Use repo permission to skip contribution quality (#2956)

GitHub did not report trusted authors in a stable way on pull requests. Some Miden team members showed up as CONTRIBUTORS, so role checks could not tell team PRs from outside PRs. That pushed the workflow to skip too much.\n\nThis change uses the author's repo permission instead. The workflow now skips only authors with admin, maintain, or write access.

Author: huitseeker

.github/workflows/contribution-quality.yml

@@ -1,8 +1,8 @@
 name: Contribution Quality
 
-# Use pull_request_target to get write permissions for fork PRs.
-# IMPORTANT: This workflow runs in the context of the BASE branch, not the PR branch.
-# Do NOT checkout or run code from the PR itself, only inspect PR metadata via the API.
+# Use pull_request_target so the workflow can safely comment/label on PRs.
+# IMPORTANT: This runs in the context of the BASE branch, not the PR branch.
+# Do NOT checkout or run code from the PR itself; only inspect PR metadata via the API.
 on:
   pull_request_target:
     types: [opened, reopened, edited, synchronize, ready_for_review]
@@ -28,8 +28,7 @@ jobs:
   gate:
     if: >
       github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request' &&
-       github.event.pull_request.head.repo.fork == true)
+      github.event_name == 'pull_request_target'
     runs-on: ubuntu-latest
     env:
       DISPATCH_PR_NUMBER: ${{ inputs.pr_number }}
@@ -64,24 +63,46 @@ jobs:
               repo: context.repo.repo,
               pull_number: prNumber
             });
-            core.setOutput('author_association', pr.author_association || 'NONE');
+            core.setOutput('author_login', pr.user?.login || '');
             core.setOutput('draft', pr.draft ? 'true' : 'false');
             core.setOutput('body', (pr.body || '').replace(/\r/g,''));
             core.setOutput('number', String(pr.number));
 
-      - name: Skip trusted or drafts (unless forced)
+      - name: Resolve author permission
+        id: perm
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const login = "${{ steps.pr.outputs.author_login }}".toLowerCase();
+            let permission = 'none';
+            try {
+              const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: login,
+              });
+              permission = (data.permission || 'none').toLowerCase();
+            } catch (error) {
+              if (error.status !== 404) {
+                core.warning(`Failed to resolve collaborator permission for ${login}: ${error.message}`);
+              }
+            }
+
+            const skip = ['admin', 'maintain', 'write'].includes(permission);
+            core.info(`author=${login} permission=${permission} skip=${skip}`);
+            core.setOutput('permission', permission);
+            core.setOutput('skip', skip ? 'true' : 'false');
+
+      - name: Skip trusted authors or drafts (unless forced)
         id: gate
         run: |
-          assoc="${{ steps.pr.outputs.author_association }}"
           draft="${{ steps.pr.outputs.draft }}"
           force="${{ steps.ctx.outputs.force_all }}"
+          skip_by_permission="${{ steps.perm.outputs.skip }}"
           if [ "$force" = "true" ]; then
             echo "skip=false" >> "$GITHUB_OUTPUT"
           else
-            case "$assoc" in
-              OWNER|COLLABORATOR|MEMBER) echo "skip=true"  >> "$GITHUB_OUTPUT" ;;
-              *)                         echo "skip=false" >> "$GITHUB_OUTPUT" ;;
-            esac
+            [ "$skip_by_permission" = "true" ] && echo "skip=true" >> "$GITHUB_OUTPUT" || echo "skip=false" >> "$GITHUB_OUTPUT"
             [ "$draft" = "true" ] && echo "skip=true" >> "$GITHUB_OUTPUT" || true
           fi