infra[notask]: add qvac-ci pending-approval workflow and CODEOWNERS #14
Open
sidj-thr wants to merge 4 commits into
Proletter
previously approved these changes
Jun 16, 2026
Remove the `labeled` trigger type from pull_request_target and the associated `verified` label guard from the if condition. The check now fires on opened and synchronize only, without requiring a label.
Proletter
approved these changes
Jun 17, 2026
GSServita
approved these changes
Jun 17, 2026
🎯 What problem does this PR solve?
`PAT_TOKEN`. GitHub does not expose repository secrets to `pull_request_review` workflows from forks, making the solution operationally risky and hard to validate safely before merge (QIP: tier-1-approval-change).
Check Approvals workflow (QIP step 3) and a correctly scoped `CODEOWNERS` file (QIP step 1).

📝 How does it solve it?

- `.github/CODEOWNERS` with management and team-lead teams only, per QIP step 1 — removes team-member groups so native code-owner approval requirements are enforced correctly.
- `.github/workflows/check-pending-approval.yml`: the Check Approvals workflow using `@qvac/ci@0.1.0 pending-approvals`, triggered on `issue_comment` (pending_reviews) and `pull_request_target` (opened, labeled/verified, synchronize). Uses `pull_request_target` so repo secrets are accessible from fork-originated PRs. Implements QIP step 3.
- `--min-approvals` is set to `2` to match this repo's branch ruleset (see ruleset note below).

🧪 How was it tested?

Validated on tetherto/qvac-internal against a 3-case matrix before rollout:

- qvac-internal-merge approved → workflow passed, PR mergeable. ✅
- qvac-internal-merge + 1 qvac-internal-dev approved → workflow passed, PR mergeable (code-owner approval satisfied). ✅
- qvac-internal-dev members approved → workflow reported pending, PR blocked by CODEOWNERS ruleset (no code-owner approval). ✅ (expected failure)

🛡️ Permissions changes

- `contents: read`, `pull-requests: write`, `issues: write`
- `pull-requests: write` and `issues: write` are required for `@qvac/ci` to post approval-count comments on PRs.
- `pull_request_target` runs in the base repo context, granting access to repo secrets from fork-originated PRs.
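The workflow described above, written out as an added illustrative example rather than the file from this PR: the trigger set and the permissions block follow the PR description and the review comment that dropped the `labeled` trigger, while the `@qvac/ci` command line, the `if` expression, the step name and the token wiring are assumptions.

```yaml
# Illustrative example, not the PR's own .github/workflows/check-pending-approval.yml.
# Trigger types and permissions follow the PR description; everything marked
# "assumption" is not taken from the page.
name: Check Approvals

on:
  issue_comment:
    types: [created]               # assumption: "pending_reviews" is matched in the job's if below
  pull_request_target:
    types: [opened, synchronize]   # `labeled` / `verified` guard dropped per the review on this PR

# Least privilege: only what @qvac/ci needs to read the PR and post a comment.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  pending-approvals:
    # For issue_comment events, only run on comments made on a PR that invoke
    # the check (assumption: the trigger phrase is "pending_reviews").
    if: >-
      github.event_name == 'pull_request_target' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, 'pending_reviews'))
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head: pull_request_target runs
      # in the base repo context with secrets available, so this job must only
      # query the API and must never build or execute code from the fork.
      - name: Count approvals against CODEOWNERS and the ruleset
        env:
          # assumption: the PR mentions PAT_TOKEN; with the permissions above,
          # secrets.GITHUB_TOKEN may be sufficient for posting comments.
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
          # PR number comes from different event payloads for the two triggers.
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
        # assumption: CLI shape; --min-approvals 2 matches the branch ruleset per the PR.
        run: npx @qvac/ci@0.1.0 pending-approvals --min-approvals 2
```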