feat: add centralized contributor governance workflow #3
📝 Walkthrough: Adds a reusable contributor-governance workflow for issue labelling, triage-label protection, and PR checks, plus a workflow template and contributing guidance for using it.
(force-pushed from 70b691a to ef0cdfc)
eguzki left a comment:
I wonder about adding some documentation in our contributors guides related to this governance workflow. Maybe some template in this repo so others can render their own?
Adds a reusable GitHub Actions workflow that enforces contributor governance across Kuadrant repos:
- Auto-labels new issues with triage/needs-triage
- Protects triage labels from non-org-members
- Closes PRs without a linked, triaged issue

Org members are exempt from all enforcement.

Requires ORG_MEMBER_TOKEN secret with read:org and repo scope.

Signed-off-by: R-Lawton <rlawton@redhat.com>
(force-pushed from ef0cdfc to 4ed8c61)
Actionable comments posted: 7
Inline comments:
In @.github/workflows/contributor-governance.yml:
- Around line 319-341: The duplicate PR check only examines
closingIssuesReferences for existing open PRs, but the current PR uses a regex
fallback to detect plain references like `#123` without closing keywords. To
ensure consistency, apply the same regex fallback pattern used for the current
PR to the otherPrIssues check. This involves extracting issue references from
the other PR's body text using the same regex logic, not just relying on
closingIssuesReferences, so that PRs with informal issue references are also
properly detected as duplicates.
- Around line 205-207: The issueRegex pattern in the contributor-governance.yml
workflow does not recognize full GitHub issue URLs in the format
https://github.com/Kuadrant/<repo>/issues/<number>. Update the issueRegex
pattern to also match and extract the issue number from these complete GitHub
URLs, not just shorthand references like `#123` or Kuadrant/repo#123. This will
ensure that PRs containing full GitHub URLs in their body are correctly
identified as having linked issues.
- Around line 308-310: The current loop skips PRs authored by the same actor
using the condition `if (otherPr.user.login === actor) continue;`, which
prevents the one-active-PR-per-external-contributor rule from being enforced.
Remove this condition so that the loop checks all other active PRs by the same
external contributor, allowing the validation logic to detect and block multiple
active PRs from a single external contributor. Keep only the check that skips
the current PR by its number while ensuring the logic properly identifies when
an external contributor has other active PRs already in the repository.
- Around line 88-115: The workflow currently removes an unauthorised triage
label but only restores it with a default 'triage/needs-triage' label instead of
restoring the exact label that was removed. When the action is 'unlabeled',
capture the removed label name from context.payload.label.name (which is a
triage label based on the conditional check), and instead of only adding
'triage/needs-triage' when no triage label remains, directly re-add that
specific removed label to preserve the original triage status. This ensures that
removing a triage label like 'triage/accepted' restores 'triage/accepted' rather
than downgrading it to 'triage/needs-triage'.
- Around line 14-16: The workflow_call trigger in the on section does not
declare the ORG_MEMBER_TOKEN secret that is required by the
protect-triage-labels and check-pr jobs. Add a secrets section under
workflow_call to explicitly declare ORG_MEMBER_TOKEN as a required secret so
that callers of this reusable workflow are aware of the dependency at invocation
time rather than failing at runtime when the jobs attempt to access
secrets.ORG_MEMBER_TOKEN.
- Around line 313-318: The organisation membership check for other PR authors
lacks error handling for non-204 responses, unlike the primary actor check and
protect-triage-labels check elsewhere in the file. After the fetch call in the
otherRes section (around line 313-318), add error handling that throws an error
if the response status is neither 204 (member confirmed) nor 404 (non-member).
This ensures that 401, 403, and 5xx error responses are properly caught and
reported instead of falling through as if the user is a non-member, which could
cause an organisation member's PR to incorrectly block an external contributor's
PR.
- Around line 134-158: The job condition currently only triggers on pull_request
events, which prevents it from running when callers use the pull_request_target
trigger pattern needed for fork pull requests to access secrets. Since this job
performs only API-level operations without checking out untrusted code, modify
the if condition to allow both pull_request and pull_request_target event types
while keeping the action checks for opened and reopened. Update the condition to
include both event names using OR logic.
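The review above raises three points that interact: how issue references are extracted from a PR body (shorthand `#123`, `Kuadrant/repo#123`, and full issue URLs), how the organisation membership probe's status codes are interpreted (anything other than 204/404 must fail the run rather than silently count as "non-member"), and how the duplicate/one-active-PR check iterates other open PRs (skipping only the current PR, applying the same regex fallback to each other PR's body). The block below is an added example and not code from the Kuadrant workflow; it assumes the org name `Kuadrant`, that the membership probe is GitHub's `GET /orgs/{org}/members/{username}` (204 member, 404 non-member), and uses constructed sample PRs and statuses in place of real API responses. The function names (`extractIssueRefs`, `isOrgMember`, `findConflicts`) are hypothetical.

```javascript
// Added example, not code from the Kuadrant workflow: the three checks the
// review above discusses, as plain functions runnable outside GitHub Actions.
// Assumptions: org "Kuadrant"; the membership probe is GitHub's
// GET /orgs/{org}/members/{username}, which answers 204 (member) or 404
// (non-member); the sample PRs and statuses below are constructed.

const ORG = "Kuadrant";

// Issue references a contributor may put in a PR body:
//   #123                                         same-repo shorthand
//   Kuadrant/repo#123                            org-qualified shorthand
//   https://github.com/Kuadrant/repo/issues/123  full URL
// Returns canonical "Kuadrant/repo#N" strings, de-duplicated and sorted, so
// "#12" in authorino and "Kuadrant/limitador#12" are not confused.
function extractIssueRefs(body, repo, org = ORG) {
  if (!body) return [];
  const found = new Set();
  const shorthand = new RegExp(`(?:^|[\\s(])(?:${org}/([\\w.-]+))?#(\\d+)\\b`, "gi");
  for (const m of body.matchAll(shorthand)) found.add(`${org}/${m[1] ?? repo}#${m[2]}`);
  const url = new RegExp(`https://github\\.com/${org}/([\\w.-]+)/issues/(\\d+)\\b`, "gi");
  for (const m of body.matchAll(url)) found.add(`${org}/${m[1]}#${m[2]}`);
  return [...found].sort();
}

// Interpret the membership probe. Only the two documented answers are
// accepted; a 401 (bad token), 403 (missing read:org scope) or 5xx must
// surface as a failed run rather than silently becoming "non-member",
// otherwise an org member's PR gets misclassified by the checks below.
function isOrgMember(status) {
  if (status === 204) return true;
  if (status === 404) return false;
  throw new Error(`unexpected membership check status ${status}`);
}

// Check the current PR against every other open PR in the same repo:
//  - skip only the current PR itself (not other PRs by the same author, so
//    the one-active-PR-per-external-contributor rule is enforced);
//  - skip PRs by org members, who are exempt from governance;
//  - run the same reference extraction over the other PR's body, so informal
//    "#123" references are detected as duplicates, not only closing keywords.
// memberStatus(login) returns the HTTP status of the membership probe.
function findConflicts(current, openPrs, repo, memberStatus) {
  const mine = new Set(extractIssueRefs(current.body, repo));
  const conflicts = [];
  for (const other of openPrs) {
    if (other.number === current.number) continue;
    if (isOrgMember(memberStatus(other.author))) continue;
    const sameAuthor = other.author === current.author;
    const overlap = extractIssueRefs(other.body, repo).filter((ref) => mine.has(ref));
    if (sameAuthor || overlap.length > 0) {
      conflicts.push({ number: other.number, sameAuthor, overlap });
    }
  }
  return conflicts;
}

// Constructed sample data standing in for the REST/GraphQL responses.
const SAMPLE_OPEN_PRS = [
  { number: 41, author: "alice-ext", body: "Fixes #12" },
  { number: 42, author: "bob-member", body: "Refs https://github.com/Kuadrant/authorino/issues/12" },
  { number: 43, author: "carol-ext", body: "Kuadrant/authorino#12 follow-up" },
  { number: 44, author: "alice-ext", body: "Unrelated docs tweak" },
  { number: 46, author: "dave-ext", body: "Fixes Kuadrant/limitador#12" },
];
const SAMPLE_MEMBERSHIP = { "bob-member": 204, "alice-ext": 404, "carol-ext": 404, "dave-ext": 404 };
// Unknown login: simulate an API failure so the fail-closed path is visible.
const sampleMemberStatus = (login) => SAMPLE_MEMBERSHIP[login] ?? 500;

function demo() {
  const current = { number: 45, author: "alice-ext", body: "Closes #12" };
  return findConflicts(current, SAMPLE_OPEN_PRS, "authorino", sampleMemberStatus);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block reports PRs 41 and 44 (same external author) and 43 (same issue referenced informally), while PR 42 is ignored because its author is an org member and PR 46 is ignored because `Kuadrant/limitador#12` is a different issue from `#12` in the current repo. Canonicalising references to `org/repo#N` is what keeps that last distinction; a number-only comparison would flag it as a duplicate.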
- CONTRIBUTING.md explains the triage process and PR requirements
- workflow-templates/ provides a GitHub-native template that repos can adopt from the Actions > New Workflow page

Signed-off-by: R-Lawton <rlawton@redhat.com>
- Declare ORG_MEMBER_TOKEN as required secret in workflow_call
- Support pull_request_target for fork PRs accessing secrets
- Match full GitHub issue URLs (github.com/.../issues/N)
- Add error handling on anti-piggyback org membership check

Signed-off-by: R-Lawton <rlawton@redhat.com>
Actionable comments posted: 1
🧹 Nitpick comments (2)
CONTRIBUTING.md (1)
15-15: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value: Use British English phrasing.
"have a look" is more idiomatic in British English than "take a look".
-If you think an issue should be re-prioritised, leave a comment and a maintainer will take a look. +If you think an issue should be re-prioritised, leave a comment and a maintainer will have a look.
workflow-templates/contributor-governance.yml (1)
13-13: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win: Pin the reusable workflow to an immutable ref.
Using @main means every adopting repository picks up future governance changes immediately, including breaking ones. A release tag or commit SHA makes roll-outs reviewable and reproducible.
Inline comments:
In `@workflow-templates/contributor-governance.yml`:
- Around line 6-14: The workflow in contributor-governance.yml is triggering
twice and failing on forked PRs because both pull_request and
pull_request_target are enabled. Remove the pull_request trigger from the
top-level event list and keep pull_request_target for the governance job so the
reusable workflow invoked by governance still gets the required secrets through
secrets: inherit without duplicate or failing runs.
Having both pull_request and pull_request_target causes duplicate runs. pull_request_target is needed for fork PRs to access secrets.

Signed-off-by: R-Lawton <rlawton@redhat.com>
General contribution guidance lives on the website. This file now only covers the triage labels and PR requirements enforced by the governance automation.

Signed-off-by: R-Lawton <rlawton@redhat.com>
(force-pushed from c367ef1 to 6cbc69e)
Triage is now just needs-triage → accepted. Removed milestone references: triage means the team has discussed, prioritised, and approved the issue for work.

Signed-off-by: R-Lawton <rlawton@redhat.com>
Adds a reusable GitHub Actions workflow that enforces contributor governance across Kuadrant repos:
- `triage/needs-triage`

Target repos adopt this via a thin caller workflow (~15 lines) with `secrets: inherit`.

TEST REPO: https://github.com/Kuadrant/governance-test

Requires:
- `ORG_MEMBER_TOKEN` with `read:org` scope (done)
- `triage/*` labels created in target repos (separate rollout step)