👷 Update guard-dependencies.yml workflow to allow modifying dependencies for non-fork PRs #209
Open
YuriiMotov wants to merge 2 commits into
7b865c4 to
2adfaf1
Compare
svlandeg
reviewed
Jun 1, 2026
Contributor
I'm not sure we need to edit anything. The reason the bot closed is because your membership of fastapilabs is set to "private". We discussed this internally and I think decided to put those memberships "public" to allow the bot to work properly.
If you/the team prefers not to do that, then yeah I guess we can change this rule, I don't really mind either way.
svlandeg
reviewed
Jun 1, 2026
| core.setFailed('Dependency changes are restricted to organization members.'); | ||
| } else { | ||
| console.log(`Author ${author} (author_association=${assoc}) is allowed to make dependency changes.`); | ||
| console.log(`Author ${author} (sameRepo=${sameRepo}) is allowed to make dependency changes.`); |
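Review bot: the two messages in this branch no longer describe the rule being applied. The `core.setFailed` text still says "Dependency changes are restricted to organization members." and the new log line still opens with `Author ${author}`, while the value it reports is `sameRepo`. Word both around the PR branch being in this repository, so that a closed PR and the job log give the real reason for the decision.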
Contributor
I'm not sure it makes sense to still refer to author here? Maybe just something like "This PR (...) is allowed ..." ?
svlandeg
reviewed
Jun 1, 2026
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| issue_number: context.payload.pull_request.number, | ||
| body: `This PR modifies dependency files (\`pyproject.toml\` or \`uv.lock\`), which is restricted to members of the **${context.repo.owner}** organization on GitHub.\n\nIf you need a dependency change, please [open a discussion](https://github.com/${context.repo.owner}/${context.repo.repo}/discussions/new) describing what you need and why.\n\nClosing this PR automatically.` |
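Review bot: the comment `body` still tells the contributor that dependency changes are "restricted to members of the **${context.repo.owner}** organization". If the decision is made on whether the PR branch is in the same repo, that sentence gives the wrong reason to an organization member who opens the PR from a fork. Reword it to say that dependency changes must come from a branch pushed to this repository.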
Contributor
Should we also update the wording here?
Currently `guard-dependencies.yml` closes PRs that modify dependencies even if the PR branch is in the same repo (author has write permissions in the repo). See #208

I suggest we modify it to make the decision by checking if the PR branch is in the same repo.
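
The same-repo decision proposed above, shown next to an association-based rule, as an added example (not the workflow's own code). The payloads are constructed, and the trusted association set, the basename matching and the function names are assumptions.

```javascript
// Added example. Payloads are constructed, shaped like context.payload.pull_request.
const GUARDED = new Set(['pyproject.toml', 'uv.lock']);
// Assumption: associations the earlier rule accepted as "organization members".
const TRUSTED_ASSOC = new Set(['OWNER', 'MEMBER']);

function touchesDependencies(changedFiles) {
  // Assumption: match on basename so nested projects are covered too.
  return changedFiles.some((f) => GUARDED.has(f.split('/').pop()));
}

function isSameRepo(pr) {
  const head = pr.head && pr.head.repo;
  const base = pr.base && pr.base.repo;
  // head.repo is null once the source fork is deleted: fail closed.
  if (!head || !base) return false;
  // Numeric ids survive renames and transfers; names do not.
  return head.id === base.id;
}

function decide(pr, changedFiles) {
  if (!touchesDependencies(changedFiles)) {
    return { byAssociation: 'allow', bySameRepo: 'allow' };
  }
  return {
    byAssociation: TRUSTED_ASSOC.has(pr.author_association) ? 'allow' : 'close',
    bySameRepo: isSameRepo(pr) ? 'allow' : 'close',
  };
}

const base = { repo: { id: 1, full_name: 'org/project' } };
const samples = {
  // Branch pushed to the repo by someone whose org membership is private.
  privateMember: { author_association: 'CONTRIBUTOR', head: { repo: { id: 1 } }, base },
  // Public org member working from a personal fork.
  memberFork: { author_association: 'MEMBER', head: { repo: { id: 2 } }, base },
  // Outside contributor whose fork was deleted after opening the PR.
  deletedFork: { author_association: 'NONE', head: { repo: null }, base },
};

for (const [name, pr] of Object.entries(samples)) {
  console.log(name, decide(pr, ['src/app.py', 'uv.lock']));
}
```

The two rules disagree on the first two samples: the same-repo check ties the decision to push access rather than to publicly visible membership, and it closes fork PRs even when the author is a member.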