Address review: gate on token, real-time fork reviews, clearer docs

Make board-sync robust and fully real-time across origin and fork PRs, and
address Shannon's review comments:

- Gate the privileged github-script steps on HAS_TOKEN so a run without the
  bot token (a fork PR's head-context event on a public repo, or an
  unconfigured repo) skips cleanly instead of hard-failing github-script. This
  fixes the failing board-sync check.
- Add a workflow_run dispatch branch and a fork-review relay: pull_request_target
  and check_suite stay privileged for forks; origin reviews run directly; fork
  reviews route through pr-review-fork-bridge.yml (unprivileged) ->
  pr-review-fork-apply.yml (workflow_run, privileged) which resolves the PR by
  head SHA. No checkout anywhere, so the privileged path is not a pwn-request
  vector.
- Replace the two crowded state diagrams with one decision flowchart (status is
  recomputed each event, not transitioned, so a decision tree reads far better).
- Note the board is visible to org members (committers) only, in CONTRIBUTING.md
  and the maintainer guide.
- Clarify that Internal (write-access) authors identify and request their own
  reviewer.

Author: jhelferty-nv

.github/workflows/pr-board-sync.yml

@@ -36,10 +36,11 @@ name: PR Board Sync (reusable)
 # inlined into the Reconcile step (so this reusable workflow needs no checkout
 # when called from another repo). That inlined block is the single source of
 # truth; .github/scripts/{pr-signal,pr-assign}.test.js extract it from this YAML
-# (via extract-workflow-js.js) and unit-test it. scripts/pr_sweep.py (run on a
-# cadence) remains the idempotent safety net for events this workflow cannot see
-# -- e.g. fork-PR CI, missed webhooks, a manual issue link, or repos not yet
-# onboarded -- and for board drift reconciliation.
+# (via extract-workflow-js.js) and unit-test it. A periodic sweep (run on a
+# cadence; see pr-sweep-nightly.yml / mode: sweep) remains the idempotent safety
+# net for what events cannot deliver -- missed webhooks or failed runs, a
+# manually linked issue or post-hoc issue assignment, board drift, repos not yet
+# onboarded -- and reconciles the whole board.
 #
 # Cross-repo reuse: any shader-slang repo adds a thin caller workflow that
 # declares the PR event triggers and calls this one, mapping the single required
@@ -66,7 +67,17 @@ name: PR Board Sync (reusable)
 #
 # Safety: every job runs only on PR metadata / API calls and never checks out or
 # executes PR code, so `pull_request_target` (secrets available for fork PRs) is
-# safe here.
+# safe here. This is also why the privileged `workflow_run` path (below) is safe.
+#
+# Triggers and fork secrets (PUBLIC repo): callers drive this via privileged
+# events that DO receive the secret for fork PRs -- `pull_request_target` (PR
+# lifecycle/commits), `check_suite` (CI), `workflow_run` (the fork-review relay),
+# and `schedule` (the sweep). `pull_request_review` only receives the secret for
+# ORIGIN PRs; a fork review runs the fork head with no secret, so the caller
+# routes fork reviews through an unprivileged bridge whose completion fires a
+# privileged `workflow_run` here (see the dispatch's `workflow_run` branch). When
+# no token is delivered, every privileged step is gated off (HAS_TOKEN) and the
+# run skips cleanly; the sweep is the backstop.
 
 on:
   workflow_call:
@@ -156,11 +167,30 @@ jobs:
     concurrency:
       group: pr-board-sync-${{ github.event.pull_request.number || github.event.check_suite.head_sha || github.run_id }}
       cancel-in-progress: false
+    # HAS_TOKEN is false when SLANG_PR_BOT_TOKEN is not delivered to the run. On a
+    # PUBLIC repo, GitHub withholds secrets from fork-PR head-context events
+    # (pull_request_review / pull_request); it also fails to resolve for a repo
+    # that has not configured the secret. github-script hard-errors on an empty
+    # github-token, so every privileged step is gated on this and skips cleanly --
+    # the nightly sweep, a later pull_request_target event, or (for fork reviews)
+    # the workflow_run path reconciles instead. pull_request_target, check_suite,
+    # workflow_run, and schedule are privileged and DO receive the secret for forks.
+    env:
+      HAS_TOKEN: ${{ secrets.SLANG_PR_BOT_TOKEN != '' }}
     steps:
+      # --- No-token breadcrumb: explain a skipped run -------------------------
+      - name: Note skipped (no token)
+        if: ${{ env.HAS_TOKEN != 'true' }}
+        run: |
+          echo "Skipping board sync: SLANG_PR_BOT_TOKEN is not available to this run."
+          echo "(Fork-PR head-context event on a public repo, or unconfigured repo.)"
+          echo "The nightly sweep / a later pull_request_target / the workflow_run path will reconcile."
+
       # --- Classify Source (repo write-access read; opened/reopened only) ------
       - name: Classify PR Source
         id: classify
         if: >-
+          env.HAS_TOKEN == 'true' &&
           github.event_name == 'pull_request_target' &&
           (github.event.action == 'opened' || github.event.action == 'reopened')
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
@@ -209,6 +239,7 @@ jobs:
 
       # --- Board writes: add + Source + Status (ProjectsV2 PAT) ---------------
       - name: Reconcile board (add, Source, Status)
+        if: ${{ env.HAS_TOKEN == 'true' }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           MODE: ${{ inputs.mode }}
@@ -1137,6 +1168,29 @@ jobs:
               }
             }
 
+            // Resolve a commit SHA (and any pre-listed PRs) to its open PR(s) and
+            // reconcile each. check_suite and workflow_run are both commit-scoped
+            // and their pull_requests array is empty for fork PRs, so resolve via
+            // the API too. (One commit can head several PRs, hence a set.)
+            async function reconcileByCommit(headSha, prNodes) {
+              const numbers = new Set();
+              for (const p of (prNodes || [])) {
+                if (!p.state || p.state === "open") numbers.add(p.number);
+              }
+              if (headSha) {
+                try {
+                  const assoc = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+                    owner: context.repo.owner, repo: context.repo.repo, commit_sha: headSha });
+                  for (const p of (assoc.data || [])) {
+                    if (p.state === "open") numbers.add(p.number);
+                  }
+                } catch (error) {
+                  core.warning(`could not resolve PRs for ${headSha} (${error.status})`);
+                }
+              }
+              for (const number of numbers) await reconcileStatus(number, null);
+            }
+
             // --- Dispatch on the triggering event ----------------------------
             const ev = context.eventName;
             const action = context.payload.action;
@@ -1190,35 +1244,19 @@ jobs:
               const itemId = await ensureItem(pr.node_id);
               if (itemId) await reconcileStatus(pr.number, pr.node_id, itemId);
             } else if (ev === "check_suite") {
-              // check_suite is commit-scoped, not PR-scoped. GitHub only lists
-              // *same-repo* PRs in check_suite.pull_requests (it is empty for fork
-              // PRs), so also resolve the suite's head SHA to its open PR(s) via
-              // the API - that covers fork PRs - and union the two. A CI
-              // completion recomputes the target, so a green run also recovers a
-              // Snagged/Revising PR. (One commit can head several PRs, hence a set.)
+              // check_suite is commit-scoped: a CI completion recomputes the
+              // target, so a green run also recovers a Snagged/Revising PR. Its
+              // pull_requests array is empty for fork PRs, so resolve by head SHA.
               const suite = context.payload.check_suite || {};
-              const numbers = new Set();
-              for (const p of (suite.pull_requests || [])) {
-                if (!p.state || p.state === "open") numbers.add(p.number);
-              }
-              if (suite.head_sha) {
-                try {
-                  const assoc = await github.rest.repos.listPullRequestsAssociatedWithCommit({
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    commit_sha: suite.head_sha,
-                  });
-                  for (const p of (assoc.data || [])) {
-                    if (p.state === "open") numbers.add(p.number);
-                  }
-                } catch (error) {
-                  core.warning(
-                    `could not resolve PRs for ${suite.head_sha} (${error.status})`);
-                }
-              }
-              for (const number of numbers) {
-                await reconcileStatus(number, null);
-              }
+              await reconcileByCommit(suite.head_sha, suite.pull_requests);
+            } else if (ev === "workflow_run") {
+              // Stage 2 of the fork-review relay (see header): a fork PR's review
+              // can't get secrets, so an unprivileged caller bridge fires on the
+              // review and completes; this privileged run resolves the PR from the
+              // upstream run's head SHA and reconciles. Metadata only -- NEVER add a
+              // checkout here (the upstream ran fork-controlled context).
+              const wr = context.payload.workflow_run || {};
+              await reconcileByCommit(wr.head_sha, wr.pull_requests);
             }
 
       # --- Unrequest auto-assigned non-approver reviewers --------------------
@@ -1232,6 +1270,7 @@ jobs:
       # cadence sweep (scripts/pr_sweep.py) remains the backstop for both.
       - name: Unrequest ignored reviewers
         if: >-
+          env.HAS_TOKEN == 'true' &&
           github.event_name == 'pull_request_target' &&
           (github.event.action == 'opened' || github.event.action == 'reopened')
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8

.github/workflows/pr-maintenance.yml

@@ -7,7 +7,11 @@ name: PR Maintenance
 #
 #   uses: shader-slang/slang/.github/workflows/pr-board-sync.yml@master
 #
-# See .github/workflows/pr-board-sync.yml for the board IDs and required secrets.
+# pull_request_target and check_suite are privileged events that receive the
+# secret even for fork PRs, so they run here directly. pull_request_review only
+# receives the secret for ORIGIN PRs, so the job below skips it for forks; fork
+# reviews are handled by the pr-review-fork-bridge.yml -> pr-review-fork-apply.yml
+# (workflow_run) relay. See pr-board-sync.yml for the board IDs and the secret.
 
 on:
   pull_request_target:
@@ -30,6 +34,11 @@ on:
 
 jobs:
   board-sync:
+    # Run directly for everything except a fork PR's review (no secret there);
+    # fork reviews go through the workflow_run relay instead.
+    if: >-
+      github.event_name != 'pull_request_review' ||
+      github.event.pull_request.head.repo.fork == false
     uses: ./.github/workflows/pr-board-sync.yml
     secrets:
       SLANG_PR_BOT_TOKEN: ${{ secrets.SLANG_PR_BOT_TOKEN }}

.github/workflows/pr-review-fork-apply.yml

@@ -0,0 +1,28 @@
+name: PR Review Fork Apply
+
+# Stage 2 of the fork-review relay for the PR board sync. Triggered by the
+# completion of "PR Review Fork Bridge" (pr-review-fork-bridge.yml).
+#
+# A workflow_run workflow runs in the base repo's PRIVILEGED context with secrets
+# even when the upstream run was a fork PR's review -- which is the only way to
+# update the board for fork-PR reviews on a public repo. The reusable workflow's
+# workflow_run dispatch branch resolves the PR from the upstream run's head SHA
+# and reconciles. It does NO checkout (metadata only), so executing it in this
+# privileged context is not a pwn-request vector.
+#
+# (workflow_run only fires for workflow files on the default branch, so this
+# activates once the workflow is merged to the default branch.)
+
+on:
+  workflow_run:
+    workflows: ["PR Review Fork Bridge"]
+    types: [completed]
+
+jobs:
+  board-sync:
+    # Only when the bridge completed successfully (it always should; this guards
+    # against a cancelled/failed relay run).
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    uses: ./.github/workflows/pr-board-sync.yml
+    secrets:
+      SLANG_PR_BOT_TOKEN: ${{ secrets.SLANG_PR_BOT_TOKEN }}

.github/workflows/pr-review-fork-bridge.yml

@@ -0,0 +1,29 @@
+name: PR Review Fork Bridge
+
+# Stage 1 of the fork-review relay for the PR board sync.
+#
+# On a PUBLIC repo, a pull_request_review on a PR from a FORK runs the fork's
+# head with no secrets, so it cannot update the board directly. This workflow is
+# that unprivileged stage: for fork-PR reviews only, it does nothing but complete
+# successfully, which lets a privileged `workflow_run` workflow
+# (pr-review-fork-apply.yml) fire and do the board update with secrets.
+#
+# It deliberately runs NO board logic and checks out NO code -- it exists solely
+# to relay the event. Origin-PR reviews are handled directly by pr-maintenance.yml,
+# so this is gated to forks to avoid a redundant relay run.
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions: {}
+
+jobs:
+  bridge:
+    if: ${{ github.event.pull_request.head.repo.fork == true }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Relay fork PR review to the privileged apply workflow
+        run: |
+          echo "Fork PR #${{ github.event.pull_request.number }} review submitted."
+          echo "Completing so pr-review-fork-apply.yml (workflow_run) can reconcile with secrets."

CONTRIBUTING.md

@@ -286,7 +286,7 @@ Once a PR is created against `shader-slang/slang:master`, the PR will be merged
 
 When the conditions above are all met, you will have a chance to rewrite the commit message. Since the Slang repo uses the "squash" strategy for merging, multiple commits in your PR will become one commit. By default, GitHub will concatenate all of the commit messages sequentially, but often it is not readable. Please rewrite the final commit message in a way that people can easily understand what the purpose of the commit is.
 
-> **Maintainers:** PRs are tracked on a shared project board whose status is updated automatically as your PR progresses. If you are assigned to shepherd or review PRs, see [The Slang PR Tracking board](docs/maintainers/pr-review-board.md).
+> **Committers:** PRs are tracked on a shared project board whose status is updated automatically as a PR progresses. The board is an org project visible only to `shader-slang` org members, so outside contributors won't see it — that's expected. If you are a committer assigned to shepherd or review PRs, see [The Slang PR Tracking board](docs/maintainers/pr-review-board.md).
 
 There are two cases where the workflow may fail for reasons that are not directly related to the change:
 

docs/maintainers/pr-review-board.md

@@ -7,6 +7,10 @@ board. It explains what the board's fields mean, what each `Status` tells you,
 and when a PR actually needs your attention. (If you're just opening a PR, you
 don't need this — see [CONTRIBUTING.md](../../CONTRIBUTING.md).)
 
+> The board is a `shader-slang` org project, so it is only visible to **org
+> members (committers)**. Outside contributors can't see it — that's expected;
+> their PRs are still tracked on it by the committers who shepherd them.
+
 You never set the board fields by hand: they are maintained automatically from
 PR activity (open/close, pushes, reviews, CI results, merge-queue changes). Your
 job is to **read the state and act when it asks you to**.
@@ -16,7 +20,10 @@ job is to **read the state and act when it asks you to**.
 Every PR carries a **`Source`** — one of:
 
 - **Internal** — opened by someone with write access to the repo. The **author
-  drives it**; they're the assignee. No oversight is added.
+  drives it**; they're the assignee, and **they are expected to identify and
+  request their own reviewer** (no reviewer is auto-requested for Internal PRs).
+  If you're a newer committer and unsure who to ask, pick someone who has
+  recently touched the same files, or ask in the team channel.
 - **Community** — opened by an outside contributor. A maintainer (you) is
   assigned to shepherd it and arrange review.
 - **Bot** — opened by an automated coworker. A maintainer is assigned to
@@ -58,84 +65,36 @@ Two things worth knowing:
 - The **only** difference between the Bot and human flows is what a **CI failure**
   does (Bot → `Revising`, human → `Snagged`); everything else is identical.
 
-## State diagrams
-
-### Community / Internal (human) PRs
-
-```mermaid
-stateDiagram-v2
-    [*] --> InReview: opened (ready for review)
-    [*] --> Revising: opened as draft
-
-    InReview: In Review
-    Revising: Revising
-    Snagged: Snagged
-    Approved: Approved
-    Done: Done
-
-    InReview --> Revising: changes requested
-    InReview --> Snagged: CI failed / CI needs approval
-    InReview --> Approved: approved (CI pending or in queue)
-    InReview --> Snagged: approved + CI green + not queued
-
-    Revising --> InReview: new commit / marked ready
-    Revising --> Snagged: CI failed / CI needs approval
-    Revising --> Approved: approved (CI pending or in queue)
-
-    Snagged --> InReview: new commit / CI back to green
-    Snagged --> Revising: changes requested
-    Snagged --> Approved: approved (CI pending or in queue)
-
-    Approved --> Snagged: CI failed / dequeued / green + not queued
-    Approved --> Revising: changes requested
-    Approved --> InReview: new commit
-
-    InReview --> Done: closed
-    Revising --> Done: closed
-    Snagged --> Done: closed
-    Approved --> Done: closed
-    Done --> [*]
-```
+## The decision, as a flowchart
 
-### Bot PRs
+The board does not move a PR along edges between states — it **recomputes** the
+status from the PR's current signals on every event. So the priority rules above
+are best read as a decision tree (first match wins):
 
 ```mermaid
-stateDiagram-v2
-    [*] --> InReview: opened (incl. draft - kept visible)
-
-    InReview: In Review
-    Revising: Revising
-    Snagged: Snagged
-    Approved: Approved
-    Done: Done
-
-    InReview --> Revising: changes requested / CI failed
-    InReview --> Snagged: CI needs approval
-    InReview --> Approved: approved (CI pending or in queue)
-    InReview --> Snagged: approved + CI green + not queued
-
-    Revising --> InReview: new commit / CI back to green
-    Revising --> Approved: approved (CI pending or in queue)
-
-    Snagged --> InReview: new commit
-    Snagged --> Revising: changes requested / CI failed
-    Snagged --> Approved: approved (CI pending or in queue)
-
-    Approved --> Revising: changes requested / CI failed
-    Approved --> Snagged: dequeued / green + not queued
-    Approved --> InReview: new commit
-
-    InReview --> Done: closed
-    Revising --> Done: closed
-    Snagged --> Done: closed
-    Approved --> Done: closed
-    Done --> [*]
+flowchart TD
+  ev([PR event - recompute]) --> closed{"Closed?"}
+  closed -->|yes| done["Done"]
+  closed -->|no| cr{"Changes requested<br/>on current commit?"}
+  cr -->|yes| rev["Revising"]
+  cr -->|no| draft{"Draft?"}
+  draft -->|"yes (human)"| rev
+  draft -->|"yes (bot)"| inrev["In Review"]
+  draft -->|no| ciappr{"CI awaiting approval?"}
+  ciappr -->|yes| snag["Snagged"]
+  ciappr -->|no| cifail{"CI failed?"}
+  cifail -->|"yes (bot)"| rev
+  cifail -->|"yes (human)"| snag
+  cifail -->|no| appr{"Approved?"}
+  appr -->|"yes, green and not queued"| snag
+  appr -->|"yes, pending or queued"| approved["Approved"]
+  appr -->|no| inrev
 ```
 
 ## Source of truth
 
-These diagrams are an illustration. The authoritative rules live in the
+This flowchart is an illustration. The authoritative rules live in the
 `computeTarget` function in
 [`.github/workflows/pr-board-sync.yml`](../../.github/workflows/pr-board-sync.yml),
-which sets the board `Status` from PR events. If a diagram here ever disagrees
+which sets the board `Status` from PR events. If the diagram here ever disagrees
 with that function, the function is correct — please fix the diagram.