chore: add PR approval gate for new contributors

- Add APPROVED_CONTRIBUTORS file with existing contributors - Add pr-gate.yml workflow to close PRs from unapproved contributors - Add approve-contributor.yml workflow to approve via lgtm on issues - Add CONTRIBUTING.md with guidelines - Update README.md to point to CONTRIBUTING.md
2026-04-15 14:03:49 +00:00 · 2026-01-18 12:26:45 +01:00 · 2026-01-18 12:26:45 +01:00 · 3eded2c146
commit 3eded2c146
parent 632495338f
5 changed files with 321 additions and 64 deletions
--- a/.github/APPROVED_CONTRIBUTORS
+++ b/.github/APPROVED_CONTRIBUTORS
@ -0,0 +1,84 @@
+# GitHub handles of users approved to submit PRs
+# One handle per line (without @)
+# Add new contributors by commenting lgtm on their issue
+aadishv
+airtonix
+aliou
+aos
+austinm911
+banteg
+ben-vargas
+butelo
+can1357
+CarlosGtrz
+cau1k
+cmf
+crcatala
+Cursivez
+cv
+dannote
+default-anton
+dnouri
+DronNick
+enisdenjo
+ferologics
+fightbulc
+ghoulr
+gnattu
+HACKE-RC
+hewliyang
+hjanuschka
+iamd3vil
+jblwilliams
+joshp123
+jsinge97
+justram
+kaofelix
+kiliman
+kim0
+lockmeister
+LukeFost
+lukele
+m-box-mr
+marckrenn
+markusylisiurunen
+mcinteerj
+melihmucuk
+mitsuhiko
+mrexodia
+nathyong
+nickseelert
+nicobailon
+ninlds
+ogulcancelik
+patrick-kidger
+paulbettner
+Perlence
+pjtf93
+prateekmedia
+prathamdby
+ribelo
+richardgill
+robinwander
+ronyrus
+roshanasingh4
+scutifer
+skuridin
+steipete
+svkozak
+tallshort
+theBucky
+thomasmhr
+tiagoefreitas
+timolins
+tmustier
+tudoroancea
+unexge
+vaayne
+VaclavSynacek
+vsabavat
+w-winter
+Whamp
+WismutHansen
+XesGaDeus
+yevhen
--- a/.github/workflows/approve-contributor.yml
+++ b/.github/workflows/approve-contributor.yml
@ -0,0 +1,101 @@
+name: Approve Contributor
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  approve:
+    if: !github.event.issue.pull_request
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+
+      - name: Add contributor to approved list
+        id: update
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const core = require('@actions/core');
+
+            const issueAuthor = context.payload.issue.user.login;
+            const commenter = context.payload.comment.user.login;
+            const commentBody = context.payload.comment.body || '';
+            const approvedFile = '.github/APPROVED_CONTRIBUTORS';
+
+            if (!/^\s*lgtm\s*$/i.test(commentBody)) {
+              console.log('Comment does not match lgtm');
+              core.setOutput('status', 'skipped');
+              return;
+            }
+
+            try {
+              const { data: permissionLevel } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: commenter
+              });
+
+              if (!['admin', 'write'].includes(permissionLevel.permission)) {
+                console.log(`${commenter} does not have write access`);
+                core.setOutput('status', 'skipped');
+                return;
+              }
+            } catch (error) {
+              console.log(`${commenter} does not have collaborator access`);
+              core.setOutput('status', 'skipped');
+              return;
+            }
+
+            let content = fs.readFileSync(approvedFile, 'utf8');
+            const approvedList = content
+              .split('\n')
+              .map(line => line.trim().toLowerCase())
+              .filter(line => line && !line.startsWith('#'));
+
+            if (approvedList.includes(issueAuthor.toLowerCase())) {
+              console.log(`${issueAuthor} is already approved`);
+              core.setOutput('status', 'already');
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: `@${issueAuthor} is already in the approved contributors list.`
+              });
+              return;
+            }
+
+            content = content.trimEnd() + '\n' + issueAuthor + '\n';
+            fs.writeFileSync(approvedFile, content);
+
+            console.log(`Added ${issueAuthor} to approved contributors`);
+            core.setOutput('status', 'added');
+
+      - name: Commit and push
+        if: steps.update.outputs.status == 'added'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .github/APPROVED_CONTRIBUTORS
+          git diff --staged --quiet || git commit -m "chore: approve contributor ${{ github.event.issue.user.login }}"
+          git push
+
+      - name: Comment on issue
+        if: steps.update.outputs.status == 'added'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issueAuthor = context.payload.issue.user.login;
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: `@${issueAuthor} has been added to the approved contributors list. You can now submit PRs. Thanks for contributing!`
+            });
--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@ -0,0 +1,88 @@
+name: PR Gate
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  check-contributor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Check if contributor is approved
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prAuthor = context.payload.pull_request.user.login;
+            const defaultBranch = context.payload.repository.default_branch;
+
+            // Skip bots
+            if (prAuthor.endsWith('[bot]') || prAuthor === 'dependabot[bot]') {
+              console.log(`Skipping bot: ${prAuthor}`);
+              return;
+            }
+
+            // Check if user is a collaborator (has write access)
+            try {
+              const { data: permissionLevel } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: prAuthor
+              });
+              if (['admin', 'write'].includes(permissionLevel.permission)) {
+                console.log(`${prAuthor} is a collaborator with ${permissionLevel.permission} access`);
+                return;
+              }
+            } catch (e) {
+              // User is not a collaborator, continue with check
+            }
+
+            // Fetch approved contributors list
+            const { data: fileContent } = await github.rest.repos.getContent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              path: '.github/APPROVED_CONTRIBUTORS',
+              ref: defaultBranch
+            });
+
+            const content = Buffer.from(fileContent.content, 'base64').toString('utf8');
+            const approvedList = content
+              .split('\n')
+              .map(line => line.trim().toLowerCase())
+              .filter(line => line && !line.startsWith('#'));
+
+            if (approvedList.includes(prAuthor.toLowerCase())) {
+              console.log(`${prAuthor} is in the approved contributors list`);
+              return;
+            }
+
+            // Not approved - close PR with comment
+            console.log(`${prAuthor} is not approved, closing PR`);
+
+            const message = `Hi @${prAuthor}, thanks for your interest in contributing!
+
+We ask new contributors to open an issue first before submitting a PR. This helps us discuss the approach and avoid wasted effort.
+
+**Next steps:**
+1. Open an issue describing what you want to change and why (keep it concise, write in your human voice, AI slop will be closed)
+2. Once a maintainer approves with \`lgtm\`, you'll be added to the approved contributors list
+3. Then you can submit your PR
+
+This PR will be closed automatically. See https://github.com/${context.repo.owner}/${context.repo.repo}/blob/${defaultBranch}/CONTRIBUTING.md for more details.`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: message
+            });
+
+            await github.rest.pulls.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              state: 'closed'
+            });