[no-ci] CI: stop trusting public read permission in restricted paths guard (#2105)

rwgk · web-flow · commit 42eecda08fcf · 2026-05-19T15:00:30.000-07:00
* [no-ci] CI: stop trusting public read permission in restricted paths guard Use the live pull request API for author association and treat collaborator read permission as untrusted because public repositories report read access for any GitHub user. * TEMPORARY: Switch to pull_request trigger for testing This commit is for testing the collaborator permission check and must be reverted before merge: 1. Changes trigger from pull_request_target to pull_request so this branch's workflow definition runs instead of main's. 2. Adds a dummy change to cuda_bindings/pyproject.toml to trigger the restricted-paths detection. REVERT THIS COMMIT BEFORE MERGE. Made-with: Cursor * TEMPORARY: Exclude write permission from trusted collaborators This commit is for testing the label-and-comment path and must be reverted before merge. It temporarily treats write access as untrusted so the current PR will exercise Needs-Restricted-Paths-Review assignment again. * Revert "TEMPORARY: Exclude write permission from trusted collaborators" This reverts commit 5226846. * Revert "TEMPORARY: Switch to pull_request trigger for testing" This reverts commit 5ede772.
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
@@ -24,8 +24,8 @@ jobs:
     steps:
       - name: Inspect PR author signals for restricted paths
         env:
-          # PR metadata inputs (author_association from event payload is
-          # unreliable for fork PRs, so we query the collaborator API directly)
+          # PR metadata inputs (the event payload's author_association can be
+          # stale for fork PRs, so restricted-path PRs query the live PR API).
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_URL: ${{ github.event.pull_request.html_url }}
@@ -42,6 +42,8 @@ jobs:
 
           COLLABORATOR_PERMISSION="not checked"
           COLLABORATOR_PERMISSION_API_ERROR=""
+          AUTHOR_ASSOCIATION="not checked"
+          AUTHOR_ASSOCIATION_API_ERROR=""
 
           if ! MATCHING_RESTRICTED_PATHS=$(
             gh api \
@@ -68,6 +70,7 @@ jobs:
               echo ""
               echo "- **Error**: Failed to inspect the PR file list."
               echo "- **Author**: $PR_AUTHOR"
+              echo "- **Author association**: $AUTHOR_ASSOCIATION"
               echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
               echo ""
               echo "Please update the PR at: $PR_URL"
@@ -88,6 +91,7 @@ jobs:
               echo ""
               echo "- **Error**: Failed to inspect the current PR labels."
               echo "- **Author**: $PR_AUTHOR"
+              echo "- **Author association**: $AUTHOR_ASSOCIATION"
               echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
               echo ""
               echo "Please update the PR at: $PR_URL"
@@ -114,6 +118,13 @@ jobs:
             echo '```'
           }
 
+          write_author_association_api_error() {
+            echo "- **Author association API error**:"
+            echo '```text'
+            printf '%s\n' "$AUTHOR_ASSOCIATION_API_ERROR"
+            echo '```'
+          }
+
           post_review_label_comment() {
             local comment_body
             printf -v comment_body '%s\n\n%s\n' \
@@ -135,46 +146,87 @@ jobs:
           COMMENT_ACTION="not needed"
 
           if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
-            # Distinguish a legitimate 404 "not a collaborator" response from
-            # actual API failures. The former is an expected untrusted case;
-            # the latter fails the workflow so it can be rerun later.
-            if COLLABORATOR_PERMISSION_RESPONSE=$(
-              gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" \
-                --jq '.permission' 2>&1
+            if AUTHOR_ASSOCIATION_RESPONSE=$(
+              gh api "repos/$REPO/pulls/$PR_NUMBER" \
+                --jq '.author_association // "NONE"' 2>&1
             ); then
-              COLLABORATOR_PERMISSION="$COLLABORATOR_PERMISSION_RESPONSE"
-            elif [[ "$COLLABORATOR_PERMISSION_RESPONSE" == *"(HTTP 404)"* ]]; then
-              COLLABORATOR_PERMISSION="none"
+              AUTHOR_ASSOCIATION="$AUTHOR_ASSOCIATION_RESPONSE"
             else
-              COLLABORATOR_PERMISSION="unknown"
-              COLLABORATOR_PERMISSION_API_ERROR="$COLLABORATOR_PERMISSION_RESPONSE"
-              echo "::error::Failed to inspect collaborator permission for $PR_AUTHOR."
+              AUTHOR_ASSOCIATION="unknown"
+              AUTHOR_ASSOCIATION_API_ERROR="$AUTHOR_ASSOCIATION_RESPONSE"
+              echo "::error::Failed to inspect live author association for PR #$PR_NUMBER."
               {
                 echo "## Restricted Paths Guard Failed"
                 echo ""
-                echo "- **Error**: Failed to inspect collaborator permission."
+                echo "- **Error**: Failed to inspect live author association."
                 echo "- **Author**: $PR_AUTHOR"
-                echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
+                echo "- **Author association**: $AUTHOR_ASSOCIATION"
                 echo ""
                 write_matching_restricted_paths
                 echo ""
-                write_collaborator_permission_api_error
+                write_author_association_api_error
                 echo ""
-                echo "Please retry this workflow. If the failure persists, inspect the collaborator permission API error above."
+                echo "Please retry this workflow. If the failure persists, inspect the author association API error above."
               } >> "$GITHUB_STEP_SUMMARY"
               exit 1
             fi
 
-            case "$COLLABORATOR_PERMISSION" in
-              admin|maintain|write|triage|read)
+            case "$AUTHOR_ASSOCIATION" in
+              MEMBER|OWNER)
                 HAS_TRUSTED_SIGNAL=true
-                LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
-                TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
+                LABEL_ACTION="not needed (live author association is a trusted signal)"
+                TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
                 ;;
               *)
-                # none: not a trusted signal
+                # COLLABORATOR can still be too broad for this policy; use the
+                # collaborator permission API below for repo-level trust.
                 ;;
             esac
+
+            # Distinguish a legitimate 404 "not a collaborator" response from
+            # actual API failures. The former is an expected untrusted case;
+            # the latter fails the workflow so it can be rerun later.
+            if [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
+              if COLLABORATOR_PERMISSION_RESPONSE=$(
+                gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" \
+                  --jq '.permission' 2>&1
+              ); then
+                COLLABORATOR_PERMISSION="$COLLABORATOR_PERMISSION_RESPONSE"
+              elif [[ "$COLLABORATOR_PERMISSION_RESPONSE" == *"(HTTP 404)"* ]]; then
+                COLLABORATOR_PERMISSION="none"
+              else
+                COLLABORATOR_PERMISSION="unknown"
+                COLLABORATOR_PERMISSION_API_ERROR="$COLLABORATOR_PERMISSION_RESPONSE"
+                echo "::error::Failed to inspect collaborator permission for $PR_AUTHOR."
+                {
+                  echo "## Restricted Paths Guard Failed"
+                  echo ""
+                  echo "- **Error**: Failed to inspect collaborator permission."
+                  echo "- **Author**: $PR_AUTHOR"
+                  echo "- **Author association**: $AUTHOR_ASSOCIATION"
+                  echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
+                  echo ""
+                  write_matching_restricted_paths
+                  echo ""
+                  write_collaborator_permission_api_error
+                  echo ""
+                  echo "Please retry this workflow. If the failure persists, inspect the collaborator permission API error above."
+                } >> "$GITHUB_STEP_SUMMARY"
+                exit 1
+              fi
+
+              case "$COLLABORATOR_PERMISSION" in
+                admin|maintain|write|triage)
+                  HAS_TRUSTED_SIGNAL=true
+                  LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
+                  TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
+                  ;;
+                *)
+                  # read or none: not a trusted signal. In a public repo, read
+                  # can be the effective permission for any GitHub user.
+                  ;;
+              esac
+            fi
           fi
 
           NEEDS_REVIEW_LABEL=false
@@ -197,6 +249,7 @@ jobs:
                 echo ""
                 echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label."
                 echo "- **Author**: $PR_AUTHOR"
+                echo "- **Author association**: $AUTHOR_ASSOCIATION"
                 echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
                 echo ""
                 write_matching_restricted_paths
@@ -216,6 +269,7 @@ jobs:
             echo "## Restricted Paths Guard Completed"
             echo ""
             echo "- **Author**: $PR_AUTHOR"
+            echo "- **Author association**: $AUTHOR_ASSOCIATION"
             echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
             echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS"
             echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
