fix(ci): Check maintainer status against PR repo, not issue repo

4f91b11
Merged

ci: Add workflow to close unvetted non-maintainer PRs #5895

@sentry/warden / warden: code-review completed Mar 27, 2026 in 1m 5s

2 issues

code-review: Found 2 issues (1 medium, 1 low)

Medium

Maintainer check uses PR repository instead of referenced issue's repository - `.github/workflows/close-unvetted-pr.yml:199`

On line 199, `isMaintainer(repo.owner, repo.repo, user)` checks if the user is a maintainer of the PR's target repository, not the issue's repository (`ref.owner`, `ref.repo`). The comment on lines 188-189 states 'Check each commenter (and issue author) for admin/maintain access on the issue's repo', but the implementation checks the PR's repo instead. For cross-repo issue references (e.g., `getsentry/other-repo#123`), this may incorrectly validate or reject PRs based on maintainer status in the wrong repository.

Low

Potential null access if PR author user is deleted - `.github/workflows/close-unvetted-pr.yml:29`

Line 29 accesses `pullRequest.user.login` without null-checking. If the PR author's GitHub account is deleted or suspended between PR creation and workflow execution, `pullRequest.user` could be null, causing a runtime error. The code already handles this pattern for issue users (lines 183-184) but not for the PR author.


Duration: 57.1s · Tokens: 63.4k in / 2.3k out · Cost: $0.22 (+extraction: $0.00, +merge: $0.00, +fix_gate: $0.01)
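Both findings above, worked through as an added example. This is not the workflow's own code (the page does not show `close-unvetted-pr.yml`); it is a standalone sketch of the same check: resolve each issue reference to its own `owner`/`repo` before the permission lookup, and tolerate a PR whose author account no longer exists. The `client` argument is an assumed synchronous stand-in for the octokit calls a github-script step would make (`repos.getCollaboratorPermissionLevel`, `issues.get`, `issues.listComments`), and the fixture data in `makeFakeClient` is constructed. One policy choice goes beyond the review and is an assumption here: cross-repo references only count when they stay inside the PR's own owner/org, because maintainer status in an arbitrary repo is something any contributor can grant themselves.

```javascript
// Added example, not the project's workflow code. Demonstrates the two review
// findings: permission lookup against the referenced issue's repo (ref.owner,
// ref.repo) rather than the PR's, and a null-safe PR author. `client` is an
// assumed synchronous stand-in for octokit; fixture data below is constructed.

const SHORT_REF = /(?:\b([\w.-]+)\/([\w.-]+))?#(\d+)\b/g;
const URL_REF = /https?:\/\/github\.com\/([\w.-]+)\/([\w.-]+)\/(?:issues|pull)\/(\d+)/g;
const MAINTAINER_ROLES = new Set(['admin', 'maintain']);

// Resolve "#123", "owner/repo#123" and issue URLs to explicit coordinates.
// A bare "#123" is relative to the PR's repo; cross-repo refs keep their own.
function parseIssueRefs(body, prRepo) {
  const refs = new Map();
  const add = (owner, repo, num) =>
    refs.set(`${owner}/${repo}#${num}`, { owner, repo, number: Number(num) });
  const text = body || '';
  for (const m of text.matchAll(URL_REF)) add(m[1], m[2], m[3]);
  // Blank out URLs first so their path segments are not re-parsed as short refs.
  for (const m of text.replace(URL_REF, ' ').matchAll(SHORT_REF)) {
    add(m[1] || prRepo.owner, m[2] || prRepo.repo, m[3]);
  }
  return [...refs.values()];
}

// admin/maintain on the *given* repo. The permission endpoint 404s for
// non-collaborators, which the fake client models by returning null.
function isMaintainer(client, owner, repo, username) {
  const perm = client.getCollaboratorPermissionLevel(owner, repo, username);
  if (!perm) return false;
  return MAINTAINER_ROLES.has(perm.role_name) || perm.permission === 'admin';
}

function vettedByMaintainer(client, pullRequest, prRepo) {
  // Null-safe: the author's account can vanish between PR creation and the run.
  const author = pullRequest.user ? pullRequest.user.login : null;
  if (author === null) return { vetted: false, reason: 'PR author unavailable' };
  if (isMaintainer(client, prRepo.owner, prRepo.repo, author)) {
    return { vetted: true, reason: `author maintains ${prRepo.owner}/${prRepo.repo}` };
  }
  for (const ref of parseIssueRefs(pullRequest.body, prRepo)) {
    // Assumed policy: only repos under the PR's own owner/org count. Maintainer
    // status in an arbitrary repo is something any contributor can grant themselves.
    if (ref.owner !== prRepo.owner) continue;
    const issue = client.getIssue(ref.owner, ref.repo, ref.number);
    if (!issue) continue; // dangling reference or no access
    const participants = new Set();
    if (issue.user) participants.add(issue.user.login); // issue author may be deleted too
    for (const c of client.listComments(ref.owner, ref.repo, ref.number)) {
      if (c.user) participants.add(c.user.login);
    }
    for (const user of participants) {
      // The lookup targets the referenced issue's repo, not prRepo.
      if (isMaintainer(client, ref.owner, ref.repo, user)) {
        return { vetted: true, reason: `${user} maintains ${ref.owner}/${ref.repo}` };
      }
    }
  }
  return { vetted: false, reason: 'no maintainer involvement found' };
}

// Constructed fixture standing in for the GitHub API: two repos under one
// owner with one maintainer each, plus an outsider who admins their own repo.
function makeFakeClient() {
  const perms = {
    'acme/app/alice': { permission: 'write', role_name: 'maintain' },
    'acme/other-repo/bob': { permission: 'admin', role_name: 'admin' },
    'mallory/mine/mallory': { permission: 'admin', role_name: 'admin' },
  };
  const issues = {
    'acme/other-repo#7': { user: { login: 'carol' }, comments: [{ user: { login: 'bob' } }] },
    'acme/app#9': { user: null, comments: [{ user: { login: 'dave' } }] },
    'mallory/mine#1': { user: { login: 'mallory' }, comments: [] },
  };
  return {
    getCollaboratorPermissionLevel: (o, r, u) => perms[`${o}/${r}/${u}`] || null,
    getIssue: (o, r, n) => issues[`${o}/${r}#${n}`] || null,
    listComments: (o, r, n) => (issues[`${o}/${r}#${n}`] || { comments: [] }).comments,
  };
}

const PR_REPO = { owner: 'acme', repo: 'app' };

// The review's scenario: a PR in acme/app references acme/other-repo#7, where
// bob (admin there, no access to acme/app) commented. A lookup against acme/app
// would wrongly report "not vetted"; the lookup against acme/other-repo passes.
const crossRepoPr = { user: { login: 'eve' }, body: 'Fixes acme/other-repo#7' };
console.log(JSON.stringify(vettedByMaintainer(makeFakeClient(), crossRepoPr, PR_REPO)));
```

Swapping the two repo arguments in the `isMaintainer` call inside the loop (passing `prRepo.owner`, `prRepo.repo`) reproduces the medium finding: `bob` is not a collaborator on `acme/app`, so the same PR is reported as unvetted. The `ref.owner !== prRepo.owner` guard is what keeps the corrected lookup from becoming a self-vetting path through a repo the contributor controls.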

Annotations

Check warning on line 199 in .github/workflows/close-unvetted-pr.yml
