Conversation

Copilot AI commented Jan 27, 2026

External contributors using gh pr create --body or similar tools bypass PR templates, potentially missing required legal notices in FSL-licensed repositories.

Implementation

  • Organization membership detection: Uses GitHub API to identify external contributors; skips validation for org members
  • Automatic template discovery: Searches standard PR template paths (.github/PULL_REQUEST_TEMPLATE.md, etc.)
  • Opt-in validation: Only enforces if template contains a "Legal Boilerplate" section header (regex: /^#{1,6}\s+Legal\s+Boilerplate/im)
  • Validation logic: Checks PR description for legal boilerplate header; fails with helpful guidance if missing
  • Security: Extracted template content wrapped in markdown code blocks to prevent injection

Behavior

The check runs in checkLegalBoilerplate() as part of the Danger workflow:

async function checkLegalBoilerplate() {
  // Check org membership via GitHub API
  // Locate PR template and check for Legal Boilerplate section
  // Validate PR description contains the section
  // Fail with extracted boilerplate content if missing
}

Zero overhead for org members and repos without legal boilerplate sections in their templates.

Testing

Added comprehensive test suite with 15 test cases for the extractLegalBoilerplateSection function:

  • Different markdown header levels (# through ######)
  • Case-insensitive matching
  • Multi-paragraph content with blank lines
  • Special characters, unicode, and emoji
  • Code blocks and lists within legal sections
  • Edge cases (empty templates, section at end of file, etc.)

The extractLegalBoilerplateSection function is exported from dangerfile-utils.js for testability, following the existing pattern in the codebase.

All existing tests pass (20/20), and all new tests pass (15/15).

Original prompt

This section details the original issue you should resolve

<issue_title>Optionally verify presence of required legal notices in PR descriptions</issue_title>
<issue_description>

Background

Many of our FSL-licensed repositories, like the Sentry CLI repo, have a legal notice like the following in the PR description template:

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

We need external contributors to include this notice in any PRs they open — Sentry employees and contractors don't need to include the notice, since their work is automatically Sentry's intellectual property based on employment/work contracts.

However, as opening PRs from agentic coding workflows become more common, some external contributors may never see the PR template, for example, if they open the PR with gh pr create --body.

The idea

Let's introduce a validation in this repository that we can use to verify that the legal boilerplate is intact in the PR description for any PRs from external contributors (i.e. people unaffiliated with the getsentry GitHub organization). The validation should be opt-in, for repositories where this notice is typically present. Or, alternatively, we could automatically check whether the PR template for the repo contains a "Legal Boilerplate" section, and if it does, we would require it to be present in the PR description.

If the boilerplate is missing, the action should fail, and a PR comment should be posted to direct the external contributor to add the boilerplate so we can accept their change.</issue_description>

Comments on the Issue (you are @copilot in this section)

@vaind > we could automatically check whether the PR template for the repo contains a "Legal Boilerplate" section, and if it does, we would require it to be present in the PR description.

I think this would be the most straightforward as well as easy-to-setup (i.e. none really) course of action. We should look for such legal boilerplate sections in the PR templates of all public getsentry/* repos and make sure the section header is recognized by the danger workflow rule.


Copilot AI and others added 2 commits January 27, 2026 13:50
Co-authored-by: vaind <6349682+vaind@users.noreply.github.com>
Co-authored-by: vaind <6349682+vaind@users.noreply.github.com>
Copilot AI changed the title [WIP] Optionally verify presence of required legal notices in PR descriptions Add legal boilerplate validation for external contributors Jan 27, 2026
Copilot AI requested a review from vaind January 27, 2026 13:55

vaind commented Jan 27, 2026

@copilot as usual, this needs tests...

Co-authored-by: vaind <6349682+vaind@users.noreply.github.com>

Copilot AI commented Jan 27, 2026

> @copilot as usual, this needs tests...

Added comprehensive tests in commit 24ffc9f. The extractLegalBoilerplateSection function is now exported from dangerfile-utils.js and tested with 15 test cases covering:

  • Different markdown header levels (# through ######)
  • Case-insensitive matching
  • Multi-paragraph content
  • Special characters, unicode, and emoji
  • Code blocks and lists
  • Edge cases (empty templates, blank lines, etc.)

All 15 new tests pass, and existing tests remain unaffected.
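As an added example (not the project's dangerfile-utils.js and not code from this PR), here is a stand-alone JavaScript sketch of the check described in the PR description's Implementation section and exercised by the test categories listed above: the section extractor keyed on the page's `^#{1,6}\s+Legal\s+Boilerplate` pattern, the org-member and opt-in gating, and the code-fence wrapping of the quoted template text. The function names follow the PR text; the sample template, the PR bodies, the `fenceMarkdown` helper and the `isOrgMember` input are assumptions made for the example.

```javascript
// Added example: a stand-alone re-implementation of the check described in the PR.
// It is NOT the project's dangerfile-utils.js; function names mirror the PR text,
// everything else (sample template, PR bodies, fenceMarkdown, isOrgMember) is assumed.

// Same pattern the PR description gives, with the heading hashes captured so the
// end of the section can be found by heading level.
const LEGAL_HEADER_RE = /^(#{1,6})\s+Legal\s+Boilerplate/im;

// Returns the text of the "Legal Boilerplate" section of a PR template, or null
// when the template has no such section (the check is then a no-op for that repo).
// The section runs to the next heading of the same or a higher level, or to end of
// file; headings inside fenced code blocks do not end it.
function extractLegalBoilerplateSection(template) {
  const match = LEGAL_HEADER_RE.exec(template);
  if (!match) return null;
  const level = match[1].length;
  // Everything after the heading text; the first element is the rest of the heading line.
  const lines = template.slice(match.index + match[0].length).split(/\r?\n/).slice(1);
  const body = [];
  let inFence = false;
  for (const line of lines) {
    if (/^\s*```/.test(line)) inFence = !inFence;
    const heading = /^(#{1,6})\s+\S/.exec(line);
    if (!inFence && heading && heading[1].length <= level) break;
    body.push(line);
  }
  return body.join('\n').trim();
}

// Wraps untrusted markdown in a code fence longer than any backtick run it contains,
// so the quoted template text cannot close the fence and turn into markup, links or
// @-mentions inside the bot's failure comment.
function fenceMarkdown(text) {
  const longest = Math.max(0, ...Array.from(text.matchAll(/`+/g), (m) => m[0].length));
  const fence = '`'.repeat(Math.max(3, longest + 1));
  return `${fence}markdown\n${text}\n${fence}`;
}

// Decides whether a PR must carry the boilerplate and whether it does.
// isOrgMember is a plain input here; in Danger it would come from the GitHub API.
function checkLegalBoilerplate({ template, prBody, isOrgMember }) {
  if (isOrgMember) return { ok: true, reason: 'org member' };
  const required = extractLegalBoilerplateSection(template);
  if (required === null) return { ok: true, reason: 'no Legal Boilerplate section in template' };
  if (LEGAL_HEADER_RE.test(prBody || '')) return { ok: true, reason: 'boilerplate present' };
  return {
    ok: false,
    reason: 'boilerplate missing',
    message:
      'Please keep the following section from the PR template in the PR description:\n\n' +
      fenceMarkdown(required),
  };
}

// Constructed sample template, laid out like the one quoted in the issue.
const SAMPLE_TEMPLATE = [
  '## Description',
  'Describe your change.',
  '',
  '#### Legal Boilerplate',
  '',
  'Look, I get it. ... I retain all rights, title and interest in and to my contributions.',
  '',
  '## Checklist',
  '- [ ] tests added',
].join('\n');

// Constructed PR body from an external contributor who used `gh pr create --body`.
const SAMPLE_RESULT = checkLegalBoilerplate({
  template: SAMPLE_TEMPLATE,
  prBody: 'Fixes a typo in the README.',
  isOrgMember: false,
});
console.log(SAMPLE_RESULT.ok ? 'ok' : SAMPLE_RESULT.message);
```

The fence length matters for the "code blocks within legal sections" case from the test list: a legal section that itself contains a three-backtick block would close a plain three-backtick wrapper early, so the helper always uses one more backtick than the longest run in the quoted text.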


github-actions bot commented Jan 27, 2026

Fails
🚫 Please consider adding a changelog entry for the next release.
Messages
📖 Do not forget to update Sentry-docs with your feature once the pull request gets approved.
📖 ✅ Custom dangerfile check: PR has a description
📖 ✅ Custom dangerfile check: PR title length is reasonable
📖 📊 Custom check: This PR changes 4 file(s)

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

### Features

- Add legal boilerplate validation for external contributors ([#145](https://github.com/getsentry/github-workflows/pull/145))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against 24ffc9f

Development

Successfully merging this pull request may close these issues.

Optionally verify presence of required legal notices in PR descriptions