diff --git a/.github/workflows/close-external-prs.yml b/.github/workflows/close-external-prs.yml index 2e7db830..21b2e2c7 100644 --- a/.github/workflows/close-external-prs.yml +++ b/.github/workflows/close-external-prs.yml @@ -37,8 +37,9 @@ jobs: // contribution — it adds marketplace.json entries whose source repo ALREADY backs // a live plugin here, and changes nothing else. (No maintained allowlist: the set // of allowed repos is derived from the live marketplace.) This grants only the - // right to open a reviewable PR; the External PR Scope Guard required check and a - // maintainer approval still gate the merge. + // right to open a reviewable PR; the validate + scan checks and a maintainer + // approval still gate the merge (the External PR Scope Guard is advisory signal, + // not a required check). const result = await evaluate({ github, context }); if (result.ok && result.added.length > 0) { console.log(`In-scope external contribution (adds: ${result.added.join(', ')}) — allowing PR.`); diff --git a/.github/workflows/external-pr-scope-guard.yml b/.github/workflows/external-pr-scope-guard.yml index 10448756..3d67296f 100644 --- a/.github/workflows/external-pr-scope-guard.yml +++ b/.github/workflows/external-pr-scope-guard.yml @@ -1,14 +1,17 @@ name: External PR Scope Guard -# Required status check that constrains what a NON-MEMBER pull request may change. -# Members (write/admin) are unrestricted and skip this check. For a non-member PR this -# fails unless the PR is an in-scope external contribution per .github/scripts/external-pr-scope.js: -# it changes ONLY .claude-plugin/marketplace.json, the delta is additions-only (no existing -# entry modified or removed), and every ADDED entry's source.url is a repo that ALREADY backs -# a live plugin in this marketplace (the allowed set is derived from the live marketplace — -# there is no maintained allowlist). +# Advisory check that surfaces what a NON-MEMBER pull request may change. +# Members (write/admin) and the repo's own automation bot (bump SHA PRs) are unrestricted and +# skip this check. For a non-member PR this fails unless the PR is an in-scope external +# contribution per .github/scripts/external-pr-scope.js: it changes ONLY +# .claude-plugin/marketplace.json, the delta is additions-only (no existing entry modified or +# removed), and every ADDED entry's source.url is a repo that ALREADY backs a live plugin in +# this marketplace (the allowed set is derived from the live marketplace — there is no +# maintained allowlist). # -# Add the scope-guard job as a REQUIRED status check in branch protection for it to block merge. +# Do NOT add this job to branch protection as a required status check. The merge gate is the +# `validate` + `scan` checks plus a maintainer approval; this guard is advisory signal for the +# reviewer, not a hard gate. (Making it required would block the no-approval bump-merge path.) # # Security: runs on pull_request_target but checks out only the BASE repo (trusted) for the # shared script; the head marketplace.json is fetched as DATA via the API and parsed, never executed.