mirror of
https://github.com/openfrontio/OpenFrontIO.git
synced 2026-06-25 18:22:43 +00:00
c63bfb6d94
## What

Adds a trusted-bot exception to the PR gate so Dependabot's PRs are no longer auto-closed.

## Why

The PR gate (`scripts/pr-gate/`, run by `.github/workflows/pr-gate.yml`) auto-closes PRs that don't fit the contribution workflow. Dependabot PRs were getting closed because the bot:

- has no repo permission,
- links no `approved` issue, and
- opens dependency bumps that often exceed the 50-line small-fix cap.

## How

- `config.ts` — new `TRUSTED_BOT_AUTHORS` constant (currently `["dependabot[bot]"]`), so the allowlist is easy to extend.
- `rules.ts` — new `checkTrustedBot()` rule, wired into `evaluate()` right after the maintainer bypass and before the repo-access check.
- `tests/PrGateRules.test.ts` — unit tests for the rule plus an `evaluate()`-level test proving a 5000-line Dependabot PR now passes instead of closing.
- `README.md` — documented the new rule in the gate-logic ordering.

The match is exact, so a lookalike login (e.g. `not-dependabot[bot]`) won't slip through. Add more bots (Renovate, etc.) to `TRUSTED_BOT_AUTHORS` as needed.

## Testing

`npx vitest tests/PrGateRules.test.ts --run` → 39 passed. Lint + prettier clean.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2.0 KiB
PR Gate
Deterministic GitHub Action that auto-closes PRs that don't follow the project's contribution workflow. Trigger: `pull_request_target: [opened, reopened]`.
Gate logic (first match wins)
- Maintainer bypass — PR carries the `bypass-pr-check` label → pass. Apply this label and reopen if the gate closed something you wanted through.
- Trusted-bot bypass — PR author is a trusted bot (e.g. `dependabot[bot]`) → pass. List is in `TRUSTED_BOT_AUTHORS`.
- Org/repo member bypass — `author_association` is `OWNER`, `MEMBER`, or `COLLABORATOR` → pass.
- Approved-work bypass — PR body links an issue (via `Closes #N` / `Fixes #N` / `Resolves #N`) that carries the `approved` label, and the PR author is in the issue's assignees → pass.
- Small-fix bypass — `additions + deletions ≤ 50` → pass + apply `small-fix` label.
- Otherwise — apply `auto-closed-needs-issue` label, post rejection comment, close.
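The ordering above as one pure function, added here as an example and not taken from the project's `rules.ts`. The `PrFacts` shape, the `gate()` name and the rule-name strings are assumptions; the labels, associations, threshold and `TRUSTED_BOT_AUTHORS` value come from this README.

```typescript
// Added illustration of the README's first-match-wins ordering; not the project's rules.ts.
// PrFacts, gate() and the rule-name strings are assumptions made for this example.
type Decision = { pass: boolean; rule: string; label?: string };

interface PrFacts {
  author: string; // PR author login
  labels: string[]; // labels currently on the PR
  authorAssociation: string; // GitHub author_association value
  linkedIssue?: { labels: string[]; assignees: string[] }; // from Closes/Fixes/Resolves #N
  additions: number;
  deletions: number;
}

const TRUSTED_BOT_AUTHORS: readonly string[] = ["dependabot[bot]"];
const SMALL_FIX_MAX_LINES = 50;

// Strict equality against each entry: no substring, prefix, suffix or regex matching.
const has = (list: readonly string[], v: string): boolean => list.indexOf(v) !== -1;

function gate(pr: PrFacts): Decision {
  if (has(pr.labels, "bypass-pr-check")) return { pass: true, rule: "maintainer-bypass" };
  if (has(TRUSTED_BOT_AUTHORS, pr.author)) return { pass: true, rule: "trusted-bot" };
  if (has(["OWNER", "MEMBER", "COLLABORATOR"], pr.authorAssociation))
    return { pass: true, rule: "member" };
  const issue = pr.linkedIssue;
  // Both conditions are required: an approved issue AND the author assigned to it.
  if (issue && has(issue.labels, "approved") && has(issue.assignees, pr.author))
    return { pass: true, rule: "approved-work" };
  if (pr.additions + pr.deletions <= SMALL_FIX_MAX_LINES)
    return { pass: true, rule: "small-fix", label: "small-fix" };
  return { pass: false, rule: "auto-close", label: "auto-closed-needs-issue" };
}

// Constructed sample PRs: an outside contributor with a 5000-line diff as the baseline.
const base: PrFacts = {
  author: "someone", labels: [], authorAssociation: "NONE", additions: 4000, deletions: 1000,
};
const samples: PrFacts[] = [
  { ...base, author: "dependabot[bot]" }, // allowlisted: passes despite 5000 lines
  { ...base, author: "not-dependabot[bot]" }, // lookalike login: falls through and closes
  { ...base, additions: 30, deletions: 20 }, // exactly 50 lines: small-fix
  { ...base, additions: 31, deletions: 20 }, // 51 lines: closes
];
for (const pr of samples) console.log(pr.author, pr.additions + pr.deletions, gate(pr));
```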
Local testing
cd scripts/pr-gate
npm install
export GITHUB_TOKEN=ghp_... # PAT with repo scope
npx tsx index.ts --pr 1234 # always dry-run unless --no-dry-run
The CLI prints the decision and exits without touching the PR.
Toggling dry-run in production
- Go to repo Settings → Secrets and variables → Actions → Variables.
- Edit `PR_GATE_DRY_RUN`.
- Set to `false` to make the Action take real action; any other value (or unset) keeps it in dry-run mode.
The default is true — the gate logs decisions but does not act until the maintainer flips the variable.
Tweaking rules
- Thresholds, labels, comment text → config.ts
- Rule logic (pure functions) → rules.ts
- GitHub API calls → github.ts
- Orchestration → index.ts
Known limitations
- Runs only on PR open/reopen — not on `synchronize`. A PR that grows past 50 lines after being passed will not be re-gated.
- Cross-repo issue references (`owner/repo#N`) are not honored.
- No LLM is called. This Action is fully deterministic.