Accept reviewed external contributors via base-branch allowlist#343
Conversation
External contributions were mechanically blocked: verify-authors only accepts @nvidia.com or github-noreply emails, so a reviewed and approved external PR could not pass CI without the contributor rewriting their commits to a noreply address, which hides the real provenance instead of recording it. This adds .github/external-contributors.yml. After a maintainer runs the contribution review, they record the contributor's email scoped to specific PR numbers. verify-authors reads the allowlist from the BASE branch only, so a PR cannot allowlist itself, and accepts listed emails for their listed PRs. Seeds the list with the reviewed one-line docs fix in PR #76. Signed-off-by: Moshe Abramovitch <moshea@nvidia.com>
|
This is great, happy to see we are accepting external contribs now @mosheabr One question, not a blocker: are we ok adding a YAML entry for every external contributor going forward? For how rarely we get them today it's totally fine. I'm just thinking about the toil if it picks up — each one needs a new entry, a merge, and a re-trigger on the PR. Might be worth a note that this is a strict v1, and down the line a maintainer-applied external-approved label could do the same thing with less overhead. Curious what you think, happy to keep it as-is if you expect these to stay infrequent. A few things before this goes in: Does DCO still block #76? This teaches the authors check about external contributors, but if the sign-off check is separate, #76 might still be red until the commit has a Signed-off-by. Worth double-checking so we know this actually unblocks it. |
…e tip Per review feedback on #343: - Preflight the YAML parser and make an unparsable allowlist fail the job with a visible error, instead of silently granting nothing. - Read the allowlist from the tip of the base branch rather than the event's base SHA, so a re-run picks up entries merged after the PR was opened. Same security property: still base-branch content only. - Note in the allowlist header that per-entry flow is a deliberate v1. Signed-off-by: Moshe Abramovitch <moshea@nvidia.com>
|
Thanks Sayali, all three were good catches. On DCO and 76, I verified the commit already carries a Signed-off-by trailer, and the DCO check validates the trailer not the email domain. So only the authors check was blocking, and this PR fully unblocks it. On PyYAML, you were right that the fallback swallowed it. Pushed a fix that preflights the parser and makes an unparsable allowlist fail the job loudly with a visible error, so it can't silently reject reviewed externals. On re-runs, fixed properly rather than documented. The check now reads the allowlist from the tip of the base branch instead of the event's base SHA, so a plain re-run picks up entries merged after the PR was opened. A PR still can't allowlist itself. On the toil question, at current volume per-entry is fine and the friction doubles as the review record. I added a note in the file that this is a deliberate v1 and your maintainer-label idea is the likely v2 if volume grows. |
sayalinvidia
left a comment
There was a problem hiding this comment.
Thanks for addressing the issues @mosheabr
LGTM!! Approving!
Onboarding type
components.d/<slug>.ymlfile)What
Adds
.github/external-contributors.ymland teaches the verify-authors check to consult it.External contributions were mechanically blocked: verify-authors only accepts
@nvidia.comor github-noreply emails, so even a reviewed and approved external PR could not pass CI unless the contributor rewrote their commits to a noreply address — which hides real provenance instead of recording it.New flow: after a maintainer runs the contribution review, they record the contributor's email in the allowlist, scoped to specific PR numbers, with reviewer and date. The authors check then accepts that email for those PRs only.
Security properties
git show $BASE_SHA:...), never from the PR head.prsis required; an email is accepted only for its listed PR numbers.Tested locally
bash -n.Seed entry
wenyuchiou12@gmail.comscoped to PR #76 (one-line CONTRIBUTING.md anchor fix), reviewed 2026-07-13. Merging this unblocks #76 without the contributor rewriting history.Also replaces the failure-message wording with the maintainer-review flow.