Add reusable PR spam-triage workflow + org CONTRIBUTING.md #3

Merged
asachs01 merged 1 commit into main from feat/pr-spam-triage
Apr 28, 2026
Conversation

@asachs01 Contributor

Summary

  • New reusable workflow pr-spam-triage.yml that auto-closes obvious promotional/badge-spam PRs (e.g. MseeP.ai "Add badge" PRs we keep getting on MCP server repos).
  • New org-level CONTRIBUTING.md that the close comment can authoritatively point at; also clarifies what we do/don't accept across org repos.

Why

We've been receiving spam PRs across MCP server repos asking us to add third-party "trust badges" to our READMEs. Closing each one by hand is annoying and not scaling. This automates the obvious cases and gives us a neutral ruleset to point at.

How it works

  • Triggered via workflow_call from each repo's own pr-triage.yml on pull_request_target — the only trigger with write perms on fork PRs.
  • Three signal types — author denylist, title regex, body regex. README-only tiny-diff is reinforcing only (never sole trigger), so legit doc PRs from new contributors aren't nuked.
  • Initial denylist covers mseep-ai / mseep-bot and the badge-PR templates they use. Patterns are extensible per-repo via JSON inputs.
  • dry-run: true mode just labels spam-suspected so we can tune patterns before flipping to auto-close.

Security review

  • Safe under pull_request_target: PR head is never checked out.
  • All PR-derived strings (title, body, author, file paths) flow through actions/github-script → step outputs → env vars. No ${{ github.event.* }} ever lands in a run: block — that's the workflow-injection vector.
  • Minimal permissions: pull-requests: write, issues: write. No code execution from PR contents.

Rollout plan

  1. Land this PR.
  2. Add caller workflow to autotask-mcp (separate PR) with dry-run: true for ~1 week to confirm zero false positives.
  3. Flip dry-run off; broadcast caller stub to remaining org repos.

Test plan

  • Actions syntax validates on PR open
  • After merge, add caller to autotask-mcp in dry-run mode and watch next inbound spam PR get labeled (not closed)
  • After verification window, switch to auto-close and broadcast org-wide

Reusable workflow auto-closes promotional/badge-spam PRs (e.g. MseeP.ai
"Add badge" PRs) using author denylist + title/body regex matching, with
README-only tiny-diff as a reinforcing signal. Repos opt in via a small
caller workflow.

Safe under pull_request_target: PR head is never checked out and all
PR-derived strings flow through env vars, never direct interpolation.

Org-level CONTRIBUTING.md gives the close comment something authoritative
to point at and clarifies what we accept.
@asachs01 asachs01 merged commit 03d64fc into main Apr 28, 2026
1 check failed
@asachs01 asachs01 deleted the feat/pr-spam-triage branch April 28, 2026 15:14
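The three-signal decision described under "How it works" and "Security review", written out as an added example in the shape of logic that would run inside actions/github-script. This is not the PR's or the org's workflow code. The denylist entries come from the PR description; the title and body regexes, the tiny-diff threshold, the rule that the README-only signal is recorded but never triggers alone, and the sample events are all constructed assumptions. Every PR-derived string is handled as data: matched, then returned in a plain object for a later step to consume through env vars.

```javascript
// Added example (not the org's pr-spam-triage.yml code): triage decision as a pure
// function. Assumed shape: `pr` is a pull_request event payload, `files` is the
// list returned by the pulls.listFiles API (filename, additions, deletions).

const DEFAULT_CONFIG = {
  authorDenylist: ["mseep-ai", "mseep-bot"],      // from the PR description
  titlePatterns: [/\badd\b.*\bbadge\b/i],          // assumed pattern
  bodyPatterns: [/\bmseep\.ai\b/i],                // assumed pattern
  maxReinforcingChangedLines: 5,                   // assumed threshold
  dryRun: true,                                    // label only, never close
};

// Reinforcing signal only: exactly one file, a README, changed by a few lines.
// It is never sufficient by itself, so a one-line doc fix from a new
// contributor is not closed.
function isReadmeOnlyTinyDiff(files, maxLines) {
  if (!Array.isArray(files) || files.length !== 1) return false;
  const { filename = "", additions = 0, deletions = 0 } = files[0];
  const base = filename.split("/").pop();
  return /^readme(\.[a-z]+)?$/i.test(base) && additions + deletions <= maxLines;
}

// Returns { spam, action, signals }. `action` is "none", "label" (dry-run) or
// "close". Nothing from the PR is echoed back into a command string here.
function classifyPullRequest(pr, files, config = DEFAULT_CONFIG) {
  const login = String((pr.user && pr.user.login) || "").toLowerCase();
  const title = String(pr.title || "");
  const body = String(pr.body || "");            // body is null on empty PRs
  const signals = [];

  const denylist = config.authorDenylist.map((a) => a.toLowerCase());
  if (denylist.includes(login)) signals.push("author-denylist");
  if (config.titlePatterns.some((re) => re.test(title))) signals.push("title-regex");
  if (config.bodyPatterns.some((re) => re.test(body))) signals.push("body-regex");

  // Primary signals decide; the README-only signal is only appended as
  // supporting evidence once a primary signal has already fired.
  const primaryHit = signals.length > 0;
  if (primaryHit && isReadmeOnlyTinyDiff(files, config.maxReinforcingChangedLines)) {
    signals.push("readme-only-tiny-diff");
  }

  const spam = primaryHit;
  const action = !spam ? "none" : config.dryRun ? "label" : "close";
  return { spam, action, signals };
}

// Constructed sample events (not real PRs) for running this stand-alone.
const SAMPLE_BADGE_PR = {
  user: { login: "mseep-bot" },
  title: "Add MseeP.ai badge to README",
  body: "This PR adds the MseeP.ai trust badge.",
};
const SAMPLE_BADGE_FILES = [{ filename: "README.md", additions: 2, deletions: 0 }];

const SAMPLE_DOC_FIX_PR = {
  user: { login: "new-contributor" },
  title: "Fix typo in installation section",
  body: null,
};
const SAMPLE_DOC_FIX_FILES = [{ filename: "README.md", additions: 1, deletions: 1 }];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyPullRequest(SAMPLE_BADGE_PR, SAMPLE_BADGE_FILES)));
  console.log(JSON.stringify(classifyPullRequest(SAMPLE_DOC_FIX_PR, SAMPLE_DOC_FIX_FILES)));
}
```

Inside the workflow the returned fields would be passed to core.setOutput and read by the labelling or closing step from env, which is the data flow the security review describes; the triage function itself never builds a shell command from the title, body or login, so a crafted PR field can only fail to match a pattern, not change what runs.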