From 28327c139dfaf77565bc77a1ac834e5cdd412fa3 Mon Sep 17 00:00:00 2001
From: Imran Siddique
Date: Tue, 9 Jun 2026 15:13:37 -0700
Subject: [PATCH] feat: add contributor reputation check and maintainer gate workflows

Borrowed from AGT under MIT License. Callers reference the composite action in agentrust-io/.github so script updates happen in one place.

Co-Authored-By: Claude Sonnet 4.6
---
.github/workflows/contributor-check.yml | 42 +++++++++++++++++++
.../workflows/require-maintainer-approval.yml | 39 +++++++++++++++++
2 files changed, 81 insertions(+)
create mode 100644 .github/workflows/contributor-check.yml
create mode 100644 .github/workflows/require-maintainer-approval.yml

diff --git a/.github/workflows/contributor-check.yml b/.github/workflows/contributor-check.yml
new file mode 100644
index 0000000..640d82c
--- /dev/null
+++ b/.github/workflows/contributor-check.yml
@@ -0,0 +1,42 @@
+name: Contributor reputation check
+
+on:
+ pull_request_target:
+ types: [opened]
+ issues:
+ types: [opened]
+ workflow_dispatch:
+ inputs:
+ username:
+ description: GitHub username to check
+ required: true
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ if: |
+ github.actor != 'dependabot[bot]' &&
+ github.actor != 'github-actions[bot]' &&
+ github.actor != 'copilot-swe-agent[bot]' &&
+ github.actor != 'claude-code[bot]' &&
+ github.actor != 'imran-siddique'
+ steps:
+ - name: Checkout org action
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ repository: agentrust-io/.github
+ ref: main
+ persist-credentials: false
+ sparse-checkout: |
+ scripts
+ .github/actions/contributor-check
+
+ - name: Run contributor check
+ uses: ./.github/actions/contributor-check
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/require-maintainer-approval.yml b/.github/workflows/require-maintainer-approval.yml
new file mode 100644
index 0000000..29c65ab
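Review bot: The job holds `issues: write` and `pull-requests: write` on every externally opened PR and issue, yet the code it executes is whatever sits on `ref: main` of `agentrust-io/.github` at run time — the composite action is not pinned the way `actions/checkout` is pinned to a SHA on the line above it. The commit message says this floating ref is intentional, but it means push access to that branch is equivalent to write access to the issues and PRs of every consuming repository; pinning `ref:` to a tag or SHA, or at minimum a comment such as `# trusted: main of agentrust-io/.github must stay branch-protected, it runs with write scopes here`, keeps that trust boundary visible to the next maintainer. Separately, the `workflow_dispatch` input `username` is declared but never passed in the action's `with:` — presumably the action reads it from the event payload itself; confirm that, and if the action accepts it as an input, pass it through explicitly so the contract is visible in this file.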
--- /dev/null
+++ b/.github/workflows/require-maintainer-approval.yml
@@ -0,0 +1,39 @@
+name: Require maintainer approval
+
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened]
+ branches: [main]
+
+permissions:
+ contents: read
+ pull-requests: read
+ statuses: write
+
+jobs:
+ gate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for maintainer approval
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const MAINTAINERS = ['imran-siddique'];
+ const { data: reviews } = await github.rest.pulls.listReviews({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ });
+ const association = context.payload.pull_request.author_association;
+ if (association === 'MEMBER' || association === 'OWNER') {
+ core.info(`Author is ${association} — skipping gate`);
+ return;
+ }
+ const approved = reviews.some(
+ r => r.state === 'APPROVED' &&
+ r.user.type === 'User' &&
+ MAINTAINERS.includes(r.user.login)
+ );
+ if (!approved) {
+ core.setFailed('Waiting for maintainer approval before merging.');
+ }
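Review bot: An approval is accepted no matter which commit it was given on — the `reviews.some(...)` predicate never compares `r.commit_id` with `context.payload.pull_request.head.sha` — so on `synchronize` a maintainer's earlier approval still satisfies the gate after the contributor pushes new commits, which is precisely the window an approval gate on `pull_request_target` exists to close (branch protection may dismiss stale reviews, but this workflow cannot assume it). The same predicate also counts an APPROVED that the maintainer later superseded with CHANGES_REQUESTED or that was dismissed, and `listReviews` returns only the first page (30 by default), so a late approval on a busy PR can be missed; the rewrite below paginates, keeps each maintainer's most recent approving/rejecting review, and requires it to be an approval of the current head. Two smaller points: only `pull_request_target` events are listed, so a maintainer submitting a review does not re-run the gate and the check stays red until the next push or reopen — adding `pull_request_review: types: [submitted]` (whose payload also carries `pull_request`) would fix that; and `statuses: write` appears unused, since the script fails the job via `core.setFailed` and never calls the statuses API, so it can be dropped to stay least-privilege.
```javascript
const MAINTAINERS = ['imran-siddique'];
const pr = context.payload.pull_request;
// Paginate: the default page holds 30 reviews, so a later approval could be missed.
const reviews = await github.paginate(github.rest.pulls.listReviews, {
  owner: context.repo.owner,
  repo: context.repo.repo,
  pull_number: pr.number,
});
// … unchanged: MEMBER/OWNER author skip …
// Keep only each maintainer's most recent APPROVED/CHANGES_REQUESTED/DISMISSED review
// (the API lists reviews chronologically), so a superseded approval does not count.
const latestByMaintainer = new Map();
for (const r of reviews) {
  // COMMENTED and PENDING reviews neither grant nor revoke an approval.
  if (r.state === 'COMMENTED' || r.state === 'PENDING') continue;
  if (r.user?.type === 'User' && MAINTAINERS.includes(r.user.login)) {
    latestByMaintainer.set(r.user.login, r);
  }
}
// Only an approval of the current head counts; anything older was given on code that has since changed.
const approved = [...latestByMaintainer.values()].some(
  r => r.state === 'APPROVED' && r.commit_id === pr.head.sha
);
// … unchanged: core.setFailed when !approved …
```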