From 94b1472a5f9e90f5d3b0e19ba2a90f2d0d02dc0b Mon Sep 17 00:00:00 2001
From: nikolamilosa
Date: Wed, 6 May 2026 09:59:07 +0000
Subject: [PATCH 1/5] wip
---
 .../ci-pr-close-feat-ai-on-engines.yml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/ci-pr-close-feat-ai-on-engines.yml
diff --git a/.github/workflows/ci-pr-close-feat-ai-on-engines.yml b/.github/workflows/ci-pr-close-feat-ai-on-engines.yml
new file mode 100644
index 000000000000..92eb3656cec3
--- /dev/null
+++ b/.github/workflows/ci-pr-close-feat-ai-on-engines.yml
@@ -0,0 +1,47 @@
+name: Close External PRs Targeting feat-ai-on-engines
+
+on:
+ pull_request_target:
+ types: [opened, reopened]
+ branches:
+ - feat-ai-on-engines
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ close-pr:
+ name: Close fork PR targeting feat-ai-on-engines
+ runs-on: ubuntu-latest
+ # Only act on PRs from forks (external contributors).
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ steps:
+ - name: Close PR with explanation
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+ with:
+ script: |
+ const message = [
+ "Thanks for the contribution!",
+ "",
+ "Pull requests from forks targeting the `feat-ai-on-engines` branch are not accepted.",
+ "This branch is a feature branch managed internally; please retarget your PR to `master` instead.",
+ "",
+ "Closing this PR automatically. Feel free to open a new one against `master`.",
+ "",
+ "— The DFINITY Foundation"
+ ].join("\n");
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: message,
+ });
+
+ await github.rest.pulls.update({
+ pull_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'closed',
+ });
From 548a4ef4f52fe7c5d78c3ee926534832c43219c6 Mon Sep 17 00:00:00 2001
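Review bot: The `pull_request_target` trigger in this new workflow has no comment saying why it is acceptable for fork PRs, and nothing stops a later edit from adding a checkout step that would run fork code under the `pull-requests: write` token. As written the job only calls the REST API through github-script and never checks out or executes the PR head, and that property is what keeps the trigger safe. I would add above `pull_request_target:` the comment `# Runs in the base-repo context with a write token; never check out or execute PR head code in this workflow.` The same comment belongs on the workflow file created in PATCH 3/5.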
From: nikolamilosa
Date: Wed, 6 May 2026 10:09:11 +0000
Subject: [PATCH 2/5] wip
---
 .../ci-pr-close-feat-ai-on-engines.yml | 47 ---------------
 .../external-contrib-slack-notification.yaml | 59 +++++++++++++++++++
 2 files changed, 59 insertions(+), 47 deletions(-)
 delete mode 100644 .github/workflows/ci-pr-close-feat-ai-on-engines.yml
diff --git a/.github/workflows/ci-pr-close-feat-ai-on-engines.yml b/.github/workflows/ci-pr-close-feat-ai-on-engines.yml
deleted file mode 100644
index 92eb3656cec3..000000000000
--- a/.github/workflows/ci-pr-close-feat-ai-on-engines.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: Close External PRs Targeting feat-ai-on-engines
-
-on:
- pull_request_target:
- types: [opened, reopened]
- branches:
- - feat-ai-on-engines
-
-permissions:
- contents: read
- pull-requests: write
-
-jobs:
- close-pr:
- name: Close fork PR targeting feat-ai-on-engines
- runs-on: ubuntu-latest
- # Only act on PRs from forks (external contributors).
- if: github.event.pull_request.head.repo.full_name != github.repository
- steps:
- - name: Close PR with explanation
- uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
- with:
- script: |
- const message = [
- "Thanks for the contribution!",
- "",
- "Pull requests from forks targeting the `feat-ai-on-engines` branch are not accepted.",
- "This branch is a feature branch managed internally; please retarget your PR to `master` instead.",
- "",
- "Closing this PR automatically. Feel free to open a new one against `master`.",
- "",
- "— The DFINITY Foundation"
- ].join("\n");
-
- await github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: message,
- });
-
- await github.rest.pulls.update({
- pull_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- state: 'closed',
- });
diff --git a/.github/workflows/external-contrib-slack-notification.yaml b/.github/workflows/external-contrib-slack-notification.yaml index 72f88b8800dc..fcc8f4eb3820 100644 --- a/.github/workflows/external-contrib-slack-notification.yaml +++ b/.github/workflows/external-contrib-slack-notification.yaml @@ -4,6 +4,10 @@ on: pull_request_target: types: [opened, reopened] +permissions: + contents: read + pull-requests: write + jobs: notify-slack-new-pr: name: Notify Slack for new External Contributor PR 
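Review bot: The `permissions:` block is added at workflow level, so `pull-requests: write` also applies to the existing `notify-slack-new-pr` job, which from the visible lines appears to do nothing but post a Slack message. Declaring the block on the job that needs it keeps the write scope narrow: put `permissions:` with `contents: read` and `pull-requests: write` under `check-external-branch-policy` rather than at the top of the file. A workflow-level block also replaces the default token scopes for the Slack job, so it is worth confirming that job still has what it needs. Both job definitions start or end outside this hunk.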
@@ -18,3 +22,58 @@ jobs:
 slack-message: "External Contribution: <${{ github.event.pull_request.html_url }}>"
 env:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+
+ check-external-branch-policy:
+ name: Check Unallowed Target Branch
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
+ steps:
+ - name: Check target branch
+ id: check_branch
+ run: |
+ set -euo pipefail
+ target_branch="${{ github.event.pull_request.base.ref }}"
+ # Branches that external contributors are not allowed to target.
+ blocked_branches=(
+ "feat-ai-on-engines"
+ )
+ for branch in "${blocked_branches[@]}"; do
+ if [[ "${target_branch}" == "${branch}" ]]; then
+ echo "Target branch '${target_branch}' is not allowed for external contributors."
+ echo "blocked_branch=${branch}" >> "$GITHUB_OUTPUT"
+ exit 1
+ fi
+ done
+ echo "Target branch '${target_branch}' is allowed."
+ shell: bash
+
+ - name: Close PR
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+ if: ${{ !cancelled() && steps.check_branch.conclusion == 'failure' }}
+ with:
+ script: |
+ const blockedBranch = "${{ steps.check_branch.outputs.blocked_branch }}";
+ const message = [
+ "Thanks for the contribution!",
+ "",
+ `Pull requests from forks targeting the \`${blockedBranch}\` branch are not accepted.`,
+ "This branch is a feature branch managed internally; please retarget your PR to `master` instead.",
+ "",
+ "Closing this PR automatically. Feel free to open a new one against `master`.",
+ "",
+ "— The DFINITY Foundation"
+ ].join("\n");
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: message,
+ });
+
+ await github.rest.pulls.update({
+ pull_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'closed',
+ });
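Review bot: `target_branch="${{ github.event.pull_request.base.ref }}"` in the `Check target branch` step pastes the expression into the bash source before the shell runs, so the branch name is parsed as script text and neither the quoting nor `set -euo pipefail` constrains it. A base ref is limited to branches that exist in this repository, which narrows who can influence the value, but in a `pull_request_target` job holding a write token it should still reach the script as data: add `env:` with `TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}` to the step and read `target_branch="${TARGET_BRANCH}"`. The `Close PR` step does the same with `const blockedBranch = "${{ steps.check_branch.outputs.blocked_branch }}";`, which is harmless only while the list stays hard-coded; an `env:` entry read through `process.env` is the equivalent there. The identical lines reappear in external-contrib-branch-policy.yaml in PATCH 3/5.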
From 31f86a4898b196d4e548b8ef7b3a7482bf299f30 Mon Sep 17 00:00:00 2001
From: nikolamilosa
Date: Wed, 6 May 2026 10:36:02 +0000
Subject: [PATCH 3/5] moving to a separate file
---
 .../external-contrib-branch-policy.yaml | 65 +++++++++++++++++++
 .../external-contrib-slack-notification.yaml | 55 ----------------
 2 files changed, 65 insertions(+), 55 deletions(-)
 create mode 100644 .github/workflows/external-contrib-branch-policy.yaml
diff --git a/.github/workflows/external-contrib-branch-policy.yaml b/.github/workflows/external-contrib-branch-policy.yaml
new file mode 100644
index 000000000000..a3417fecaf9e
--- /dev/null
+++ b/.github/workflows/external-contrib-branch-policy.yaml
@@ -0,0 +1,65 @@
+name: External Contributor Branch Policy
+
+on:
+ pull_request_target:
+ types: [opened, reopened]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ check-external-branch-policy:
+ name: Check Unallowed Target Branch
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
+ steps:
+ - name: Check target branch
+ id: check_branch
+ run: |
+ set -euo pipefail
+ target_branch="${{ github.event.pull_request.base.ref }}"
+ # Branches that external contributors are not allowed to target.
+ blocked_branches=(
+ "feat-ai-on-engines"
+ )
+ for branch in "${blocked_branches[@]}"; do
+ if [[ "${target_branch}" == "${branch}" ]]; then
+ echo "Target branch '${target_branch}' is not allowed for external contributors."
+ echo "blocked_branch=${branch}" >> "$GITHUB_OUTPUT"
+ exit 1
+ fi
+ done
+ echo "Target branch '${target_branch}' is allowed."
+ shell: bash
+
+ - name: Close PR
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+ if: ${{ !cancelled() && steps.check_branch.conclusion == 'failure' }}
+ with:
+ script: |
+ const blockedBranch = "${{ steps.check_branch.outputs.blocked_branch }}";
+ const message = [
+ "Thanks for the contribution!",
+ "",
+ `Pull requests from forks targeting the \`${blockedBranch}\` branch are not accepted.`,
+ "This branch is a feature branch managed internally; please retarget your PR to `master` instead.",
+ "",
+ "Closing this PR automatically. Feel free to open a new one against `master`.",
+ "",
+ "— The DFINITY Foundation"
+ ].join("\n");
+
+ await github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: message,
+ });
+
+ await github.rest.pulls.update({
+ pull_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'closed',
+ });
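Review bot: The `Close PR` step is gated on `steps.check_branch.conclusion == 'failure'`, which is true for any non-zero exit of the check step and not only for the blocked-branch `exit 1`. If that step ever fails for another reason, the PR is still commented on and closed, and the message carries an empty branch name because `blocked_branch` was never written. Gating on the output ties the close to the policy decision itself: `if: ${{ !cancelled() && steps.check_branch.outputs.blocked_branch != '' }}`. The `exit 1` can stay if a red check on blocked PRs is wanted.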
diff --git a/.github/workflows/external-contrib-slack-notification.yaml b/.github/workflows/external-contrib-slack-notification.yaml
index fcc8f4eb3820..5c1dad5d8731 100644
--- a/.github/workflows/external-contrib-slack-notification.yaml
+++ b/.github/workflows/external-contrib-slack-notification.yaml
@@ -22,58 +22,3 @@ jobs:
 slack-message: "External Contribution: <${{ github.event.pull_request.html_url }}>"
 env:
 SLACK_BOT_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
-
- check-external-branch-policy:
- name: Check Unallowed Target Branch
- runs-on: ubuntu-latest
- if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
- steps:
- - name: Check target branch
- id: check_branch
- run: |
- set -euo pipefail
- target_branch="${{ github.event.pull_request.base.ref }}"
- # Branches that external contributors are not allowed to target.
- blocked_branches=(
- "feat-ai-on-engines"
- )
- for branch in "${blocked_branches[@]}"; do
- if [[ "${target_branch}" == "${branch}" ]]; then
- echo "Target branch '${target_branch}' is not allowed for external contributors."
- echo "blocked_branch=${branch}" >> "$GITHUB_OUTPUT"
- exit 1
- fi
- done
- echo "Target branch '${target_branch}' is allowed."
- shell: bash
-
- - name: Close PR
- uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
- if: ${{ !cancelled() && steps.check_branch.conclusion == 'failure' }}
- with:
- script: |
- const blockedBranch = "${{ steps.check_branch.outputs.blocked_branch }}";
- const message = [
- "Thanks for the contribution!",
- "",
- `Pull requests from forks targeting the \`${blockedBranch}\` branch are not accepted.`,
- "This branch is a feature branch managed internally; please retarget your PR to `master` instead.",
- "",
- "Closing this PR automatically. Feel free to open a new one against `master`.",
- "",
- "— The DFINITY Foundation"
- ].join("\n");
-
- await github.rest.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: message,
- });
-
- await github.rest.pulls.update({
- pull_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- state: 'closed',
- });
From 078a1f46351a8118dc12c1e51c7a8c38c1c995a3 Mon Sep 17 00:00:00 2001 From: nikolamilosa Date: Wed, 6 May 2026 10:36:43 +0000 Subject: [PATCH 4/5] reverting permissions --- .github/workflows/external-contrib-slack-notification.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/external-contrib-slack-notification.yaml b/.github/workflows/external-contrib-slack-notification.yaml index 5c1dad5d8731..72f88b8800dc 100644 --- a/.github/workflows/external-contrib-slack-notification.yaml +++ b/.github/workflows/external-contrib-slack-notification.yaml @@ -4,10 +4,6 @@ on: pull_request_target: types: [opened, reopened] -permissions: - contents: read - pull-requests: write - jobs: notify-slack-new-pr: name: Notify Slack for new External Contributor PR From b7d3ef40b0cab006f3a675f678bc8a9da08ccf52 Mon Sep 17 00:00:00 2001 From: nikolamilosa Date: Sun, 10 May 2026 09:17:06 +0000 Subject: [PATCH 5/5] adding edited event --- .github/workflows/external-contrib-branch-policy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/external-contrib-branch-policy.yaml b/.github/workflows/external-contrib-branch-policy.yaml index a3417fecaf9e..af0830e8c645 100644 --- a/.github/workflows/external-contrib-branch-policy.yaml +++ b/.github/workflows/external-contrib-branch-policy.yaml @@ -2,7 +2,7 @@ name: External Contributor Branch Policy on: pull_request_target: - types: [opened, reopened] + types: [opened, reopened, edited] permissions: contents: read
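Review bot: `edited` fires on title and body edits as well as on a base-branch change, so with `types: [opened, reopened, edited]` every description edit on a fork PR re-runs the job. An edit on a PR that still targets a blocked branch, including one this workflow already closed, would presumably post the closing comment again. The job-level `if:` sits outside this hunk; it could skip edits that did not retarget the PR, for example by appending `&& (github.event.action != 'edited' || github.event.changes.base.ref.from != '')`. That expression should be confirmed against a real `edited` payload before it is relied on.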