Gate CI on sync PRs to require committer authorship

[holly-cummins]

See discussion in #423.

This updates the 'main' workflow to ensure that 'mirrors' of PRs created from forks don't automatically run. It uses labels, so it's easily bypassed, but only by people with label permissions on the repo.

• Adds a ci-gate job that checks whether sync PR commit authors have write access to the repo
• If the author is not a committer, CI is blocked unless a ci-approved label is manually added
• Non-sync PRs, pushes, and workflow_dispatch are unaffected

How it works

1. The ci-gate job runs first on every PR
2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions
3. CI proceeds if the author has write/admin/maintain access or the ci-approved label is present
4. Adding ci-approved to a blocked PR re-triggers the workflow (via the new labeled event type)

It's pretty complex code, so as ever with workflow changes, we may not really be able to test it until merging.

[edeandrea]

2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

[edeandrea]

Also, this PR would be instead of #422, correct?

[holly-cummins]

Also, this PR would be instead of #422, correct?

No, in addition. They're sort of orthogonal and can be merged in either order, but merging this one first would be marginally more secure.

[holly-cummins]

2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

[holly-cummins]

2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

Nevermind, I'd already done that and forgotten. :) It's here:

spring-quarkus-perf-comparison/.github/workflows/syncbot.yml

Line 103 in 31f1bbd

NEW_PR=$(gh pr create --base $TARGET_BRANCH --head $SYNC_BRANCH --title "$PR_TITLE" --body "$PR_BODY" --label "sync")

[edeandrea]

2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

Nevermind, I'd already done that and forgotten. :) It's here:

spring-quarkus-perf-comparison/.github/workflows/syncbot.yml

Line 103 in 31f1bbd

NEW_PR=$(gh pr create --base $TARGET_BRANCH --head $SYNC_BRANCH --title "$PR_TITLE" --body "$PR_BODY" --label "sync")

Aha! I read/commented on the text before I looked at any of the changes (you know, make sure the flow matches expectations....) :)

[edeandrea]

Also, this PR would be instead of #422, correct?

No, in addition. They're sort of orthogonal and can be merged in either order, but merging this one first would be marginally more secure.

I'd rather wait on #422 until this is done, then rebase it on top of this one.