feat(ci): hard-gate PR merges on contributor star (Star Check workflow) #48
Promotes the 'star the repo' rule from soft enforcement to a CI-blocking
gate on PR merges. PRs from contributors who haven't starred the repo
cannot merge until they do (single click + Re-run job).
Mechanism:
- New workflow .github/workflows/star-check.yml runs on every PR
(opened, reopened, synchronize, ready_for_review, labeled, unlabeled).
- Uses the public GitHub REST API 'GET /users/{login}/starred/{owner}/{repo}'
via github-script. Returns 204 if starred, 404 if not.
- No extra auth scope required beyond the default GITHUB_TOKEN.
- Single job, 2 steps: the check + a summary write to the Actions UI.
Auto-exemptions (no human action needed):
- Maintainer PRs (@hoainho): hard-coded in the workflow's MAINTAINERS list.
- Bot PRs: matches *[bot] suffix + an allowlist (dependabot,
gemini-code-assist, google-cla, github-actions, renovate).
- PRs labeled 'tracked-plan': for maintainer-driven milestone work
(M-A, M-B, future Self-Roadmap milestones).
- PRs labeled 'pre-star-rule': grandfathered PRs that were open
before this policy landed (2026-06-01).
Grandfathering (applied before this commit, separately via gh CLI):
- 4 in-flight contributor PRs (#17, #36, #37, #38) labeled
'pre-star-rule' so the new check skips them.
- 2 in-flight maintainer PRs (#39 M-A, #41 M-B) labeled 'tracked-plan'
so the new check skips them.
Failure UX:
- When star check fails, the workflow writes a clear error message
with: 'star the repo', 'click Re-run failed jobs', and a link
to CONTRIBUTING.md. No re-push required to re-run after starring.
Doc surface updated:
- CONTRIBUTING.md: 'How to claim' section now flags the hard gate
with a clear ⚠️ notice; new 'Exemptions' subsection documents
the 4 bypass categories.
- PULL_REQUEST_TEMPLATE.md: 'Claim confirmation' section updated
to note the CI enforcement.
- CHANGELOG.md: new Unreleased entries under Added (workflow) +
Changed (policy hardening) + Migration (grandfathering).
Privacy + safety notes:
- The API endpoint is public + read-only (no PII beyond GitHub's
own public star list).
- Workflow permissions are minimal: 'contents: read' +
'pull-requests: read'. No write access requested.
- The check is idempotent and safe to re-run.
Self-referential note: this PR itself will trigger the new workflow
once merged. Author is @hoainho (in MAINTAINERS), so it auto-passes.
Code Review
This pull request updates the contribution guidelines, pull request template, and changelog to document the new CI-enforced 'Star Check' workflow, which requires PR authors to star the repository before merging. The review feedback correctly identifies broken relative links to the workflow file and the contribution guide in both .github/CONTRIBUTING.md and .github/PULL_REQUEST_TEMPLATE.md due to incorrect directory paths, providing suggestions to fix them.
| Click the **Star** button at the top of the repo. This isn't a vanity gate — it's a low-friction signal that you've actually looked at the project and intend to follow through, not just farm a PR for a profile stat. Maintainers prioritize claims from users who star first. | ||
| Click the **Star** button at the top of the repo. This isn't a vanity gate — it's a low-friction signal that you've actually looked at the project and intend to follow through, not just farm a PR for a profile stat. | ||
|
|
||
| **⚠️ This is now enforced by CI.** A workflow ([`.github/workflows/star-check.yml`](../blob/main/.github/workflows/star-check.yml)) runs on every PR. If the author hasn't starred the repo, the **Star Check** status will fail and the PR cannot be merged until you star and re-run the check (or push a new commit, which automatically re-runs). |
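Review bot: The added notice says the PR "cannot be merged" while Star Check fails, but a failing workflow run only blocks merging when that check is configured as a required status check in branch protection or a ruleset, and nothing in this change shows that setting. Either confirm in the PR that Star Check is marked required on the default branch, or soften the wording to say the status will fail. The same sentence could also point to the Exemptions subsection, since exempt PRs never hit this path.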
The relative link to the workflow file is broken. Since CONTRIBUTING.md is located inside the .github/ directory, the relative path to the workflow is simply workflows/star-check.yml. The current path ../blob/main/.github/workflows/star-check.yml will result in a 404 error when navigating on GitHub.
| **⚠️ This is now enforced by CI.** A workflow ([`.github/workflows/star-check.yml`](../blob/main/.github/workflows/star-check.yml)) runs on every PR. If the author hasn't starred the repo, the **Star Check** status will fail and the PR cannot be merged until you star and re-run the check (or push a new commit, which automatically re-runs). | |
| **⚠️ This is now enforced by CI.** A workflow ([.github/workflows/star-check.yml](workflows/star-check.yml)) runs on every PR. If the author hasn't starred the repo, the **Star Check** status will fail and the PR cannot be merged until you star and re-run the check (or push a new commit, which automatically re-runs). |
|
|
||
| - [ ] I starred the repo ⭐ — see [CONTRIBUTING.md → How to claim](../blob/main/.github/CONTRIBUTING.md#-how-to-claim-an-issue-required-before-opening-a-pr) (low-friction signal that you intend to follow through) | ||
| - [ ] I commented `I'll take this` (or similar) on the issue before starting work, so two people don't accidentally race on the same issue | ||
| - [ ] **I starred the repo ⭐** — see [CONTRIBUTING.md → How to claim](../blob/main/.github/CONTRIBUTING.md#-how-to-claim-an-issue-required-before-opening-a-pr). **This is now enforced by CI** ([`.github/workflows/star-check.yml`](../blob/main/.github/workflows/star-check.yml)) — the "Star Check" status will block merge until you star. |
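Review bot: The rewritten checklist item states that the "Star Check" status will block merge until you star, with no mention of the exemptions, so authors of PRs labeled tracked-plan or pre-star-rule get a template line that does not apply to them. Consider appending a short "unless exempt, see Exemptions in CONTRIBUTING.md" pointer. Now that CI verifies the star, the checkbox itself is a self-attestation of something already checked, so it could become a plain note rather than a box to tick.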
The relative links to both CONTRIBUTING.md and the workflow file are broken. Since PULL_REQUEST_TEMPLATE.md is located inside the .github/ directory, the relative path to CONTRIBUTING.md is simply CONTRIBUTING.md, and the relative path to the workflow is workflows/star-check.yml. The current paths using ../blob/main/.github/... will result in 404 errors on GitHub.
| - [ ] **I starred the repo ⭐** — see [CONTRIBUTING.md → How to claim](../blob/main/.github/CONTRIBUTING.md#-how-to-claim-an-issue-required-before-opening-a-pr). **This is now enforced by CI** ([`.github/workflows/star-check.yml`](../blob/main/.github/workflows/star-check.yml)) — the "Star Check" status will block merge until you star. | |
| - [ ] **I starred the repo ⭐** — see [CONTRIBUTING.md → How to claim](CONTRIBUTING.md#-how-to-claim-an-issue-required-before-opening-a-pr). **This is now enforced by CI** ([.github/workflows/star-check.yml](workflows/star-check.yml)) — the "Star Check" status will block merge until you star. |
…-budget gate, lifecycle module (#50)
Recovered from closed PR #39. The original M-A branch had an identity-rewrite force-push yesterday that orphaned the branch ancestry from main (zero common commits). GitHub auto-closed PR #39 because of the divergent ancestry.
This commit recovers the content as a single squash applied onto current main, preserving all post-M-A merges (PR #40 editor onboarding, PR #47 claim rule, PR #48 star check).
The work below is identical to what was committed across the 5 M-A tasks (T1-T5). Atomic-task SHAs preserved in the harness at .opencode/plans/2026-05-31-self-roadmap-m-a.md as historical reference.
M-A T1: refactor(types) — delete 5 ghost IssueType enum values (UNNECESSARY_RERENDER, DEV_MODE_IN_PROD, DIRECT_STATE_MUTATION, DUPLICATE_KEY, EXTRA_DEP). Fan-out across 9 files chasing string refs in panel components + tabs + tests. Also adds SEARCH_REDUX to MessageType union (yesterday's CI fix folded in).
M-A T2: fix(inject) — bound 3 leaky Sets (reportedEffectIssues, reportedExcessiveRerenders, reportedSlowRenders) via TTL Maps in periodicCleanup. Was Set<string>, now Map<string, number> with 5-min TTL eviction.
M-A T3: ci(typecheck) — add typecheck + typecheck:node + bench npm scripts. CI workflow now runs typecheck (fail-fast, no continue-on-error) BEFORE build. Pre-existing tsc errors fixed (SEARCH_REDUX added to MessageType, dead navigationStartTime + NAVIGATION_GRACE_MS declarations removed). tsconfig.node.json tightened to match root strict mode. Closes #27.
M-A T4: test(bench) — vitest-bench harness skeleton:
- test/bench/detectors.bench.ts (1365-node synthetic tree walk at ~575K hz, no-op detector benchmark)
- test/fixtures/bench-tree/SimpleList.tsx (100-element list fixture)
- bench/baselines/.gitkeep + bench/results/.gitkeep
M-A T5: refactor(inject) — extract cleanup-interval lifecycle helpers into src/inject/lifecycle.ts (89 LoC). First leaf module exiting the 3270-LoC IIFE god-file. Zero behavior change (controller pre-flight verified the existing code was already lazy-install).
Plus: .gitignore fix — was 'node_modules*.tsbuildinfo' smushed on one line, now correctly two lines.
Verification:
- tsc --noEmit: ZERO errors
- build: exit 0
- test:run: 29 pre-existing emoji failures + 141 passes
- bench: exit 0
Part of self-roadmap H2 2026 milestone M-A.
Why
User asked: "You should require contributor star before merge any PR, it's a precondition to contribute".
Promotes the "star the repo" rule from the soft-enforcement PR #47 landed yesterday into a hard CI gate on merges. Goal: filter out drive-by PRs that don't engage with the project. Star is a single click; the friction is intentional but tiny.
What
New file
.github/workflows/star-check.yml — runs on every PR (opened, reopened, synchronize, ready_for_review, labeled, unlabeled). Uses the public GET /users/{login}/starred/{owner}/{repo} REST API via actions/github-script@v7. Returns 204 if starred, 404 if not — single API call.
Updated files
- .github/CONTRIBUTING.md — "How to claim" section now flags the hard gate with a
- .github/PULL_REQUEST_TEMPLATE.md — "Claim confirmation" updated to note CI enforcement.
- CHANGELOG.md — Added (workflow), Changed (policy hardening), Migration (grandfathering).
Auto-exemptions (no human action needed)
The workflow auto-skips in 4 cases:
- @hoainho) MAINTAINERS array
- *[bot] suffix + allowlist (Dependabot, gemini-code-assist, google-cla, github-actions, renovate)
- tracked-plan label
- pre-star-rule label
Grandfathering (applied before this PR opened)
Labels already applied to in-flight PRs via gh pr edit so they're not ambushed: pre-star-rule, pre-star-rule, pre-star-rule, pre-star-rule, tracked-plan, tracked-plan
Failure UX
When the check fails, the workflow logs a clear error in the Actions tab with:
No re-push required after starring. Click "Re-run failed jobs" in Actions → check passes within seconds.
Privacy + safety
contents: read + pull-requests: read. No write access requested.
Self-referential test
This PR itself will trigger the new workflow once it lands. Author is @hoainho (in MAINTAINERS), so the check auto-passes. CI run on this PR will demonstrate the exempt-maintainer code path end-to-end.
What does NOT change
Build + Test workflow (ci.yml) is untouched.
Review focus
- github-script JS handle the 404 case correctly? Fallback path uses github.request() with a try/catch on err.status === 404.
- mergify[bot], pre-commit-ci[bot].) Easy to add later — workflow just needs a new entry in BOTS array.
Closes: nothing — this is a policy addition. The previous policy PR (#47) was the soft-enforcement version; this hardens it.
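The gate logic this PR describes, sketched as an added example (not the project's star-check.yml): exemptions are evaluated first, then the 204/404 lookup runs inside the try/catch on err.status === 404 that the review-focus item asks about, with every other status rethrown instead of being read as "not starred". The lookup is an injected stub, and the function names, the base-name form of the BOTS entries, and the rule that a bot login must match both the suffix and the allowlist are assumptions.

```javascript
// Added example, not the project's workflow. Function names and sample data are constructed.
const MAINTAINERS = ['hoainho'];
// Assumption: the allowlist holds base names and a bot login is "<name>[bot]".
const BOTS = ['dependabot', 'gemini-code-assist', 'google-cla', 'github-actions', 'renovate'];
const EXEMPT_LABELS = ['tracked-plan', 'pre-star-rule'];
const BOT_SUFFIX = '[bot]';

// Returns the exemption reason, or null when the star lookup has to run.
function exemptionFor(pr) {
  const login = pr.user.login;
  if (MAINTAINERS.includes(login)) return 'maintainer';
  // The suffix alone is not enough here: the base name must also be on the allowlist.
  if (login.endsWith(BOT_SUFFIX) && BOTS.includes(login.slice(0, -BOT_SUFFIX.length))) return 'bot';
  const label = pr.labels.map((l) => l.name).find((n) => EXEMPT_LABELS.includes(n));
  return label ? `label:${label}` : null;
}

// lookup(login) stands in for the API call. Only 204 and 404 are verdicts; a 403,
// 5xx or network error is rethrown so the job errors instead of reporting "not starred".
async function hasStarred(lookup, login) {
  try {
    const res = await lookup(login);
    if (res.status === 204) return true;
    throw Object.assign(new Error(`unexpected status ${res.status}`), { status: res.status });
  } catch (err) {
    if (err.status === 404) return false;
    throw err;
  }
}

async function starGate(pr, lookup) {
  const exempt = exemptionFor(pr);
  if (exempt) return { pass: true, reason: `exempt:${exempt}` };
  return (await hasStarred(lookup, pr.user.login))
    ? { pass: true, reason: 'starred' }
    : { pass: false, reason: 'not-starred' };
}

// Constructed helpers: a stub that throws on 4xx/5xx like an HTTP client, and a PR payload.
const stub = (status) => async () => {
  if (status >= 400) throw Object.assign(new Error(`HTTP ${status}`), { status });
  return { status };
};
const samplePr = (login, labels = []) => ({ user: { login }, labels: labels.map((name) => ({ name })) });

(async () => {
  console.log(await starGate(samplePr('alice'), stub(404)));
  console.log(await starGate(samplePr('renovate[bot]'), stub(404)));
})();
```

Separating "not starred" from "lookup failed" keeps a rate-limited or failing API call from showing contributors a misleading "star the repo" message.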