Skip to content

ci: add verifiable contributor trust gate#91

Open
Neroxsh wants to merge 2 commits into
Open-Source-Bazaar:mainfrom
Neroxsh:feat/contributor-trust-gate
Open

ci: add verifiable contributor trust gate#91
Neroxsh wants to merge 2 commits into
Open-Source-Bazaar:mainfrom
Neroxsh:feat/contributor-trust-gate

Conversation

@Neroxsh

@Neroxsh Neroxsh commented Jul 13, 2026

Copy link
Copy Markdown

PR-91 PR-91 PR-91 Powered by Pull Request Badge

变更说明

引入基于可验证贡献信息的 PR 门禁,减少低质量 Agent/Bot 投稿,同时保留维护者判断空间:

  • PR 模板要求说明改动、关联任务、实际验证结果、责任声明和 AI 使用情况;
  • 奖励任务表单新增必填的前置 Discussion;奖励 PR 只有在 Issue 已指派给提交者或带有 implementation-approved 标签时才能通过;
  • 对外部贡献检查六项可验证信息,缺失时给出可操作的幂等评论并让检查失败;
  • 自动维护 contributor-check:passedneeds-contributor-infoneeds-maintainer-review 标签;
  • 机器人账号、超过 50 个文件或新增 1500 行以上的改动进入人工复核,不自动关闭;
  • pull_request_target 只检出受信任的 base SHA,不读取或执行外部 PR 代码;Action 均固定到完整提交 SHA;
  • 规则为纯函数并覆盖完整、缺失、维护者、草稿、大改动及奖励授权等八项测试。

GitHub 本身不能阻止用户创建 Issue 或 PR,因此门禁在合并前强制校验授权和证据,避免未讨论的奖励任务实现被合入。

关联任务

Closes #89

验证方式

  • node --test .github/scripts/contributor-trust/rules.test.mjs:8 项测试全部通过。
  • node --check .github/scripts/contributor-trust/run.mjs:通过。
  • git diff --check:通过。
  • 使用 Prettier 3.9.5 按仓库的单引号、尾逗号和 100 字符宽度格式化新增脚本。
  • pnpm install --frozen-lockfile 在执行项目测试前因现有 package.json 与锁文件的 patchedDependencies 配置不一致而停止;本 PR 未修改该配置或产品代码。

贡献声明

  • 我已阅读并理解本次改动,能够回答维护者的问题
  • 我已实际运行上方验证步骤,并如实记录结果

AI 使用情况:使用 Codex 辅助实现;已人工核对工作流权限、外部 PR 安全边界、标签/评论幂等逻辑,并运行上述测试。

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (6)
  • .github/ISSUE_TEMPLATE/reward-task.yml is excluded by none and included by none
  • .github/PULL_REQUEST_TEMPLATE.md is excluded by !**/*.md and included by none
  • .github/scripts/contributor-trust/rules.mjs is excluded by none and included by none
  • .github/scripts/contributor-trust/rules.test.mjs is excluded by none and included by none
  • .github/scripts/contributor-trust/run.mjs is excluded by none and included by none
  • .github/workflows/contributor-trust.yml is excluded by none and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: aec067c4-7bda-4cdb-b98c-713d02ae237d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Neroxsh Neroxsh mentioned this pull request Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Reward] Bot Killer

1 participant