
fix(workflows): maintainer gate re-evaluation, head-SHA approval, pinned org checkout #8

Merged: imran-siddique merged 2 commits into main from fix/maintainer-gate-review-trigger on Jun 11, 2026

Conversation

@imran-siddique (Contributor)

Summary

Fixes four issues from a security review of the org workflows.

require-maintainer-approval.yml

  • Gate never clears on approval: workflow only triggered on pull_request_target (opened/synchronize/reopened), so a maintainer approval did not re-run the failing status until someone pushed. Added pull_request_review: [submitted, dismissed] as a trigger. pull_request_review does not support a branches filter, so the base-branch check moved to the job-level if (github.event.pull_request.base.ref == 'main'). Both event payloads carry the PR at github.event.pull_request, so the script needed no event-type branching; it now reads the PR number once and re-fetches the PR for the head SHA at evaluation time.
  • Approve-then-swap: any historical APPROVED review used to count, so an author could push new commits after approval and a re-run still passed. Now only a maintainer's most recent non-comment review counts, and it must be an APPROVED review whose commit_id equals the current PR head SHA.
  • Pagination: listReviews was unpaginated (first 30 reviews). Switched to github.paginate.

contributor-check-external-template.yml

  • Mutable ref: the template checks out agentrust-io/.github and runs its composite action with a write-capable token on pull_request_target, but was pinned to ref: main. Now pinned to commit 8a2b77b (main at time of this PR) with a comment that the SHA must be bumped deliberately. Note: after this PR merges, the pin should be bumped to include these fixes.

Testing

  • actionlint not available locally; both files validated with yaml.safe_load.

🤖 Generated with Claude Code
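The approval rule described above (a maintainer's most recent non-comment review must be APPROVED and its commit_id must equal the PR head SHA re-fetched at evaluation time, with reviews read through github.paginate), as an added example that is not the org workflow's own code. It is written as plain functions so it runs in Node without actions/github-script; the field names (user.login, state, commit_id, submitted_at, head.sha) are those of the GitHub REST API, while the maintainer set, the sample reviews and the stand-in client are constructed for the example.

```javascript
// Added example, not the workflow's own code: the maintainer-gate approval rule
// from the PR description, as testable functions. The review objects follow the
// GitHub REST API shape; MAINTAINERS, SAMPLE_REVIEWS and makeFakeGithub are
// constructed stand-ins so the example runs offline.

function latestDecisiveReviewPerUser(reviews) {
  // Walk reviews in submission order. COMMENTED (and still-PENDING) reviews
  // neither grant nor revoke approval, so they do not replace a user's last
  // decisive review; a later CHANGES_REQUESTED or DISMISSED does.
  const ordered = [...reviews].sort((a, b) =>
    (a.submitted_at || '').localeCompare(b.submitted_at || ''));
  const latest = new Map();
  for (const review of ordered) {
    if (review.state === 'COMMENTED' || review.state === 'PENDING') continue;
    latest.set(review.user.login, review);
  }
  return latest;
}

function findQualifyingApproval(reviews, maintainers, headSha) {
  // Returns the first maintainer review that satisfies the gate, or null.
  for (const [login, review] of latestDecisiveReviewPerUser(reviews)) {
    if (!maintainers.has(login)) continue;      // non-maintainers never count
    if (review.state !== 'APPROVED') continue;  // latest decision must be an approval
    if (review.commit_id !== headSha) continue; // head moved since approval (approve-then-swap)
    return review;
  }
  return null;
}

async function evaluateMaintainerGate(github, { owner, repo, prNumber, maintainers }) {
  // Re-fetch the PR so the head SHA is the one at evaluation time rather than
  // whatever the triggering event payload carried.
  const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
  const headSha = pr.head.sha;
  // github.paginate follows every page; a bare listReviews call returns only the first 30.
  const reviews = await github.paginate(github.rest.pulls.listReviews,
    { owner, repo, pull_number: prNumber, per_page: 100 });
  const approval = findQualifyingApproval(reviews, maintainers, headSha);
  return { passed: approval !== null, headSha, approvedBy: approval ? approval.user.login : null };
}

// --- constructed sample data (not real reviews) ---------------------------
const MAINTAINERS = new Set(['alice', 'carol']);
const SAMPLE_REVIEWS = [
  { user: { login: 'alice' }, state: 'APPROVED',          commit_id: 'aaa111', submitted_at: '2026-06-10T10:00:00Z' },
  { user: { login: 'bob'   }, state: 'APPROVED',          commit_id: 'bbb222', submitted_at: '2026-06-10T11:00:00Z' },
  { user: { login: 'alice' }, state: 'COMMENTED',         commit_id: 'bbb222', submitted_at: '2026-06-10T12:00:00Z' },
  { user: { login: 'carol' }, state: 'CHANGES_REQUESTED', commit_id: 'bbb222', submitted_at: '2026-06-10T13:00:00Z' },
];

// Minimal stand-in for the github-script client: serves the constructed reviews
// from several "pages" so the paginate path is exercised without network access.
function makeFakeGithub(headSha, pages) {
  const listReviews = async () => ({ data: [] });
  return {
    rest: {
      pulls: {
        get: async () => ({ data: { head: { sha: headSha } } }),
        listReviews,
      },
    },
    paginate: async (fn) => (fn === listReviews ? pages.flat() : []),
  };
}

// Stand-alone run: alice's approval is for aaa111 but head is bbb222 (stale),
// bob is not a maintainer, carol requested changes -> gate does not pass.
evaluateMaintainerGate(
  makeFakeGithub('bbb222', [SAMPLE_REVIEWS.slice(0, 2), SAMPLE_REVIEWS.slice(2)]),
  { owner: 'example-org', repo: 'example-repo', prNumber: 8, maintainers: MAINTAINERS },
).then((result) => console.log(JSON.stringify(result)));
```

Checking commit_id against a freshly fetched head SHA is what closes the approve-then-swap gap: a push after approval changes head.sha, so the old review stops matching without anyone having to dismiss it. Keeping the rule in a pure function also makes the "latest non-comment review wins" ordering easy to unit-test against constructed review lists before it is wired into the pull_request_review trigger.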

imran-siddique and others added 2 commits June 10, 2026 21:44
…SHA approval

- Trigger on pull_request_review (submitted, dismissed) so an approval
  clears the failing status without waiting for a push; base-branch
  filter moved to the job-level if since pull_request_review does not
  support a branches filter
- Only count a maintainer approval whose commit_id matches the PR head
  SHA at evaluation time (prevents approve-then-swap)
- Paginate listReviews instead of reading only the first 30 reviews

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…emplate

The template runs on pull_request_target with a write-capable token but
checked out agentrust-io/.github at the mutable ref main. Pin to the
current main commit SHA so the executed code can only change via a
deliberate bump.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@imran-siddique imran-siddique merged commit 0b440ff into main Jun 11, 2026
2 of 3 checks passed
imran-siddique added a commit to agentrust-io/agent-manifest that referenced this pull request Jun 11, 2026
…SHA approval (#159)

Ports agentrust-io/.github#8. Refs agentrust-io/.github#9.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
imran-siddique added a commit to agentrust-io/trace-tests that referenced this pull request Jun 11, 2026
…SHA approval (#10)

Ports agentrust-io/.github#8. Refs agentrust-io/.github#9.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
imran-siddique added a commit to agentrust-io/trace-spec that referenced this pull request Jun 11, 2026
…SHA approval (#22)

Ports agentrust-io/.github#8. Refs agentrust-io/.github#9.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
imran-siddique added a commit to agentrust-io/examples that referenced this pull request Jun 11, 2026
…SHA approval (#15)

Ports agentrust-io/.github#8. Refs agentrust-io/.github#9.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
imran-siddique added a commit to agentrust-io/cmcp that referenced this pull request Jun 11, 2026
…SHA approval (#288)

Ports agentrust-io/.github#8. Refs agentrust-io/.github#9.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
imran-siddique added a commit to agentrust-io/awesome-ai-governance that referenced this pull request Jun 11, 2026
…eck (#19)

* ci: add link checking, maintainer gate, and contributor reputation check

- links.yml: lychee over README.md on PRs touching it plus a weekly
  link-rot sweep; 403/429 accepted (bot-hostile sites), SPA anchors excluded.
- require-maintainer-approval.yml: the fixed gate (re-evaluates on review
  events, head-SHA-matched approvals, paginated) ported from
  agentrust-io/.github#8.
- contributor-check.yml: org reputation check with the .github checkout
  pinned by commit SHA.

The repo previously had no CI: community PRs merged with no link
validation or review gate.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: use TOML literal string for the exclude regex

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: drop exclude_mail (not a lychee v0.23 field; mail excluded by default)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: repair four dead links found by the new link checker

- CSA MCP Security Resource Center moved to modelcontextprotocol-security.io
- CyberSecEval directory renamed to CybersecurityBenchmarks in PurpleLlama
- Anthropic zero-trust URL never resolved; replaced with the real
  Trustworthy Agents in Practice research page and an accurate description
- Tuning Engines repo was deleted upstream; entry removed

Also pass GITHUB_TOKEN to lychee: API resolution avoids rate-limit
flakiness and covers org repos that are private until launch.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: exclude pre-launch private org repos and a slow host from lychee

The repo-scoped GITHUB_TOKEN cannot see other private repos in the org,
so the three pre-launch links 404 in CI until the 2026-06-23 launch
(dated removal note in the config). aisafety.camp regularly exceeds CI
timeouts despite being alive.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>