chore: add PR approval gate for new contributors

- Add APPROVED_CONTRIBUTORS file with existing contributors - Add pr-gate.yml workflow to close PRs from unapproved contributors - Add approve-contributor.yml workflow to approve via lgtm on issues - Add CONTRIBUTING.md with guidelines - Update README.md to point to CONTRIBUTING.md
2026-04-15 23:01:30 +00:00 · 2026-01-18 12:26:45 +01:00 · 2026-01-18 12:26:45 +01:00 · 3eded2c146
commit 3eded2c146
parent 632495338f
5 changed files with 321 additions and 64 deletions
--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@ -0,0 +1,88 @@
+name: PR Gate
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  check-contributor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Check if contributor is approved
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prAuthor = context.payload.pull_request.user.login;
+            const defaultBranch = context.payload.repository.default_branch;
+
+            // Skip bots
+            if (prAuthor.endsWith('[bot]') || prAuthor === 'dependabot[bot]') {
+              console.log(`Skipping bot: ${prAuthor}`);
+              return;
+            }
+
+            // Check if user is a collaborator (has write access)
+            try {
+              const { data: permissionLevel } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: prAuthor
+              });
+              if (['admin', 'write'].includes(permissionLevel.permission)) {
+                console.log(`${prAuthor} is a collaborator with ${permissionLevel.permission} access`);
+                return;
+              }
+            } catch (e) {
+              // User is not a collaborator, continue with check
+            }
+
+            // Fetch approved contributors list
+            const { data: fileContent } = await github.rest.repos.getContent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              path: '.github/APPROVED_CONTRIBUTORS',
+              ref: defaultBranch
+            });
+
+            const content = Buffer.from(fileContent.content, 'base64').toString('utf8');
+            const approvedList = content
+              .split('\n')
+              .map(line => line.trim().toLowerCase())
+              .filter(line => line && !line.startsWith('#'));
+
+            if (approvedList.includes(prAuthor.toLowerCase())) {
+              console.log(`${prAuthor} is in the approved contributors list`);
+              return;
+            }
+
+            // Not approved - close PR with comment
+            console.log(`${prAuthor} is not approved, closing PR`);
+
+            const message = `Hi @${prAuthor}, thanks for your interest in contributing!
+
+We ask new contributors to open an issue first before submitting a PR. This helps us discuss the approach and avoid wasted effort.
+
+**Next steps:**
+1. Open an issue describing what you want to change and why (keep it concise, write in your human voice, AI slop will be closed)
+2. Once a maintainer approves with \`lgtm\`, you'll be added to the approved contributors list
+3. Then you can submit your PR
+
+This PR will be closed automatically. See https://github.com/${context.repo.owner}/${context.repo.repo}/blob/${defaultBranch}/CONTRIBUTING.md for more details.`;
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: message
+            });
+
+            await github.rest.pulls.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              state: 'closed'
+            });