From 5be4fd9138a1c75b76c40bc60f4d036bb4ab22b0 Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Tue, 17 Feb 2026 15:34:56 -0500 Subject: [PATCH] fix(ci): keep both workflow owners in approval allowlist (#652) * fix(ci): always include both workflow owners in approval gate * fix(ci): allow workflow-owner-authored PRs through owner gate --- .github/workflows/ci.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2c30159..854c135 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -220,27 +220,32 @@ jobs: - name: Require owner approval for workflow file changes uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 env: - WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS || 'theonlyhennygod,willsarg' }} + WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS }} with: script: | const owner = context.repo.owner; const repo = context.repo.repo; const prNumber = context.payload.pull_request?.number; + const prAuthor = context.payload.pull_request?.user?.login?.toLowerCase() || ""; if (!prNumber) { core.setFailed("Missing pull_request context."); return; } - const ownerAllowlist = (process.env.WORKFLOW_OWNER_LOGINS || "") + const baseOwners = ["theonlyhennygod", "willsarg"]; + const configuredOwners = (process.env.WORKFLOW_OWNER_LOGINS || "") .split(",") .map((login) => login.trim().toLowerCase()) .filter(Boolean); + const ownerAllowlist = [...new Set([...baseOwners, ...configuredOwners])]; if (ownerAllowlist.length === 0) { - core.setFailed("WORKFLOW_OWNER_LOGINS is empty. Set a repository variable or use a fallback value."); + core.setFailed("Workflow owner allowlist is empty."); return; } + core.info(`Workflow owner allowlist: ${ownerAllowlist.join(", ")}`); + const files = await github.paginate(github.rest.pulls.listFiles, { owner, repo, 
@@ -259,6 +264,11 @@ jobs: core.info(`Workflow files changed:\n- ${workflowFiles.join("\n- ")}`); + if (prAuthor && ownerAllowlist.includes(prAuthor)) { + core.info(`Workflow PR authored by allowlisted owner: @${prAuthor}`); + return; + } + const reviews = await github.paginate(github.rest.pulls.listReviews, { owner, repo, @@ -285,7 +295,7 @@ jobs: const ownerApprover = approvedUsers.find((login) => ownerAllowlist.includes(login)); if (!ownerApprover) { core.setFailed( - `Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match WORKFLOW_OWNER_LOGINS.`, + `Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match workflow owner allowlist.`, ); return; }
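Review bot: The early return added in the second hunk (`if (prAuthor && ownerAllowlist.includes(prAuthor)) { ... return; }`) exempts owner-authored PRs from the approval check entirely, so a workflow-file change opened by either hardcoded owner now passes this gate with no second reviewer, which removes the two-person control the step exists to enforce. A safer shape keeps the approval requirement but excludes the author from the acceptable approvers: `const eligibleApprovers = ownerAllowlist.filter((login) => login !== prAuthor);` and, in the third hunk, `const ownerApprover = approvedUsers.find((login) => eligibleApprovers.includes(login));`. If the bypass is deliberate, a comment above the `if` stating that workflow owners may self-merge workflow changes, and why, would keep the exemption from being read as a bug. Separately, in the first hunk the `ownerAllowlist.length === 0` branch is unreachable once `baseOwners` is hardcoded, so the "Workflow owner allowlist is empty." failure is dead code. The github-script body continues past the visible hunks, and the first two hunks appear truncated after `repo,`.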