mirror of
https://github.com/lucas-labs/claude-plugins.git
synced 2026-07-10 19:25:44 -03:00
* feat(ci): allow live external contributors to open scoped PRs Add an opt-in allowlist so a vetted external developer who already has a plugin live in this marketplace — but cannot use the submission form (e.g. an enterprise partner without a Claude account) — can open a reviewable PR instead of having it auto-closed. - .github/external-contributors.json: username -> allowed_sources map (doubles as the allowlist and the per-author source scope). - close-external-prs.yml: skip the auto-close for allowlisted authors (reads the list from the trusted base checkout). Grants ONLY the right to open a PR; CI + maintainer approval are unchanged. - external-pr-scope-guard.yml: required check for allowlisted external authors. Fails unless the PR touches ONLY marketplace.json and the delta is additions-only, with every added entry's source.url under that author's allowed_sources. Anthropic members are unrestricted. Reads head marketplace.json as data via the API (no untrusted checkout). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs(ci): neutral wording in external-contributors allowlist note Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * refactor(ci): key external-PR allowlist on source org, not individuals Replace the per-username allowlist with a source-org allowlist so no individual is named in the repo. A non-member PR stays open only if it adds marketplace.json entries whose source.url is under an allowlisted prefix and changes nothing else; merge still requires CI + maintainer approval. - external-pr-allowed-sources.json: flat allowed_sources prefixes (no usernames) - scripts/external-pr-scope.js: shared additions-only / allowed-source logic - close-external-prs.yml + external-pr-scope-guard.yml: both use the shared module Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * refactor(ci): derive external-PR scope from live repos, no maintained list Replace the curated source-org allowlist with auto-derivation from the live marketplace. A non-member PR stays open only if it ADDS entries whose source.url repo ALREADY backs a live plugin here, additions-only, nothing else touched. No list to maintain, no individuals named. Trust is anchored in the source repo + pinned SHA (org-controlled), not the submitter's identity; merge still requires CI + maintainer approval. - remove external-pr-allowed-sources.json - scripts/external-pr-scope.js: derive allowed repos from base marketplace.json - both workflows drop the allowlist-file arg Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(ci): diff external-PR scope against the merge-base, not base tip Comparing base-branch-tip -> head made a fork that is behind main report all of main's later additions as phantom removals/modifications, which would wrongly fail the scope guard for a legitimate additions-only PR. Diff merge-base -> head (the PR's actual changes) instead; keep the "already live" check against the current base branch. Found by an end-to-end run of evaluate() against real PR data (#3298 stayed clean; #3044's phantom drift collapsed to its real one-line change). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
65 lines
2.7 KiB
YAML
65 lines
2.7 KiB
YAML
name: Close External PRs
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened]
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
issues: write
|
|
contents: read
|
|
|
|
jobs:
|
|
check-membership:
|
|
if: vars.DISABLE_EXTERNAL_PR_CHECK != 'true'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
# pull_request_target: checks out the BASE repo (trusted), so the allowlist + shared
|
|
# script below are this repo's versions, never the fork's.
|
|
- uses: actions/checkout@v4
|
|
- name: Close PR unless author is a member or the PR is an in-scope external contribution
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const author = context.payload.pull_request.user.login;
|
|
|
|
const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
username: author
|
|
});
|
|
|
|
if (['admin', 'write'].includes(data.permission)) {
|
|
console.log(`${author} has ${data.permission} access, allowing PR`);
|
|
return;
|
|
}
|
|
|
|
// Non-member: allow the PR to stay open ONLY if it is an in-scope external
|
|
// contribution — it adds marketplace.json entries whose source repo ALREADY backs
|
|
// a live plugin here, and changes nothing else. (No maintained allowlist: the set
|
|
// of allowed repos is derived from the live marketplace.) This grants only the
|
|
// right to open a reviewable PR; the External PR Scope Guard required check and a
|
|
// maintainer approval still gate the merge.
|
|
const { evaluate } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
|
|
const result = await evaluate({ github, context });
|
|
if (result.ok && result.added.length > 0) {
|
|
console.log(`In-scope external contribution (adds: ${result.added.join(', ')}) — allowing PR.`);
|
|
return;
|
|
}
|
|
|
|
console.log(`Closing PR from ${author}: ${result.problems.join('; ') || 'out of scope'}`);
|
|
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.payload.pull_request.number,
|
|
body: `Thanks for your interest! This repo only accepts contributions from Anthropic team members. If you'd like to submit a plugin to the marketplace, please submit your plugin [here](https://clau.de/plugin-directory-submission).`
|
|
});
|
|
|
|
await github.rest.pulls.update({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: context.payload.pull_request.number,
|
|
state: 'closed'
|
|
});
|