
Gate CI on sync PRs to require committer authorship #423

Merged
holly-cummins merged 1 commit into quarkusio:main from holly-cummins:ci-gate-sync-prs
Apr 9, 2026

Conversation

@holly-cummins
Collaborator

@holly-cummins holly-cummins commented Apr 9, 2026

See discussion in #423.

This updates the 'main' workflow to ensure that 'mirrors' of PRs created from forks don't automatically run. It uses labels, so it's easily bypassed, but only by people with label permissions on the repo.

  • Adds a ci-gate job that checks whether sync PR commit authors have write access to the repo
  • If the author is not a committer, CI is blocked unless a ci-approved label is manually added
  • Non-sync PRs, pushes, and workflow_dispatch are unaffected

How it works

  1. The ci-gate job runs first on every PR
  2. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions
  3. CI proceeds if the author has write/admin/maintain access or the ci-approved label is present
  4. Adding ci-approved to a blocked PR re-triggers the workflow (via the new labeled event type)

It's pretty complex code, so as ever with workflow changes, we may not really be able to test it until merging.

Sync PRs from non-committers could run CI on untrusted code. This adds
a ci-gate job that checks the original commit author's repo permissions
and blocks CI unless they have write access or the `ci-approved` label
is added manually.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
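The gate described in the steps above, written out as an added example (this is not the workflow code from this PR or from the quarkusio project). It is the body a ci-gate job could run: for a PR carrying the `sync` label it resolves every commit author on the PR, looks up each author's repository permission, and blocks unless all of them have write, maintain or admin access or the PR carries `ci-approved`; other PRs pass through untouched. Assumptions not taken from the PR: the PR number arrives in `PR_NUMBER`, `GITHUB_REPOSITORY` and `GITHUB_ACTIONS` are the standard Actions variables, the `gh` CLI is authenticated with the job token, and the lookup uses the REST "collaborators/{user}/permission" endpoint. The decision is kept in `gate_decision` so it can be exercised without network access; the GitHub calls only run inside Actions.

```shell
#!/usr/bin/env bash
# Added example of a ci-gate step for sync PRs; not the project's own code.
# Assumed inputs: PR_NUMBER (set by the workflow), GITHUB_REPOSITORY and
# GITHUB_ACTIONS (standard Actions env), an authenticated `gh` CLI.
set -eu

# Decide whether CI may run.
#   $1         comma-separated label names on the PR
#   $2..$n     one repo permission per distinct commit author
#              ("admin", "maintain", "write", "read", "none", or a sentinel
#              for a commit whose email is not linked to a GitHub account)
# Returns 0 to allow CI, 1 to block it.
gate_decision() {
  labels=",$1,"
  shift
  case "$labels" in
    *,sync,*) ;;                   # a sync PR: apply the checks below
    *) return 0 ;;                 # non-sync PRs are unaffected
  esac
  case "$labels" in
    *,ci-approved,*) return 0 ;;   # a maintainer opted this PR in by hand
  esac
  [ "$#" -gt 0 ] || return 1       # no resolvable author at all: block
  for permission in "$@"; do
    case "$permission" in
      admin|maintain|write) ;;     # committer: fine
      *) return 1 ;;               # read, none, unknown or unlinked: block
    esac
  done
  return 0
}

# Collect the inputs for one PR from GitHub and apply gate_decision.
gate_pr() {
  pr="$1"
  labels=$(gh pr view "$pr" --json labels --jq '[.labels[].name] | join(",")')
  perms=""
  # Check every distinct commit author, not just the first commit. A commit
  # whose author email is not linked to a GitHub account has a null
  # "author" in the API response; it is mapped to a sentinel and blocked.
  for login in $(gh api --paginate "repos/$GITHUB_REPOSITORY/pulls/$pr/commits" \
                   --jq '.[].author.login // "-unlinked-"' | sort -u); do
    if [ "$login" = "-unlinked-" ]; then
      perm="unlinked"
    else
      # The endpoint reports admin/write/read/none in "permission"; a lookup
      # failure (e.g. a deleted account) is treated as no access.
      perm=$(gh api "repos/$GITHUB_REPOSITORY/collaborators/$login/permission" \
               --jq '.permission' 2>/dev/null || echo none)
    fi
    perms="$perms $perm"
  done
  # shellcheck disable=SC2086  # perms is a space-separated list on purpose
  if gate_decision "$labels" $perms; then
    echo "ci-gate: CI allowed for PR #$pr"
  else
    echo "ci-gate: PR #$pr has sync commits from a non-committer;" \
         "add the ci-approved label to run CI" >&2
    exit 1
  fi
}

# Only talk to GitHub inside Actions; elsewhere the file just defines the
# functions so the decision logic can be tested offline.
if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  gate_pr "${PR_NUMBER:?set PR_NUMBER to the pull request number}"
fi
```

To wire this in, the workflow's `pull_request` trigger needs `labeled` among its event types so that adding `ci-approved` re-runs the gate, and every other job declares `needs: ci-gate` so a failing gate stops them. Two caveats a reviewer would want on record: anyone who can set labels on the repo can bypass the gate, exactly as the description says, and because labels persist, commits pushed to the sync branch after `ci-approved` was added also run CI.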
@edeandrea
Collaborator

  1. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

@edeandrea
Collaborator

Also, this PR would be instead of #422, correct?

@holly-cummins
Collaborator Author

Also, this PR would be instead of #422, correct?

No, in addition. They're sort of orthogonal and can be merged in either order, but merging this one first would be marginally more secure.

@holly-cummins
Collaborator Author

  1. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

@holly-cummins
Collaborator Author

  1. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

Nevermind, I'd already done that and forgotten. :) It's here:

NEW_PR=$(gh pr create --base $TARGET_BRANCH --head $SYNC_BRANCH --title "$PR_TITLE" --body "$PR_BODY" --label "sync")

@edeandrea
Collaborator

  1. For PRs with the sync label, it queries the GitHub API for the commit author's repo permissions

How does the sync label get added? Does the PR author have to manually add it?

That's not the intention. This is what comes of rushing a PR before a forced machine reboot. Will fix, thank you!

Nevermind, I'd already done that and forgotten. :) It's here:

NEW_PR=$(gh pr create --base $TARGET_BRANCH --head $SYNC_BRANCH --title "$PR_TITLE" --body "$PR_BODY" --label "sync")

Aha! I read/commented on the text before I looked at any of the changes (you know, make sure the flow matches expectations....) :)

@edeandrea
Collaborator

Also, this PR would be instead of #422, correct?

No, in addition. They're sort of orthogonal and can be merged in either order, but merging this one first would be marginally more secure.

I'd rather wait on #422 until this is done, then rebase it on top of this one.

@holly-cummins holly-cummins merged commit 9b29e5e into quarkusio:main Apr 9, 2026
24 checks passed
@holly-cummins holly-cummins deleted the ci-gate-sync-prs branch April 9, 2026 18:46

2 participants