[no-ci] Trust any collaborator in restricted-paths guard (#2010)

rwgk · cursoragent · web-flow · commit 64e2e6a9d4e3 · 2026-05-04T09:52:04.000-07:00
* Trust any collaborator in restricted-paths guard Restricted-paths review is only meant for authors outside the collaborator set, so read and triage access should count as trusted signals too. Co-authored-by: Cursor <cursoragent@cursor.com> * Post PR comment when restricted-paths review is required Make it easier to discover why Needs-Restricted-Paths-Review was applied by posting a short PR comment with a link to the workflow run summary whenever the label is newly added. Co-authored-by: Cursor <cursoragent@cursor.com> * TEMPORARY: Switch to pull_request trigger for testing This commit is for testing the collaborator permission check and must be reverted before merge: 1. Changes trigger from pull_request_target to pull_request so this branch's workflow definition runs instead of main's. 2. Adds a dummy change to cuda_bindings/pyproject.toml to trigger the restricted-paths detection. REVERT THIS COMMIT BEFORE MERGE. Made-with: Cursor * TEMPORARY: Exclude write permission from trusted collaborators This commit is for testing the label-and-comment path and must be reverted before merge. It temporarily treats write access as untrusted so the current PR will exercise Needs-Restricted-Paths-Review assignment again. Co-authored-by: Cursor <cursoragent@cursor.com> * Revert "TEMPORARY: Exclude write permission from trusted collaborators" This reverts commit 31ddac2. * Revert "TEMPORARY: Switch to pull_request trigger for testing" This reverts commit 9b2fcd8. --------- Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
@@ -29,6 +29,7 @@ jobs:
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_URL: ${{ github.event.pull_request.html_url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
           # Workflow policy inputs
           REVIEW_LABEL: Needs-Restricted-Paths-Review
@@ -113,9 +114,25 @@ jobs:
             echo '```'
           }
 
+          post_review_label_comment() {
+            local comment_body
+            printf -v comment_body '%s\n\n%s\n' \
+              "\`$REVIEW_LABEL\` was assigned by \`CI: Restricted Paths Guard\`." \
+              "For details, open [this workflow run]($RUN_URL) and click **Summary**."
+
+            if gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
+              -f body="$comment_body" >/dev/null; then
+              COMMENT_ACTION="posted"
+            else
+              COMMENT_ACTION="failed (non-fatal)"
+              echo "::warning::Failed to post PR comment about newly added $REVIEW_LABEL."
+            fi
+          }
+
           HAS_TRUSTED_SIGNAL=false
           LABEL_ACTION="not needed (no restricted paths)"
           TRUSTED_SIGNALS="(none)"
+          COMMENT_ACTION="not needed"
 
           if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
             # Distinguish a legitimate 404 "not a collaborator" response from
@@ -149,13 +166,13 @@ jobs:
             fi
 
             case "$COLLABORATOR_PERMISSION" in
-              admin|maintain|write)
+              admin|maintain|write|triage|read)
                 HAS_TRUSTED_SIGNAL=true
                 LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
                 TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
                 ;;
               *)
-                # triage, read, or none: not a trusted signal
+                # none: not a trusted signal
                 ;;
             esac
           fi
@@ -189,6 +206,7 @@ jobs:
               exit 1
             else
               LABEL_ACTION="added"
+              post_review_label_comment
             fi
           elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
             LABEL_ACTION="left in place (manual removal required)"
@@ -203,6 +221,7 @@ jobs:
             echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
             echo "- **Trusted signals**: $TRUSTED_SIGNALS"
             echo "- **Label action**: $LABEL_ACTION"
+            echo "- **Comment action**: $COMMENT_ACTION"
             if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
               echo ""
               write_matching_restricted_paths
