chore: skip CI for PRs opened by non-collaborators #100

Open
Rishavraaj wants to merge 4 commits into main from chore/prevent-ci-for-non-collaborators

@Rishavraaj Rishavraaj commented Apr 21, 2026

Contributor

Summary

  • Added an if condition to the ci job in .github/workflows/ci.yml to skip CI
    for PRs opened by non-collaborators
  • CI runs for OWNER, MEMBER, COLLABORATOR, and CONTRIBUTOR author
    associations
  • Brand new / unknown contributors (FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, NONE)
    will have CI skipped
  • Pushes to main always run CI regardless

Motivation

Without this guard, every PR from an unknown contributor triggers the full CI
pipeline — consuming runner minutes and potentially executing untrusted code in the
CI environment.

How it works

GitHub Actions exposes github.event.pull_request.author_association on
pull_request events:

| Value | Who | CI runs? |
|---|---|---|
| OWNER | Repository owner | |
| MEMBER | Org member | |
| COLLABORATOR | Explicitly added collaborator | |
| CONTRIBUTOR | Past contributor with merged PR | |
| FIRST_TIME_CONTRIBUTOR | First PR ever to this repo | |
| FIRST_TIMER | First PR ever on GitHub | |
| NONE | No prior relationship | |

Note: Org members with private membership are reported as CONTRIBUTOR by
GitHub, which is why CONTRIBUTOR is included in the allowlist.

Test plan

  • Open a PR as a collaborator/member → CI runs
  • Open a PR as a past contributor → CI runs
  • Open a PR from a brand new external account → CI is skipped
  • Push to main → CI always runs

Rishavraaj and others added 3 commits April 21, 2026 14:39

Add an if condition to the ci job so it only runs on pushes to main or
PRs from owners, members, or collaborators. External contributor PRs
will show the job as skipped rather than consuming CI minutes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Temporary debug step to diagnose why CI is being skipped for org members.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Add CONTRIBUTOR to the author_association allowlist so org members with
private membership can trigger CI. Remove temporary debug job.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@Rishavraaj Rishavraaj self-assigned this Apr 21, 2026

CONTRIBUTOR is assigned to anyone who has ever had a commit merged,
including one-time external contributors. Only OWNER, MEMBER, and
COLLABORATOR represent explicitly trusted collaborators.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
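
One way to write the job-level guard this PR describes, as an added example (the PR's actual diff is not shown on this page, so this is not the project's code). The trigger block, runner and steps are assumptions; the allowlist uses the three values the last commit message names as explicitly trusted.

```yaml
# Added example; not the workflow file from this PR.
name: CI

on:
  push:
    branches: [main]      # assumption: CI on pushes to main, per the PR summary
  pull_request:

jobs:
  ci:
    # Run on pushes, or on PRs whose author_association is on the allowlist.
    # On push events github.event.pull_request does not exist, so the
    # event_name clause is what lets those runs through.
    # FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, NONE and CONTRIBUTOR are not
    # listed, so PRs from those authors show the job as skipped.
    if: >-
      github.event_name == 'push' ||
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'),
      github.event.pull_request.author_association)
    runs-on: ubuntu-latest            # assumption
    steps:
      - uses: actions/checkout@v4
      - run: make test                # assumption: placeholder for the real CI steps
```

A job skipped by `if` reports its status as success, so a required status check on `ci` will not by itself block merging a PR whose CI never ran. Skipped PRs need an explicit maintainer re-run or review before merge.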