name: external-contributor-gate
# Defends against vendor badge-trojan / SEO-spam PRs from first-time
# external contributors. Allowlist + bot detection + auto-close-and-lock
# for documentation-only drive-bys. See pleme-io/actions#2 + the
# incident_oyaai_safeskill_drive_by_2026_05_28 memory.
#
# `pull_request_target` runs in the BASE repo context with write
# permissions; the action only makes GitHub API calls (no fork code is
# executed). First-time-contributor approval setting still gates the
# first run from a brand-new account.
on:
pull_request_target:
types:
permissions:
pull-requests: write
issues: write
contents: read
jobs:
gate:
runs-on: ubuntu-latest
steps:
- uses: pleme-io/actions/pull-request-gate@main
with:
allowlist: |
drzln