mirror of https://github.com/openfrontio/OpenFrontIO.git synced 2026-06-25 21:04:36 +00:00

Files

T

Evan c63bfb6d94 Exempt Dependabot PRs from the PR gate (#4395 )

## What

Adds a trusted-bot exception to the PR gate so Dependabot's PRs are no
longer auto-closed.

## Why

The PR gate (`scripts/pr-gate/`, run by `.github/workflows/pr-gate.yml`)
auto-closes PRs that don't fit the contribution workflow. Dependabot PRs
were getting closed because the bot:

- has no repo permission,
- links no `approved` issue, and
- opens dependency bumps that often exceed the 50-line small-fix cap.

## How

- `config.ts` — new `TRUSTED_BOT_AUTHORS` constant (currently
`["dependabot[bot]"]`), so the allowlist is easy to extend.
- `rules.ts` — new `checkTrustedBot()` rule, wired into `evaluate()`
right after the maintainer bypass and before the repo-access check.
- `tests/PrGateRules.test.ts` — unit tests for the rule plus an
`evaluate()`-level test proving a 5000-line Dependabot PR now passes
instead of closing.
- `README.md` — documented the new rule in the gate-logic ordering.

The match is exact, so a lookalike login (e.g. `not-dependabot[bot]`)
won't slip through. Add more bots (Renovate, etc.) to
`TRUSTED_BOT_AUTHORS` as needed.

## Testing

`npx vitest tests/PrGateRules.test.ts --run` → 39 passed. Lint +
prettier clean.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-23 15:45:26 -07:00

config.ts

Exempt Dependabot PRs from the PR gate (#4395 )

2026-06-23 15:45:26 -07:00

github.ts

Fix PR gate trusting author_association for org membership

2026-06-04 11:51:53 -07:00

index.ts

Fix PR gate trusting author_association for org membership

2026-06-04 11:51:53 -07:00

package-lock.json

Bump the npm_and_yarn group across 3 directories with 6 updates (#4384 )

2026-06-22 18:30:45 -07:00

package.json

github PR gate (#4070 )

2026-05-29 18:28:52 -07:00

README.md

Exempt Dependabot PRs from the PR gate (#4395 )

2026-06-23 15:45:26 -07:00

rules.ts

Exempt Dependabot PRs from the PR gate (#4395 )

2026-06-23 15:45:26 -07:00

tsconfig.json

github PR gate (#4070 )

2026-05-29 18:28:52 -07:00

README.md

PR Gate

Deterministic GitHub Action that auto-closes PRs that don't follow the project's contribution workflow. Trigger: pull_request_target: [opened, reopened].

Gate logic (first match wins)

Maintainer bypass — PR carries the bypass-pr-check label → pass. Apply this label and reopen if the gate closed something you wanted through.
Trusted-bot bypass — PR author is a trusted bot (e.g. dependabot[bot]) → pass. List is in TRUSTED_BOT_AUTHORS.
Org/repo member bypass — author_association is OWNER, MEMBER, or COLLABORATOR → pass.
Approved-work bypass — PR body links an issue (via Closes #N / Fixes #N / Resolves #N) that carries the approved label, and the PR author is in the issue's assignees → pass.
Small-fix bypass — additions + deletions ≤ 50 → pass + apply small-fix label.
Otherwise — apply auto-closed-needs-issue label, post rejection comment, close.

Local testing

cd scripts/pr-gate
npm install
export GITHUB_TOKEN=ghp_... # PAT with repo scope
npx tsx index.ts --pr 1234  # always dry-run unless --no-dry-run

The CLI prints the decision and exits without touching the PR.

Toggling dry-run in production

Go to repo Settings → Secrets and variables → Actions → Variables.
Edit PR_GATE_DRY_RUN.
Set to false to make the Action take real action; any other value (or unset) keeps it in dry-run mode.

The default is true — the gate logs decisions but does not act until the maintainer flips the variable.

Tweaking rules

Thresholds, labels, comment text → config.ts
Rule logic (pure functions) → rules.ts
GitHub API calls → github.ts
Orchestration → index.ts

Known limitations

Runs only on PR open/reopen — not on synchronize. A PR that grows past 50 lines after being passed will not be re-gated.
Cross-repo issue references (owner/repo#N) are not honored.
No LLM is called. This Action is fully deterministic.