only check fork on PR events

[haritamar]

null

Summary by CodeRabbit

• Chores
  • Updated CI workflow triggers to match all pull_request events (e.g., pull_request and pull_request_target) instead of a single event, ensuring the approval check runs more consistently across scenarios.
  • Maintains existing fork-detection logic and approval flag behavior; only the activation condition is broadened.
  • Improves reliability of contributor workflow by applying the same checks regardless of which pull request event initiates the run.

[linear]

ELE-5051 Only require approval on PRs from forks

[coderabbitai]

Walkthrough

Expanded the GitHub Actions workflow condition to trigger the approval check for all pull_request* events (e.g., pull_request, pull_request_target). The fork-detection logic and outputs remain unchanged. The step still writes requires_approval=true when the event matches and the PR originates from a fork; otherwise false.

Changes

Cohort / File(s)	Summary of changes
Workflow event condition update .github/workflows/test-warehouse.yml	Broadened event name check from strict equality to a regex-style match for any event starting with pull_request; retained fork detection and output assignment logic.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Event
  participant WF as Workflow: test-warehouse
  participant ST as Step: Approval Check

  GH->>WF: Trigger on event (pull_request*, push, etc.)
  WF->>ST: Run conditional step
  alt Event name starts with "pull_request"
    ST->>ST: Check if head.repo.full_name != repository (fork)
    alt From fork
      ST->>WF: Set requires_approval=true (GITHUB_OUTPUT)
    else Not from fork
      ST->>WF: Set requires_approval=false
    end
  else Other events
    ST->>WF: Set requires_approval=false
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• require approval only for fork PRs #2004 — Similar workflow edit computing requires_approval based on pull_request events and fork detection.

Suggested reviewers

• elazarlachkar

Poem

I twitch my ears at triggers bright,
pull_request stars the nightly flight.
From forks I pause and softly wait,
true or false decides my fate.
In YAML burrows, laws are clear—
approve the hop, or hold it here. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "only check fork on PR events" is concise and accurately summarizes the primary change: limiting the fork-detection logic to pull request events (e.g., pull_request and pull_request_target). It is specific and clear enough for a reviewer scanning PR history to understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ele-5051-only-require-approval-on-prs-from-forks-fix2

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 @haritamar
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/test-warehouse.yml (2)

87-91: Fork check now applies to all pull_request events; confirm scope and tighten/bash‑idioms.*

This regex will also match pull_request_review and pull_request_review_comment. If that’s intended, LGTM—otherwise narrow to only pull_request and pull_request_target. Also, prefer glob over regex here and quote $GITHUB_OUTPUT.

Option A (keep broad scope; simplify and harden):

-          if [[ "${{ github.event_name }}" =~ ^pull_request && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
-            echo "requires_approval=true" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          if [[ "${{ github.event_name }}" == pull_request* && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+            echo "requires_approval=true" >> "$GITHUB_OUTPUT"
             echo "requires_approval=false" >> $GITHUB_OUTPUT
-            echo "requires_approval=false" >> $GITHUB_OUTPUT
+            echo "requires_approval=false" >> "$GITHUB_OUTPUT"

Option B (restrict to only PR/PR_target):

-          if [[ "${{ github.event_name }}" =~ ^pull_request && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+          if [[ "${{ github.event_name }}" =~ ^pull_request(_target)?$ && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then

Please confirm which scope you want.

---

78-79: Update comment to reflect broadened condition.

Comment says “specifically with the pull_request_target event,” but the condition now handles all pull_request* events. Adjust for accuracy.

-  # PRs from forks require approval, specifically with the "pull_request_target" event as it contains repo secrets.
+  # PRs from forks require approval on pull_request* events; pull_request_target exposes repo secrets after environment approval.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 69c6cc9 and 9a798b8.

📒 Files selected for processing (1)

• .github/workflows/test-warehouse.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test / test
• GitHub Check: Cursor Bugbot