CI: harden restricted paths guard label handling

rwgk · rwgk · commit 66bd22eae87e · 2026-04-11T07:46:27.000-07:00
Fetch live PR labels to avoid stale event data, use pull-request label edits, and keep the restricted-paths review label in place until a maintainer removes it manually.

Made-with: Cursor
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
@@ -4,6 +4,7 @@
 name: "CI: Restricted Paths Guard"
 
 on:
+  # Run on drafts too so maintainers get early awareness on WIP PRs.
   # Label updates on fork PRs require pull_request_target permissions.
   pull_request_target:
     types:
@@ -18,14 +19,12 @@ jobs:
     if: github.repository_owner == 'NVIDIA'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: read
+      pull-requests: write
     steps:
       - name: Inspect PR author signals for restricted paths
         env:
           # PR metadata inputs
           AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }}
-          EXISTING_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_URL: ${{ github.event.pull_request.html_url }}
@@ -71,6 +70,26 @@ jobs:
             exit 1
           fi
 
+          # Fetch live PR labels to avoid stale event payload (race condition
+          # when labels are changed shortly before the workflow runs).
+          if ! LIVE_LABELS=$(
+            gh pr view "${PR_NUMBER}" --repo "${REPO}" \
+              --json labels \
+              --jq '[.labels[].name]'
+          ); then
+            echo "::error::Failed to inspect the current PR labels."
+            {
+              echo "## Restricted Paths Guard Failed"
+              echo ""
+              echo "- **Error**: Failed to inspect the current PR labels."
+              echo "- **Author**: $PR_AUTHOR"
+              echo "- **Author association**: $AUTHOR_ASSOCIATION"
+              echo ""
+              echo "Please update the PR at: $PR_URL"
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
           TOUCHES_RESTRICTED_PATHS=false
           if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then
             TOUCHES_RESTRICTED_PATHS=true
@@ -97,15 +116,20 @@ jobs:
             esac
           fi
 
+          NEEDS_REVIEW_LABEL=false
+          if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
+            NEEDS_REVIEW_LABEL=true
+          fi
+
           LABEL_ALREADY_PRESENT=false
-          if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$EXISTING_LABELS" >/dev/null; then
+          if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS" >/dev/null; then
             LABEL_ALREADY_PRESENT=true
           fi
 
-          if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
+          if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
             if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
               LABEL_ACTION="already present"
-            elif ! gh issue edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
+            elif ! gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
               echo "::error::Failed to add the $REVIEW_LABEL label."
               {
                 echo "## Restricted Paths Guard Failed"
@@ -122,6 +146,8 @@ jobs:
             else
               LABEL_ACTION="added"
             fi
+          elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
+            LABEL_ACTION="left in place (manual removal required)"
           fi
 
           {
@@ -137,8 +163,11 @@ jobs:
               echo ""
               write_matching_restricted_paths
             fi
-            if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
+            if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
               echo ""
               echo "- **Manual follow-up**: No trusted signal was found, so \`$REVIEW_LABEL\` is required."
+            elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
+              echo ""
+              echo "- **Manual follow-up**: Existing \`$REVIEW_LABEL\` was left in place intentionally because this workflow does not inspect every commit. Remove it manually after reviewing the PR for restricted-paths policy compliance."
             fi
           } >> "$GITHUB_STEP_SUMMARY"
