Merge branch 'main' into fix/complete-script-injection-hardening

Author: vaind

CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## Unreleased
+
+### Features
+
+- Validate PR - Action is advisory: it posts a single friendly comment on community PRs that don't reference an issue with maintainer discussion. PRs are not closed and no labels are applied. Recommended trigger is `types: [opened]`.
+- Validate PR - Skip validation for PRs with fewer than 100 lines changed, excluding common lock files (`Cargo.lock`, `yarn.lock`, `package-lock.json`, `Pipfile.lock`, etc.). Tiny PRs no longer go through the issue-discussion loop.
+- Add validate-pr composite action for validating non-maintainer PRs against contribution guidelines ([#153](https://github.com/getsentry/github-workflows/pull/153))
+
+### Fixes
+
+- Updater - Trigger CI for new PRs without changelog updates ([#166](https://github.com/getsentry/github-workflows/pull/166))
+- Updater - Select the first branch when multiple branches point at `HEAD` ([#165](https://github.com/getsentry/github-workflows/pull/165))
+
+### Dependencies
+
+- Bump Danger JS from v13.0.4 to v13.0.5 ([#160](https://github.com/getsentry/github-workflows/pull/160))
+  - [changelog](https://github.com/danger/danger-js/blob/main/CHANGELOG.md#1305)
+  - [diff](https://github.com/danger/danger-js/compare/13.0.4...13.0.5)
+
 ## 3.3.0
 
 ### Features

README.md

@@ -16,6 +16,12 @@ Runs DangerJS on Pull Requests with a pre-configured set of rules.
 
 **[📖 View full documentation →](danger/README.md)**
 
+### Validate PR
+
+Validates non-maintainer PRs against contribution guidelines and enforces draft status.
+
+**[📖 View full documentation →](validate-pr/README.md)**
+
 ## Legacy Reusable Workflows (v2)
 
 > ⚠️ **Deprecated**: Reusable workflows have been converted to composite actions in v3. Please migrate to the composite actions above.

danger/danger.properties

@@ -1,2 +1,2 @@
-version=13.0.4
+version=13.0.5
 repo=https://github.com/danger/danger-js

updater/action.yml

@@ -479,3 +479,32 @@ runs:
           Auto-generated by a [dependency updater](https://github.com/getsentry/github-workflows/blob/main/updater/action.yml).
           ${{ env.TARGET_CHANGELOG }}
         labels: dependencies
+
+    - name: Trigger PR workflows
+      if: ${{ (inputs.changelog-entry != 'true') && ( steps.create-pr.outputs.pull-request-operation == 'created' ) && ( steps.update.outputs.pull-request-head-sha == '' || steps.update.outputs.pull-request-head-sha == steps.create-pr.outputs.pull-request-head-sha ) }}
+      shell: bash
+      working-directory: caller-repo
+      env:
+        PR_BRANCH: ${{ steps.root.outputs.prBranch }}
+        PR_HEAD_SHA: ${{ steps.create-pr.outputs.pull-request-head-sha }}
+        API_TOKEN: ${{ inputs.api-token }}
+        SSH_KEY: ${{ inputs.ssh-key }}
+      run: |
+        git fetch origin "$PR_BRANCH"
+        git checkout --force -B "$PR_BRANCH" "origin/$PR_BRANCH"
+
+        current_head=$(git rev-parse HEAD)
+        if [ "$current_head" != "$PR_HEAD_SHA" ]; then
+          echo "::notice::PR branch changed from $PR_HEAD_SHA to $current_head; skipping synthetic CI trigger."
+          exit 0
+        fi
+
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+        git commit --amend --no-edit
+
+        if [ -n "$API_TOKEN" ] && [ -z "$SSH_KEY" ]; then
+          git remote set-url origin "https://x-access-token:${API_TOKEN}@github.com/${{ github.repository }}.git"
+        fi
+
+        git push --force-with-lease="refs/heads/$PR_BRANCH:$PR_HEAD_SHA" origin "HEAD:refs/heads/$PR_BRANCH"

updater/scripts/update-dependency.ps1

@@ -162,7 +162,7 @@ if ("$Tag" -eq '') {
         if ("$headRef" -eq '') {
             throw "Couldn't determine repository head (no ref returned by ls-remote HEAD"
         }
-        $mainBranch = (git ls-remote --heads $url | Where-Object { $_.StartsWith($headRef) }) -replace '.*\srefs/heads/', ''
+        $mainBranch = (git ls-remote --heads $url | Where-Object { $_.StartsWith($headRef) } | Select-Object -First 1) -replace '.*\srefs/heads/', ''
     }
 
     $url = $url -replace '\.git$', ''

updater/tests/update-dependency.Tests.ps1

@@ -220,7 +220,9 @@ switch ($action)
                 $output | Should -Contain 'latestTag=0.28.0'
                 $output | Should -Contain 'latestTagNice=v0.28.0'
                 $output | Should -Contain 'url=https://github.com/getsentry/sentry-cli'
-                $output | Should -Contain 'mainBranch=master'
+                # sentry-cli has both `main` and `master`; which one is reported depends on
+                # which currently points at HEAD upstream, so accept either.
+                ($output | Where-Object { $_ -like 'mainBranch=*' }) | Should -BeIn @('mainBranch=main', 'mainBranch=master')
             }
         }
 

validate-pr/README.md

@@ -0,0 +1,96 @@
+# Validate PR
+
+Advisory validation for non-maintainer pull requests against contribution guidelines. Posts a single friendly comment when a PR doesn't reference an issue with prior maintainer discussion. **PRs are never closed, and no labels are applied.**
+
+## What it does
+
+For PRs from non-maintainer authors, the action checks that the PR body references a GitHub issue where the PR author and a maintainer have discussed the approach. When that's not the case, the action posts one short advisory comment inviting the contributor to start with an issue. Maintainers (`admin` or `maintain` role) and a hard-coded list of trusted bots are exempt.
+
+Small PRs (< 100 lines changed, excluding lock files) are skipped entirely — typo fixes and tiny bug fixes don't need to go through the issue-discussion loop.
+
+## Usage
+
+Create `.github/workflows/validate-pr.yml` in your repository:
+
+```yaml
+name: Validate PR
+
+on:
+  pull_request_target:
+    types: [opened]
+
+jobs:
+  validate-pr:
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: getsentry/github-workflows/validate-pr@<sha>
+        with:
+          app-id: ${{ vars.SDK_MAINTAINER_BOT_APP_ID }}
+          private-key: ${{ secrets.SDK_MAINTAINER_BOT_PRIVATE_KEY }}
+```
+
+Pin to a specific commit SHA (consumers in `getsentry/*` already follow this convention). The `pull-requests: write` permission is needed because the action posts comments on the PR.
+
+## Inputs
+
+| Input | Required | Description |
+|-------|----------|-------------|
+| `app-id` | Yes | GitHub App ID for the SDK Maintainer Bot |
+| `private-key` | Yes | GitHub App private key for the SDK Maintainer Bot |
+
+## Validation rules
+
+### Skipped entirely
+
+- PR author is in the trusted-bot allowlist (Dependabot, Renovate, Codecov AI, etc.)
+- PR author has `admin`, `maintain`, `push`, or `write` access on the repo
+- PR has fewer than 100 lines changed (`additions + deletions`), excluding common lock files
+
+### Lock files excluded from line counts
+
+Matched by basename, case-insensitive:
+
+| Ecosystem | File |
+|-----------|------|
+| Rust | `Cargo.lock` |
+| JS | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
+| Python | `Pipfile.lock`, `poetry.lock`, `uv.lock` |
+| Ruby | `Gemfile.lock` |
+| PHP | `composer.lock` |
+| Go | `go.sum` (`go.mod` is hand-edited and stays counted) |
+| Elixir | `mix.lock` |
+| Dart/Flutter | `pubspec.lock` |
+| .NET/NuGet | `packages.lock.json` |
+| CocoaPods | `Podfile.lock` |
+| Nix | `flake.lock` |
+
+### Issue reference check
+
+For PRs that reach validation, the action scans the PR body for issue references in these formats:
+
+- `#123` (same-repo)
+- `getsentry/repo#123` (cross-repo)
+- `https://github.com/getsentry/repo/issues/123` (full URL)
+- With optional keywords: `Fixes #123`, `Closes getsentry/repo#123`, etc.
+
+The PR is considered compliant if **any** referenced issue passes all of:
+
+- The issue is fetchable and in a `getsentry` repository
+- If the issue has assignees, the PR author is one of them
+- Both the PR author and a maintainer have participated in the issue discussion
+
+If no referenced issue passes, the action posts one advisory comment. The PR remains open and reviewable; no labels or status checks are applied. The comment is idempotent — workflow re-runs on the same PR will not produce duplicates.
+
+## Updating from earlier revisions
+
+Earlier revisions of this action closed non-compliant PRs and applied labels (`violating-contribution-guidelines`, `missing-issue-reference`, `missing-maintainer-discussion`, `issue-already-assigned`). The current version does neither — it only posts a comment.
+
+To update an existing consumer:
+
+- Bump the pinned commit SHA to the latest on `main`.
+- Change `types: [opened, reopened]` → `types: [opened]`.
+- Remove any code that reads the `was-closed` output (it no longer exists).
+
+Existing labels on old PRs are not removed automatically. Clean them up with a one-off script if desired.

validate-pr/action.yml

@@ -0,0 +1,32 @@
+name: 'Validate PR'
+description: 'Validates non-maintainer PRs against contribution guidelines'
+author: 'Sentry'
+
+inputs:
+  app-id:
+    description: 'GitHub App ID for the SDK Maintainer Bot'
+    required: true
+  private-key:
+    description: 'GitHub App private key for the SDK Maintainer Bot'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Generate GitHub App token
+      id: app-token
+      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+      with:
+        app-id: ${{ inputs.app-id }}
+        private-key: ${{ inputs.private-key }}
+
+    - name: Validate PR
+      id: validate
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      env:
+        APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
+      with:
+        github-token: ${{ steps.app-token.outputs.token }}
+        script: |
+          const script = require('${{ github.action_path }}/scripts/validate-pr.js');
+          await script({ github, context, core });