplace.json entries whose source repo ALREADY backs
// a live plugin here, and changes nothing else. (No maintained allowlist: the set
// of allowed repos is derived from the live marketplace.) This grants only the
// right to open a reviewable PR; the External PR Scope Guard required check and a
// maintainer approval still gate the merge.
// right to open a reviewable PR; the validate + scan checks and a maintainer
// approval still gate the merge (the External PR Scope Guard is advisory signal,
// not a required check).
const result = await evaluate({ github, context });
if (result.ok && result.added.length > 0) {
console.log(`In-scope external contribution (adds: ${result.added.join(', ')}) — allowing PR.`);

View File

@ -1,14 +1,17 @@
name: External PR Scope Guard
# Required status check that constrains what a NON-MEMBER pull request may change.
# Members (write/admin) are unrestricted and skip this check. For a non-member PR this
# fails unless the PR is an in-scope external contribution per .github/scripts/external-pr-scope.js:
# it changes ONLY .claude-plugin/marketplace.json, the delta is additions-only (no existing
# entry modified or removed), and every ADDED entry's source.url is a repo that ALREADY backs
# a live plugin in this marketplace (the allowed set is derived from the live marketplace —
# there is no maintained allowlist).
# Advisory check that surfaces what a NON-MEMBER pull request may change.
# Members (write/admin) and the repo's own automation bot (bump SHA PRs) are unrestricted and
# skip this check. For a non-member PR this fails unless the PR is an in-scope external
# contribution per .github/scripts/external-pr-scope.js: it changes ONLY
# .claude-plugin/marketplace.json, the delta is additions-only (no existing entry modified or
# removed), and every ADDED entry's source.url is a repo that ALREADY backs a live plugin in
# this marketplace (the allowed set is derived from the live marketplace — there is no
# maintained allowlist).
#
# Add the scope-guard job as a REQUIRED status check in branch protection for it to block merge.
# Do NOT add this job to branch protection as a required status check. The merge gate is the
# `validate` + `scan` checks plus a maintainer approval; this guard is advisory signal for the
# reviewer, not a hard gate. (Making it required would block the no-approval bump-merge path.)
#
# Security: runs on pull_request_target but checks out only the BASE repo (trusted) for the
# shared script; the head marketplace.json is fetched as DATA via the API and parsed, never executed.