fix(automation): robust label enforcement with permission checks#16762

Merged
bdmorgan merged 2 commits into
mainfrom
fix/label-enforcer-permissions
Jan 15, 2026
Conversation

@bdmorgan

Collaborator

Summary

Fixes the label-enforcer workflow to properly handle maintainer permissions and avoid bot loops, while adding protection for the 🔒 maintainer only label.

Details

  1. Permission Check Fix: Switches from checking team membership to checking repository permission levels directly (admin or write). This is more robust as it doesn't require the GitHub App to have Organization-level read permissions and correctly handles anyone with write access to the repository.
  2. Bot Loop Prevention: Broadens the bot check to ignore all users ending in [bot]. This prevents the workflow from entering an infinite loop when interacting with other automated tools (like gemini-cli[bot]), which was causing hundreds of redundant comments.
  3. Label Protection: Adds 🔒 maintainer only to the list of protected labels.

Related Issues

Fixes #16205
Fixes #14139
Fixes #16741

How to Validate

  1. Permissions: Verify that a user with 'Write' access (like @bdmorgan) can modify protected labels without the workflow reverting them.
  2. Bot Loop: Verify that actions by gemini-cli[bot] or other bots are ignored.
  3. Label Enforcement: Verify that a non-maintainer cannot remove 🔒 maintainer only.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
    • Windows
    • Linux

@bdmorgan bdmorgan requested a review from a team as a code owner January 15, 2026 19:26
@gemini-code-assist

Contributor

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions

github-actions Bot commented Jan 15, 2026


Size Change: -2 B (0%)

Total Size: 23.1 MB

Filename                                       Size     Change
./bundle/gemini.js                             23 MB    -2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb    1.03 kB  0 B
./bundle/sandbox-macos-permissive-open.sb      890 B    0 B
./bundle/sandbox-macos-permissive-proxied.sb   1.31 kB  0 B
./bundle/sandbox-macos-restrictive-closed.sb   3.29 kB  0 B
./bundle/sandbox-macos-restrictive-open.sb     3.36 kB  0 B
./bundle/sandbox-macos-restrictive-proxied.sb  3.56 kB  0 B

compressed-size-action

@bdmorgan bdmorgan added this pull request to the merge queue Jan 15, 2026
Merged via the queue into main with commit 48fdb98 Jan 15, 2026
25 checks passed
@bdmorgan bdmorgan deleted the fix/label-enforcer-permissions branch January 15, 2026 20:00
Thomas-Shephard pushed a commit to Thomas-Shephard/gemini-cli that referenced this pull request Jan 21, 2026
thacio added a commit to thacio/auditaria that referenced this pull request Jan 24, 2026
kuishou68 pushed a commit to iOfficeAI/gemini-cli-pro that referenced this pull request Feb 27, 2026
@sripasg sripasg added the size/s A small PR label Jun 2, 2026

3 participants