
Proposal: Prevent untrusted users from creating issues/PRs #19

@rickhanlonii

Overview

I want to be able to use vouch to prevent untrusted users from creating issues or PRs, instead of letting them be created and then closing them.

GitHub Limitations

GitHub doesn't have first-class support to block creating issues or PRs.

The permission model is intentionally set up so that public repos are open for everyone to comment, create issues, and create PRs. This was probably the right choice historically, but with AI lowering the barrier to entry, open writes by default is becoming unsustainable.

Until GitHub adds a feature to support this (like a GitHub action that runs when a comment/issue/PR is created that can reject creating it), there is a way to achieve this that is a more nuclear approach.

In the React working groups, we've set them up so that the working group members have write access, but it's read-only for everyone else. This balances being open by default, but limiting interactions to a trusted group.

The way we did this is with the moderation interaction limits settings. This feature is intended to be a temporary way to limit spam, but you can use it to limit the repository only to contributors.

Unfortunately this setting can only last for 6 months, which requires it to be renewed.

Proposal

Add a GitHub Action that adds trusted users to the list of "triage" contributors in a repo, and enables interaction limits on the repository.

Workflow

  • When a user is vouched, add them to the repository's collaborators with the "Triage" role, if they don't already exist.
  • Since interaction limits expire, periodically check the repo's interaction limit settings to refresh them.

This gives trusted users access to create or comment on issues/PRs, but not push, approval, or merge access.

Limitations

There are some limitations here:

  • It limits all interactions. Untrusted users can't react or comment on any issue or PR.
  • The "triage" role gives trusted users more permissions:
    • Apply/dismiss labels
    • Close, reopen, and assign all issues and pull requests
    • Request pull request reviews
    • Hide anyone's comments
    • And a few others, see the table here.

There are some tradeoffs here. Repos that enable this option would need to be aware of the additional permissions and perhaps be more restrictive about who is trusted, set clear guidelines, and be diligent about finding bad actors/violations.

Appendix: GitHub APIs

The API to check if a user is a collaborator is:

GET /repos/{owner}/{repo}/collaborators/{username}

204 if true

The API to add a user is:

PUT /repos/{owner}/{repo}/collaborators/{username}

{"permission":"triage"}

The API to get interaction limits is:

GET /repos/{owner}/{repo}/interaction-limits

{
  "limit": "collaborators_only",
  "origin": "repository",
  "expires_at": "2018-08-17T04:18:39Z"
}

The API to add interaction limits is:

PUT /repos/{owner}/{repo}/interaction-limits

{"limit":"collaborators_only","expiry":"six_months"}

You could choose between:

  • previous contributors (and collaborators) "limit": "existing_users"
  • only collaborators "limit": "existing_users"
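
As an added illustration (not part of the original issue and not the vouch project's code), the proposed workflow can be expressed as a planner that turns the observed repository state into the appendix's API calls. The function names, the 14-day refresh window, the `example-org`/`example-repo` names, and treating a 404 from the collaborator check as "not a collaborator" are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Endpoints and request bodies are the ones listed in the appendix above.
COLLAB = "/repos/{owner}/{repo}/collaborators/{username}"
LIMITS = "/repos/{owner}/{repo}/interaction-limits"
LIMIT_BODY = {"limit": "collaborators_only", "expiry": "six_months"}


def needs_refresh(limits, now, window=timedelta(days=14)):
    """True when the limit is missing, different, or expires within `window`."""
    if not limits or limits.get("limit") != LIMIT_BODY["limit"]:
        return True  # no limit active, or not the one we want
    if "expires_at" not in limits:
        return True  # cannot prove it is still active, so re-apply
    expires = datetime.fromisoformat(limits["expires_at"].replace("Z", "+00:00"))
    return expires - now <= window


def plan_sync(owner, repo, vouched, collab_status, limits, now):
    """Return the (method, path, body) calls needed to reach the desired state.

    collab_status maps username -> HTTP status of the GET collaborator check.
    Only 404 (assumed "not a collaborator") leads to a grant: 204 means the
    user already has a role, and any other status means the check failed.
    """
    calls = []
    for user in sorted(vouched):
        if collab_status.get(user) != 404:
            continue  # never overwrite an existing role or grant on an error
        path = COLLAB.format(owner=owner, repo=repo, username=user)
        calls.append(("PUT", path, {"permission": "triage"}))
    if needs_refresh(limits, now):
        calls.append(("PUT", LIMITS.format(owner=owner, repo=repo), dict(LIMIT_BODY)))
    return calls


if __name__ == "__main__":
    # Constructed sample state: one newly vouched user, one existing
    # maintainer, and a limit that expires in three days.
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    limits = {"limit": "collaborators_only", "origin": "repository",
              "expires_at": "2026-01-04T00:00:00Z"}
    for call in plan_sync("example-org", "example-repo", {"alice", "maintainer"},
                          {"alice": 404, "maintainer": 204}, limits, now):
        print(json.dumps(call))
```

Running the planner on a schedule covers the expiry problem, and keeping the plan separate from the HTTP client lets the grant decisions be reviewed or logged before any permission changes.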

Labels: design needed (Not ready for work, still discussing design.); enhancement (New feature or request)
