require approval only for fork PRs

[haritamar]

null

Summary by CodeRabbit

• Chores
  • CI updated to detect forked pull requests and conditionally require approval before using the protected test environment.
  • Test job now adapts environment selection automatically based on PR origin; tests run as before for internal contributors.
  • Enhances security for external contributions without changing product functionality or user-facing behavior.

[linear]

ELE-5051 Only require approval on PRs from forks

[coderabbitai]

Walkthrough

Adds a new job check-if-requires-approval that computes requires_approval when handling PRs from forks, and makes the existing test job depend on that job and conditionally set its environment to elementary_test_env when requires_approval is true. Other test steps unchanged.

Changes

Cohort / File(s)	Change Summary
Workflow: test-warehouse .github/workflows/test-warehouse.yml	Added check-if-requires-approval job that evaluates event and repo ownership and emits requires_approval via GITHUB_OUTPUT; updated test job to needs: [check-if-requires-approval] and to set environment conditionally using needs.check-if-requires-approval.outputs.requires_approval; retained existing test steps otherwise.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor GitHub as "GitHub Event"
    participant Checker as "check-if-requires-approval (job)"
    participant Test as "test (job)"

    GitHub->>Checker: Trigger (pull_request_target / workflow event)
    Checker->>Checker: Compare head repo vs base repo
    Note right of Checker #DDEBF7: sets outputs.requires_approval = "true" if head repo != base repo
    Checker-->>GitHub: outputs.requires_approval

    GitHub->>Test: Start (needs: check-if-requires-approval)
    Test->>Test: Read needs.check-if-requires-approval.outputs.requires_approval
    alt requires_approval == 'true'
        Note right of Test #E8F6E8: environment = elementary_test_env
    else requires_approval != 'true'
        Note right of Test #F9F0F0: no environment set
    end
    Test-->GitHub: Run remaining test steps (unchanged)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The description is simply “null” with a ticket metadata comment and does not explain or relate to any of the workflow changes introduced in this pull request.	Please add a descriptive summary in the pull request description that outlines the addition of the conditional approval check for forked pull requests and the corresponding workflow job and environment update.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “require approval only for fork PRs” succinctly captures the primary change of the workflow—applying the approval requirement conditionally on pull requests from forked repositories—and does so in a clear, concise manner without extraneous detail.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Poem

I twitch my whiskers, check the streams,
A forked path glows in PR dreams.
If distant code hops in to play,
I set the env, then run my way.
A rabbit nods: "Safe tests today."

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2c6d41d and b0f7358.

📒 Files selected for processing (1)

• .github/workflows/test-warehouse.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test-warehouse.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: code-quality

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ele-5051-only-require-approval-on-prs-from-forks

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 44f8f8a and 2c6d41d.

📒 Files selected for processing (1)

• .github/workflows/test-warehouse.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: code-quality

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Fork detection will always be false when invoked via workflow_call (security risk).

In reusable workflows, github.event_name is workflow_call, so your pull_request_target check never matches and requires_approval stays false even for fork PRs. That bypasses the protected environment and exposes secrets to forked code. Fix by accepting a boolean input from the caller (e.g., is-fork) and/or gating on the presence of a PR payload.

Apply one of these diffs (preferred: combine both for robustness):

Option A — rely on caller-provided flag:

@@
   workflow_call:
     inputs:
@@
       generate-data:
         type: boolean
         required: false
         default: false
+      is-fork:
+        type: boolean
+        required: false
+        default: false
@@
   detect-fork:
@@
       - name: Set fork output
         id: set-output
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
-            echo "requires_approval=true" >> $GITHUB_OUTPUT
-          else
-            echo "requires_approval=false" >> $GITHUB_OUTPUT
-          fi
+          if [[ "${{ inputs.is-fork }}" == "true" ]]; then
+            echo "requires_approval=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "requires_approval=false" >> "$GITHUB_OUTPUT"
+          fi

Option B — autodetect when PR payload exists (works when this workflow is triggered directly by PR events):

@@
       - name: Set fork output
         id: set-output
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+          if [[ -n "${{ github.event.pull_request.head.repo.full_name }}" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
             echo "requires_approval=true" >> $GITHUB_OUTPUT
           else
             echo "requires_approval=false" >> $GITHUB_OUTPUT
           fi

Option C — combined (use input when provided, else fallback to autodetect):

@@
       - name: Set fork output
         id: set-output
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+          if [[ "${{ inputs.is-fork }}" == "true" ]] || [[ -n "${{ github.event.pull_request.head.repo.full_name }}" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
             echo "requires_approval=true" >> $GITHUB_OUTPUT
           else
             echo "requires_approval=false" >> $GITHUB_OUTPUT
           fi

If you choose Option A/C, ensure the caller sets:

with:
  is-fork: ${{ github.event.pull_request.head.repo.full_name != github.repository }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	detect-fork:
	runs-on: ubuntu-latest
	outputs:
	requires_approval: ${{ steps.set-output.outputs.requires_approval }}
	steps:
	- name: Set fork output
	id: set-output
	run: |
	if [[ "${{ github.event_name }}" == "pull_request_target" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
	echo "requires_approval=true" >> $GITHUB_OUTPUT
	else
	echo "requires_approval=false" >> $GITHUB_OUTPUT
	fi
	detect-fork:
	runs-on: ubuntu-latest
	outputs:
	requires_approval: ${{ steps.set-output.outputs.requires_approval }}
	steps:
	- name: Set fork output
	id: set-output
	run: |
	if [[ "${{ inputs.is-fork }}" == "true" ]] || [[ -n "${{ github.event.pull_request.head.repo.full_name }}" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
	echo "requires_approval=true" >> $GITHUB_OUTPUT
	else
	echo "requires_approval=false" >> $GITHUB_OUTPUT
	fi

🤖 Prompt for AI Agents

In .github/workflows/test-warehouse.yml around lines 78–91, the current
fork-detection logic relies solely on github.event_name == "pull_request_target"
which always fails for reusable workflows (workflow_call) and leaves
requires_approval=false; change the step to accept a boolean input (e.g.,
is-fork) from the caller and/or fallback to autodetection: add an optional
workflow input named is-fork, set requires_approval=true when is-fork == "true";
if is-fork is not provided, detect a PR payload by checking for
github.event.pull_request and compare
github.event.pull_request.head.repo.full_name != github.repository to decide
requires_approval; ensure callers set is-fork when invoking workflow_call (with:
is-fork: ${{ github.event.pull_request.head.repo.full_name != github.repository
}}).

[coderabbitai]

🛠️ Refactor suggestion

environment: '' is invalid; job may fail or create an empty-named environment.

GitHub requires a non-empty environment name. Using '' risks a config error. Provide a safe fallback (an unprotected environment) or split into two jobs.

Minimal change (use an unprotected “ci” environment as the default):

-    environment: ${{ (needs.detect-fork.outputs.requires_approval == 'true' && 'elementary_test_env') || '' }}
+    environment: ${{ (needs.detect-fork.outputs.requires_approval == 'true' && 'elementary_test_env') || 'ci' }}

Make sure the “ci” environment exists (no required reviewers), or let GitHub auto-create it without protections.

Alternative (no fallback env, zero risk of accidental approvals): duplicate the job as test-protected (with environment: elementary_test_env and if: needs.detect-fork.outputs.requires_approval == 'true') and test-unprotected (no environment and if: ... != 'true'). I can draft that if you prefer.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	needs: [detect-fork]
	# PRs from forks require approval - so we use an environment that requires an approver from the team.
	environment: ${{ (needs.detect-fork.outputs.requires_approval == 'true' && 'elementary_test_env') || '' }}
	needs: [detect-fork]
	# PRs from forks require approval - so we use an environment that requires an approver from the team.
	environment: ${{ (needs.detect-fork.outputs.requires_approval == 'true' && 'elementary_test_env') || 'ci' }}

🤖 Prompt for AI Agents

.github/workflows/test-warehouse.yml lines 94-96: the conditional currently can
yield an empty string for environment which GitHub rejects; change the fallback
to a valid unprotected environment name (e.g., replace the empty string with
'ci' so the line reads use 'ci' as the default), and ensure a non-protected "ci"
environment exists (or is acceptable to be auto-created); alternatively, if you
prefer no fallback, split the job into two: one job for protected runs with
environment: elementary_test_env gated by
needs.detect-fork.outputs.requires_approval == 'true' and a second job without
any environment gated by the inverse condition.