23 changes: 21 additions & 2 deletions .github/workflows/restricted-paths-guard.yml
Expand Up @@ -29,6 +29,7 @@ jobs:
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_URL: ${{ github.event.pull_request.html_url }}
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

# Workflow policy inputs
REVIEW_LABEL: Needs-Restricted-Paths-Review
Expand Down Expand Up @@ -113,9 +114,25 @@ jobs:
echo '```'
}

post_review_label_comment() {
local comment_body
printf -v comment_body '%s\n\n%s\n' \
"\`$REVIEW_LABEL\` was assigned by \`CI: Restricted Paths Guard\`." \
"For details, open [this workflow run]($RUN_URL) and click **Summary**."

if gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
-f body="$comment_body" >/dev/null; then
COMMENT_ACTION="posted"
else
COMMENT_ACTION="failed (non-fatal)"
echo "::warning::Failed to post PR comment about newly added $REVIEW_LABEL."
fi
}

HAS_TRUSTED_SIGNAL=false
LABEL_ACTION="not needed (no restricted paths)"
TRUSTED_SIGNALS="(none)"
COMMENT_ACTION="not needed"

if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
# Distinguish a legitimate 404 "not a collaborator" response from
Expand Down Expand Up @@ -149,13 +166,13 @@ jobs:
fi

case "$COLLABORATOR_PERMISSION" in
admin|maintain|write)
admin|maintain|write|triage|read)
HAS_TRUSTED_SIGNAL=true
LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
;;
*)
# triage, read, or none: not a trusted signal
# none: not a trusted signal
;;
esac
fi
Expand Down Expand Up @@ -189,6 +206,7 @@ jobs:
exit 1
else
LABEL_ACTION="added"
post_review_label_comment
fi
elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
LABEL_ACTION="left in place (manual removal required)"
Expand All @@ -203,6 +221,7 @@ jobs:
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo "- **Trusted signals**: $TRUSTED_SIGNALS"
echo "- **Label action**: $LABEL_ACTION"
echo "- **Comment action**: $COMMENT_ACTION"
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
echo ""
write_matching_restricted_paths
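Review bot: Extending the `case "$COLLABORATOR_PERMISSION"` arm to `admin|maintain|write|triage|read` makes the lowest non-`none` permission level suppress the review label, which weakens what the guard is for; `read` is also the level an organization base permission can grant, so this may treat any org member as trusted if that is how the repository is configured — worth confirming before merging. The new comment `# none: not a trusted signal` understates the default arm, which still catches an empty or unexpected value when the permission lookup did not yield one; `# none, empty or unexpected value: not a trusted signal` would be accurate. If accepting `read` and `triage` is intended, a one-line comment above the arm recording why those levels are now trusted would spare the next reader from re-deriving the policy. The `if` block that encloses this `case` begins in the previous hunk.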