chore: add contribution gate workflows #2565

Open
nightt5879 wants to merge 6 commits into Hmbown:main from nightt5879:nightt5879/contribution-gate-workflows

@nightt5879 nightt5879 commented Jun 2, 2026

Summary

  • add a scoped .github/APPROVED_CONTRIBUTORS allowlist for PR, issue, and all-access entries
  • add PR and issue gate workflows that default to dry-run / comment-only mode, with CONTRIBUTION_GATE_MODE: enforce as the explicit close switch
  • add a maintainer approval workflow that opens an allowlist update PR from exact /lgtm / /lgtmi commands and avoids duplicate pending allowlist PRs across paginated open PRs
  • document the contribution gate, dry-run rollout, active-contributor seeding expectation, and mistaken-gate restoration flow in CONTRIBUTING.md

Closes #2086
Closes #688

Testing

  • Parsed .github/workflows/pr-gate.yml, .github/workflows/issue-gate.yml, and .github/workflows/approve-contributor.yml with PyYAML
  • Ran node --check on each embedded actions/github-script block after wrapping it the way GitHub Script executes async code
  • git diff --check
  • git diff --cached --check
  • cargo fmt --all -- --check
  • PR CI Lint
  • PR CI Test (ubuntu-latest)
  • PR CI Test (macos-latest)
  • PR CI Test (windows-latest)
  • PR CI Mobile runtime smoke
  • PR CI Version drift
  • PR CI npm wrapper smoke (ubuntu-latest)
  • PR CI GitGuardian Security Checks
  • PR CI Greptile Review

Note: actionlint and Ruby were not installed on this Windows checkout, so local workflow validation used PyYAML plus Node syntax checks. The broader Rust validation is covered by the green PR CI jobs above.

Checklist

  • Updated docs or comments as needed
  • Added or updated tests where relevant
    • Covered by local workflow YAML parsing, embedded GitHub Script syntax checks, and green PR CI.
  • Verified TUI behavior manually if UI changes
    • No TUI behavior changes.

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: edd71b9519

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/pr-gate.yml Outdated
Comment thread .github/workflows/pr-gate.yml Outdated
Comment thread .github/workflows/approve-contributor.yml
Comment thread .github/workflows/pr-gate.yml
Comment thread .github/workflows/pr-gate.yml
@nightt5879

Follow-up review fixes are now in 0ebfcb7b and c70c350c:

  • Removed the branch-prefix-only PR gate bypass; legitimate approval PRs are covered by the github-actions[bot] exemption.
  • Added the reciprocal /lgtmi guard so issue approval commands used on pull requests produce a corrective hint instead of silently granting issue-only access.
  • Removed undocumented bare-username allowlist checks from both gates.
  • Aligned pr-gate.yml with issue-gate.yml by reading .github/APPROVED_CONTRIBUTORS from the repository default branch, matching where approve-contributor.yml writes updates.

Re-ran workflow YAML parsing, embedded GitHub Script node --check, git diff --check, staged diff check, and cargo fmt --all -- --check after the fixes.

Hmbown commented Jun 2, 2026

Thanks @nightt5879. There is real effort here, and the /lgtm / /lgtmi approval flow is a thoughtful way to turn drive-by contribution control into a maintainable process instead of a hard-coded blocklist.

I am not pulling this into v0.8.50 because it changes community policy and can automatically close contributor work. For the next review pass, the path I would like to see is:

  • Add a dry-run/comment-only mode first, so maintainers can observe the gate before it closes PRs/issues.
  • Seed the allowlist broadly enough for existing active contributors before enabling enforcement.
  • Keep reading the allowlist from the default branch, as the latest commit now does.
  • Document exactly how a good external contributor gets restored if the gate fires incorrectly.

CI is green now, so this is not being skipped for code quality; it is being held for rollout safety.

@nightt5879

Thanks, I adjusted the PR along that rollout-safety path.

Follow-up changes are now in 433a8eae and 22f602d0:

  • The PR/issue gates now default to CONTRIBUTION_GATE_MODE: dry-run, so merge-time behavior is comment-only and does not close contributor work. Switching to enforce is now an explicit workflow change after maintainers are ready.
  • The allowlist header and CONTRIBUTING.md now call out the active-contributor seeding step before enforcement is enabled.
  • The gates continue reading .github/APPROVED_CONTRIBUTORS from the repository default branch.
  • CONTRIBUTING.md now documents the mistaken-gate recovery path: approve with /lgtm or /lgtmi, merge the generated allowlist PR, then reopen or ask the contributor to resubmit if reopening is not available.
  • I also handled the latest Greptile follow-up by paginating the pending allowlist PR lookup, so duplicate-PR suppression is not capped at the first 100 open PRs.

Validation after the changes:

  • local workflow YAML parsing passed
  • embedded GitHub Script node --check passed
  • git diff --check and staged diff check passed
  • cargo fmt --all -- --check passed
  • PR CI is green across Lint, ubuntu/macos/windows tests, mobile smoke, version drift, npm wrapper smoke, GitGuardian, and Greptile
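
The gate behaviour described in this thread, as an added JavaScript example (not code from the PR): the `scope:login` allowlist line format, the function names, the hint wording and the mapping of `/lgtm` to PR scope are assumptions, and the sample allowlist is constructed.

```javascript
// Added illustration. The "scope:login" line format is an assumption, not the
// PR's actual APPROVED_CONTRIBUTORS syntax. SAMPLE_ALLOWLIST is constructed.
const SAMPLE_ALLOWLIST = [
  '# scope:login',
  'pr:alice',
  'issue:bob',
  'all:carol',
  'dave            # bare username: ignored, never treated as all-access',
].join('\n');

const EXEMPT_ACTORS = new Set(['github-actions[bot]']);

// Parse scoped entries only; lines that do not match a known scope are dropped.
function parseAllowlist(text) {
  const entries = { pr: new Set(), issue: new Set(), all: new Set() };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    const m = /^(pr|issue|all):([A-Za-z0-9-]+)$/.exec(line);
    if (m) entries[m[1]].add(m[2].toLowerCase());
  }
  return entries;
}

// kind: 'pr' | 'issue'. mode: the CONTRIBUTION_GATE_MODE value.
// allowlistText must be fetched from the default branch, not the PR head, so a
// pull request cannot approve its own author by editing the file.
function decideGate({ author, kind, mode, allowlistText }) {
  const login = author.toLowerCase();
  if (EXEMPT_ACTORS.has(login)) return 'allow';
  const list = parseAllowlist(allowlistText);
  if (list.all.has(login) || list[kind].has(login)) return 'allow';
  // Only the exact string "enforce" closes; every other value is comment-only.
  return mode === 'enforce' ? 'close' : 'comment';
}

// Exact-match approval commands; a command used on the wrong item type
// returns a corrective hint instead of a grant.
function parseApproval(commentBody, isPullRequest) {
  const cmd = commentBody.trim();
  if (cmd === '/lgtm') {
    return isPullRequest ? { grant: 'pr' } : { hint: 'use /lgtmi on issues' };
  }
  if (cmd === '/lgtmi') {
    return isPullRequest ? { hint: 'use /lgtm on pull requests' } : { grant: 'issue' };
  }
  return null; // "/lgtm thanks", quoted commands, etc. grant nothing
}
```
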

Hmbown commented Jun 2, 2026

Hey @nightt5879 — the contribution gate workflows have been harvested into v0.8.50 (#2504)! The dry-run mode is a nice touch for testing without blocking real contributors. Thanks for building this — CI infrastructure is the kind of invisible work that keeps the project healthy. 🐋🔒

Development

Successfully merging this pull request may close these issues.

  • Contribution-gate workflow + APPROVED_CONTRIBUTORS allowlist
  • Add an automation bot to the issues feedback area for labeling and automatically closing issues