mirror of
https://github.com/lucas-labs/claude-plugins.git
synced 2026-07-10 11:15:45 -03:00
* Exempt the bump bot from the external-PR scope guard The External PR Scope Guard (#3353) and the auto-closer both look up the PR author's collaborator permission and, for anyone who is not write/admin, require the PR to ADD marketplace.json entries (additions-only). Internal bump PRs are authored by github-actions[bot], which is not reported as a member, so a SHA-bump — a legitimate MODIFY of an existing entry — fails the guard (e.g. #3391 "modifies existing entry: astronomer-data-agents"). Add a shared isExemptAuthor() helper that exempts both org members and the repo's own automation bot, and route both workflows through it. Safe under pull_request_target: a fork PR cannot author as github-actions[bot] (only the org's own GITHUB_TOKEN workflow can), and the member path is still a real permission lookup. The helper also wraps getCollaboratorPermissionLevel in try/catch — previously a non-collaborator/unknown-user lookup threw and errored the job instead of falling through to scope evaluation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Correct stale "required status check" guidance in scope-guard comments The scope guard is advisory, not a required status check — the merge gate is validate + scan + a maintainer approval. The old header told operators to add it to branch protection, which is now contra-indicated (it would block the no-approval bump-merge path). Update both workflow comments to match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
64 lines
2.7 KiB
YAML
64 lines
2.7 KiB
YAML
name: Close External PRs
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened]
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
issues: write
|
|
contents: read
|
|
|
|
jobs:
|
|
check-membership:
|
|
if: vars.DISABLE_EXTERNAL_PR_CHECK != 'true'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
# pull_request_target: checks out the BASE repo (trusted), so the allowlist + shared
|
|
# script below are this repo's versions, never the fork's.
|
|
- uses: actions/checkout@v4
|
|
- name: Close PR unless author is a member or the PR is an in-scope external contribution
|
|
uses: actions/github-script@v7
|
|
with:
|
|
script: |
|
|
const author = context.payload.pull_request.user.login;
|
|
|
|
const { evaluate, isExemptAuthor } = require(`${process.env.GITHUB_WORKSPACE}/.github/scripts/external-pr-scope.js`);
|
|
|
|
// Members (write/admin) and the repo's own automation bot (bump SHA PRs) are never
|
|
// auto-closed.
|
|
const ex = await isExemptAuthor({ github, context });
|
|
if (ex.exempt) {
|
|
console.log(`${ex.reason} — allowing PR`);
|
|
return;
|
|
}
|
|
|
|
// Non-member: allow the PR to stay open ONLY if it is an in-scope external
|
|
// contribution — it adds marketplace.json entries whose source repo ALREADY backs
|
|
// a live plugin here, and changes nothing else. (No maintained allowlist: the set
|
|
// of allowed repos is derived from the live marketplace.) This grants only the
|
|
// right to open a reviewable PR; the validate + scan checks and a maintainer
|
|
// approval still gate the merge (the External PR Scope Guard is advisory signal,
|
|
// not a required check).
|
|
const result = await evaluate({ github, context });
|
|
if (result.ok && result.added.length > 0) {
|
|
console.log(`In-scope external contribution (adds: ${result.added.join(', ')}) — allowing PR.`);
|
|
return;
|
|
}
|
|
|
|
console.log(`Closing PR from ${author}: ${result.problems.join('; ') || 'out of scope'}`);
|
|
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.payload.pull_request.number,
|
|
body: `Thanks for your interest! This repo only accepts contributions from Anthropic team members. If you'd like to submit a plugin to the marketplace, please submit your plugin [here](https://clau.de/plugin-directory-submission).`
|
|
});
|
|
|
|
await github.rest.pulls.update({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: context.payload.pull_request.number,
|
|
state: 'closed'
|
|
});
|