
fix(ci): gate AI workflows behind org membership #681

Open
mihar-22 wants to merge 1 commit into main from fix/gate-ai-workflows

Conversation

Member

@mihar-22 mihar-22 commented Mar 2, 2026

Summary

Prevent external contributors from triggering AI-powered workflows that consume Anthropic API credits.

Changes

  • issue-triage.yml: Gate AI triage behind author_association — only MEMBER/OWNER/COLLABORATOR get automatic AI triage. Non-members get a triage label added for manual review. Adding the agent:triage label triggers AI triage on demand (only triage+ permissions can add labels).
  • ci-diagnose.yml: Check videojs org membership via GitHub API before running Claude. Fork PR CI failures from non-members are skipped.
What was the risk?
  • issue-triage.yml could be triggered by any GitHub user opening or editing an issue — no author check, consuming Anthropic credits with each invocation
  • ci-diagnose.yml runs on workflow_run events which execute in the default branch context with secret access. A fork PR with intentionally broken code would trigger CI failure → AI diagnosis → Anthropic API cost

All other workflows were audited and are safe:

  • ci.yml, bundle-size.yml, website-tests.yml — pull_request event = read-only sandbox, no secret access
  • cd.yml — push to main only
  • issue-sync.yml — requires PR merge (maintainer action)
  • issue-to-pr.yml — requires agent:pr label (triage+ permissions only)
  • api-reference-sync.yml — requires merge to main or workflow_dispatch

Triage trigger paths

| Event | Who | What happens |
| --- | --- | --- |
| Issue opened/edited/reopened | Non-member | triage label added, no AI |
| Issue opened/edited/reopened | Org member/collaborator | AI triage runs automatically |
| agent:triage label added | Anyone with triage+ permission | AI triage runs on demand |

Testing

  • Open an issue from a non-org-member account → should get triage label, no AI comment
  • Open an issue from an org member → AI triage runs as before
  • Add agent:triage label to any issue → AI triage runs
  • Fork PR with failing CI from non-member → diagnosis skipped
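The issue-triage gate described in this PR, written out as an added example workflow (it is not the project's issue-triage.yml): the automatic path allows only MEMBER/OWNER/COLLABORATOR, every other author gets the triage label for manual review, and a labeled event carrying agent:triage runs AI triage on demand. The AI step itself is a placeholder.

```yaml
# Added example, not the project's issue-triage.yml. The last job's step is a
# placeholder for the real AI triage action; the gating logic is the point.
name: issue-triage
on:
  issues:
    types: [opened, edited, reopened, labeled]
permissions:
  contents: read
  issues: write
jobs:
  gate:
    runs-on: ubuntu-latest
    outputs:
      run_ai: ${{ steps.decide.outputs.run_ai }}
    steps:
      - id: decide
        env:
          ASSOC: ${{ github.event.issue.author_association }}
          ACTION: ${{ github.event.action }}
          LABEL: ${{ github.event.label.name }}
        run: |
          run_ai=false
          if [ "$ACTION" = "labeled" ]; then
            # On-demand path: only users with triage+ permission can add labels.
            if [ "$LABEL" = "agent:triage" ]; then run_ai=true; fi
          else
            # Automatic path: trusted author associations only; all others stay false.
            case "$ASSOC" in
              MEMBER|OWNER|COLLABORATOR) run_ai=true ;;
            esac
          fi
          echo "run_ai=$run_ai" >> "$GITHUB_OUTPUT"
  label-for-manual-review:
    needs: gate
    if: needs.gate.outputs.run_ai == 'false' && github.event.action != 'labeled'
    runs-on: ubuntu-latest
    steps:
      # Labelling with GITHUB_TOKEN does not fire a new 'labeled' run, so this
      # cannot loop back into the gate.
      - run: gh issue edit "$NUMBER" --repo "$REPO" --add-label triage
        env:
          GH_TOKEN: ${{ github.token }}
          NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
  ai-triage:
    needs: gate
    if: needs.gate.outputs.run_ai == 'true'
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the AI triage action (needs ANTHROPIC_API_KEY)"
```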


netlify bot commented Mar 2, 2026

Deploy Preview for vjs10-site ready!

Name Link
🔨 Latest commit cf899b1
🔍 Latest deploy log https://app.netlify.com/projects/vjs10-site/deploys/69a5e9bce6e0f2000965a27b
😎 Deploy Preview https://deploy-preview-681--vjs10-site.netlify.app

Contributor

github-actions bot commented Mar 2, 2026

📦 Bundle Size Report

| Package | Size | Diff | % |
| --- | --- | --- | --- |
| @videojs/core | 10.28 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/element | 1.60 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/html | 18.36 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/icons | 3.79 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/react | 14.96 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/store | 1.95 kB | 0 B | ░░░░░░░░ 0% |
| @videojs/utils | 2.81 kB | 0 B | ░░░░░░░░ 0% |

Total: 53.75 kB · 0 B · 0%


Entry Breakdown

Subpath sizes are the additional bytes on top of the root entry point, measured by bundling root + subpath together and subtracting the root-only size.

@videojs/core

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| . | 4.28 kB | 4.28 kB | 0 B | 0% |
| ./dom | 6.01 kB | 6.01 kB | 0 B | 0% |
| total | 10.28 kB | 10.28 kB | 0 B | 0% |

@videojs/element

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| . | 817 B | 817 B | 0 B | 0% |
| ./context | 823 B | 823 B | 0 B | 0% |
| total | 1.60 kB | 1.60 kB | 0 B | 0% |

@videojs/html

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| . | 15.20 kB | 15.20 kB | 0 B | 0% |
| ./video | 1.06 kB | 1.06 kB | 0 B | 0% |
| ./audio | 1.06 kB | 1.06 kB | 0 B | 0% |
| ./background | 1.05 kB | 1.05 kB | 0 B | 0% |
| total | 18.36 kB | 18.36 kB | 0 B | 0% |

@videojs/icons

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| ./react | 2.27 kB | 2.27 kB | 0 B | 0% |
| ./html | 1.52 kB | 1.52 kB | 0 B | 0% |
| total | 3.79 kB | 3.79 kB | 0 B | 0% |

@videojs/store

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| . | 1.29 kB | 1.29 kB | 0 B | 0% |
| ./html | 468 B | 468 B | 0 B | 0% |
| ./react | 204 B | 204 B | 0 B | 0% |
| total | 1.95 kB | 1.95 kB | 0 B | 0% |

@videojs/utils

| Entry | Base | PR | Diff | % |
| --- | --- | --- | --- | --- |
| ./array | 104 B | 104 B | 0 B | 0% |
| ./dom | 928 B | 928 B | 0 B | 0% |
| ./events | 227 B | 227 B | 0 B | 0% |
| ./function | 261 B | 261 B | 0 B | 0% |
| ./object | 119 B | 119 B | 0 B | 0% |
| ./predicate | 265 B | 265 B | 0 B | 0% |
| ./string | 148 B | 148 B | 0 B | 0% |
| ./style | 185 B | 185 B | 0 B | 0% |
| ./time | 478 B | 478 B | 0 B | 0% |
| ./number | 158 B | 158 B | 0 B | 0% |
| total | 2.81 kB | 2.81 kB | 0 B | 0% |

ℹ️ How to interpret

Sizes are minified + brotli, measured with esbuild.
Package totals are computed as root size + marginal subpath costs.
Subpath marginal cost = (root + subpath bundled together) − root alone.

| Icon | Meaning |
| --- | --- |
|  | No change |
| 🔺 | Increased ≤ 10% |
| 🔴 | Increased > 10% |
| 🔽 | Decreased |
| 🆕 | New (no baseline) |

Run pnpm size locally to check current sizes.

@mihar-22 mihar-22 force-pushed the fix/gate-ai-workflows branch from 274cf37 to 846d362 on March 2, 2026 19:47
issue-triage: only run AI triage for MEMBER/OWNER/COLLABORATOR.
Non-members get a 'triage' label added for manual review.
Adding agent:triage label triggers AI triage on demand.

ci-diagnose: check videojs org membership before running Claude
to prevent external contributors from triggering AI via fork PR
CI failures.
@mihar-22 mihar-22 force-pushed the fix/gate-ai-workflows branch from 846d362 to cf899b1 on March 2, 2026 19:49
@mihar-22 mihar-22 marked this pull request as ready for review March 2, 2026 19:52
@mihar-22 mihar-22 requested a review from decepulis March 2, 2026 19:52
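The ci-diagnose membership check described in the PR description and commit message above, as an added example workflow (not the project's ci-diagnose.yml): the actor of the failed CI run is looked up against the videojs org members endpoint and the diagnosis job runs only when that lookup succeeds. It assumes the CI workflow is named ci and that the default GITHUB_TOKEN is allowed to read org membership.

```yaml
# Added example, not the project's ci-diagnose.yml. Assumes the CI workflow is
# named 'ci' and that GITHUB_TOKEN can read membership of the videojs org.
# 'gh api' exits 0 on a 204 (member) and non-zero on 404 or any error, so the
# gate fails closed: an unreadable membership is treated as "not a member".
name: ci-diagnose
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
permissions:
  contents: read
jobs:
  check-membership:
    # workflow_run executes in the default-branch context with secrets, even
    # for fork PRs, so the gate has to live here, not in the CI workflow.
    if: github.event.workflow_run.conclusion == 'failure'
    runs-on: ubuntu-latest
    outputs:
      is_member: ${{ steps.check.outputs.is_member }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          ACTOR: ${{ github.event.workflow_run.actor.login }}
        run: |
          if gh api "orgs/videojs/members/$ACTOR" --silent; then
            echo "is_member=true" >> "$GITHUB_OUTPUT"
          else
            echo "$ACTOR is not a videojs org member; skipping AI diagnosis"
            echo "is_member=false" >> "$GITHUB_OUTPUT"
          fi
  diagnose:
    needs: check-membership
    if: needs.check-membership.outputs.is_member == 'true'
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the Claude diagnosis step (needs ANTHROPIC_API_KEY)"
```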