fix(ci): keep both workflow owners in approval allowlist (#652)

* fix(ci): always include both workflow owners in approval gate * fix(ci): allow workflow-owner-authored PRs through owner gate
2026-02-17 15:34:56 -05:00 · 2026-02-17 15:34:56 -05:00 · 5be4fd9138
commit 5be4fd9138
parent a87ea84073
1 changed files with 14 additions and 4 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -220,27 +220,32 @@ jobs:
            - name: Require owner approval for workflow file changes
              uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
              env:
-                  WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS || 'theonlyhennygod,willsarg' }}
+                  WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS }}
              with:
                  script: |
                      const owner = context.repo.owner;
                      const repo = context.repo.repo;
                      const prNumber = context.payload.pull_request?.number;
+                      const prAuthor = context.payload.pull_request?.user?.login?.toLowerCase() || "";
                      if (!prNumber) {
                        core.setFailed("Missing pull_request context.");
                        return;
                      }

-                      const ownerAllowlist = (process.env.WORKFLOW_OWNER_LOGINS || "")
+                      const baseOwners = ["theonlyhennygod", "willsarg"];
+                      const configuredOwners = (process.env.WORKFLOW_OWNER_LOGINS || "")
                        .split(",")
                        .map((login) => login.trim().toLowerCase())
                        .filter(Boolean);
+                      const ownerAllowlist = [...new Set([...baseOwners, ...configuredOwners])];

                      if (ownerAllowlist.length === 0) {
-                        core.setFailed("WORKFLOW_OWNER_LOGINS is empty. Set a repository variable or use a fallback value.");
+                        core.setFailed("Workflow owner allowlist is empty.");
                        return;
                      }

+                      core.info(`Workflow owner allowlist: ${ownerAllowlist.join(", ")}`);
+
                      const files = await github.paginate(github.rest.pulls.listFiles, {
                        owner,
                        repo,
@ -259,6 +264,11 @@ jobs:

                      core.info(`Workflow files changed:\n- ${workflowFiles.join("\n- ")}`);

+                      if (prAuthor && ownerAllowlist.includes(prAuthor)) {
+                        core.info(`Workflow PR authored by allowlisted owner: @${prAuthor}`);
+                        return;
+                      }
+
                      const reviews = await github.paginate(github.rest.pulls.listReviews, {
                        owner,
                        repo,
@ -285,7 +295,7 @@ jobs:
                      const ownerApprover = approvedUsers.find((login) => ownerAllowlist.includes(login));
                      if (!ownerApprover) {
                        core.setFailed(
-                          `Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match WORKFLOW_OWNER_LOGINS.`,
+                          `Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match workflow owner allowlist.`,
                        );
                        return;
                      }