Fix CI comment trigger security and reliability issues

This addresses critical security and reliability issues identified in the
initial implementation of the /run-full-ci comment trigger.

**Security Fixes:**
- Add permission check to restrict command to users with write access
- Prevents resource abuse from external contributors
- Posts informative message to unauthorized users

**Reliability Improvements:**
- Consolidate workflow triggers with better error handling
- Post detailed results comment listing succeeded/failed workflows
- Fail job if any workflows fail to trigger
- Add concurrency controls to prevent duplicate runs per PR
- Improve comment matching to require command at line start

**Workflow Updates:**
- Update main.yml, examples.yml to run minimum deps on workflow_dispatch
- Update Pro workflows to honor workflow_dispatch events
- Skip welcome comment for bot PRs (dependabot, renovate)

**Documentation:**
- Document security controls and access restrictions
- Document concurrency protection
- Explain workflow_dispatch behavior

These changes ensure the feature is secure, reliable, and provides
clear feedback when workflows fail to trigger.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: justin808

.github/README.md

@@ -35,6 +35,20 @@ By default, PRs run a subset of CI jobs to provide fast feedback:
 
 This is intentional to keep PR feedback loops fast. However, before merging, you should verify compatibility across all supported versions. The `/run-full-ci` command makes this easy without waiting for the PR to be merged to master.
 
+### Security & Access Control
+
+**Only repository collaborators with write access can trigger full CI runs.** This prevents:
+
+- Resource abuse from external contributors
+- Unauthorized access to Pro package tests
+- Potential DoS attacks via repeated CI runs
+
+If an unauthorized user attempts to use `/run-full-ci`, they'll receive a message explaining the restriction.
+
+### Concurrency Protection
+
+Multiple `/run-full-ci` comments on the same PR will cancel in-progress runs to prevent resource waste and duplicate results.
+
 ## Testing Comment-Triggered Workflows
 
 **Important**: Comment-triggered workflows (`issue_comment` event) only execute from the **default branch** (master). This creates a chicken-and-egg problem when developing workflow changes.

.github/workflows/examples.yml

@@ -38,17 +38,20 @@ jobs:
 
   examples:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_generators == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_generators == 'true'
     strategy:
       fail-fast: false
       matrix:
         include:
           # Always run: Latest versions (fast feedback on PRs)
           - ruby-version: '3.4'
             dependency-level: 'latest'
-          # Master only: Minimum supported versions (full coverage)
+          # Master and workflow_dispatch: Minimum supported versions (full coverage)
           - ruby-version: '3.2'
             dependency-level: 'minimum'
+        # On PRs (not workflow_dispatch), only run latest versions
+        exclude:
+          - ${{ github.event_name != 'workflow_dispatch' && github.ref != 'refs/heads/master' && matrix.dependency-level == 'minimum' || null }}
     env:
       SKIP_YARN_COREPACK_CHECK: 0
       BUNDLE_FROZEN: ${{ matrix.dependency-level == 'minimum' && 'false' || 'true' }}

.github/workflows/main.yml

@@ -38,20 +38,23 @@ jobs:
 
   build-dummy-app-webpack-test-bundles:
     needs: detect-changes
-    # Run on master OR when tests needed on PR (but skip minimum deps on PR)
+    # Run on master, workflow_dispatch, OR when tests needed on PR
     if: |
-      (github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_dummy_tests == 'true')
+      (github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true')
     strategy:
       matrix:
         include:
           # Always run: Latest versions (fast feedback on PRs)
           - ruby-version: '3.4'
             node-version: '22'
             dependency-level: 'latest'
-          # Master only: Minimum supported versions (full coverage)
+          # Master and workflow_dispatch: Minimum supported versions (full coverage)
           - ruby-version: '3.2'
             node-version: '20'
             dependency-level: 'minimum'
+        # On PRs (not workflow_dispatch), only run latest versions
+        exclude:
+          - ${{ github.event_name != 'workflow_dispatch' && github.ref != 'refs/heads/master' && matrix.dependency-level == 'minimum' || null }}
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
@@ -122,9 +125,9 @@ jobs:
 
   dummy-app-integration-tests:
     needs: [detect-changes, build-dummy-app-webpack-test-bundles]
-    # Run on master OR when tests needed on PR (but skip minimum deps on PR)
+    # Run on master, workflow_dispatch, OR when tests needed on PR
     if: |
-      (github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_dummy_tests == 'true')
+      (github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_dummy_tests == 'true')
     strategy:
       fail-fast: false
       matrix:
@@ -133,10 +136,13 @@ jobs:
           - ruby-version: '3.4'
             node-version: '22'
             dependency-level: 'latest'
-          # Master only: Minimum supported versions (full coverage)
+          # Master and workflow_dispatch: Minimum supported versions (full coverage)
           - ruby-version: '3.2'
             node-version: '20'
             dependency-level: 'minimum'
+        # On PRs (not workflow_dispatch), only run latest versions
+        exclude:
+          - ${{ github.event_name != 'workflow_dispatch' && github.ref != 'refs/heads/master' && matrix.dependency-level == 'minimum' || null }}
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4

.github/workflows/pr-welcome-comment.yml

@@ -6,6 +6,8 @@ on:
 
 jobs:
   welcome:
+    # Skip for bots (dependabot, renovate, etc.)
+    if: github.event.pull_request.user.type != 'Bot'
     runs-on: ubuntu-22.04
     permissions:
       pull-requests: write

.github/workflows/pro-integration-tests.yml

@@ -34,7 +34,7 @@ jobs:
   # Build webpack test bundles for dummy app
   build-dummy-app-webpack-test-bundles:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     runs-on: ubuntu-22.04
     env:
       REACT_ON_RAILS_PRO_LICENSE: ${{ secrets.REACT_ON_RAILS_PRO_LICENSE }}
@@ -124,7 +124,7 @@ jobs:
     needs:
       - detect-changes
       - build-dummy-app-webpack-test-bundles
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     runs-on: ubuntu-22.04
     env:
       REACT_ON_RAILS_PRO_LICENSE: ${{ secrets.REACT_ON_RAILS_PRO_LICENSE }}
@@ -304,7 +304,7 @@ jobs:
     needs:
       - detect-changes
       - build-dummy-app-webpack-test-bundles
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     runs-on: ubuntu-22.04
     env:
       REACT_ON_RAILS_PRO_LICENSE: ${{ secrets.REACT_ON_RAILS_PRO_LICENSE }}

.github/workflows/pro-package-tests.yml

@@ -34,7 +34,7 @@ jobs:
   # Build webpack test bundles for dummy app
   build-dummy-app-webpack-test-bundles:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     runs-on: ubuntu-22.04
     env:
       REACT_ON_RAILS_PRO_LICENSE: ${{ secrets.REACT_ON_RAILS_PRO_LICENSE }}
@@ -124,7 +124,7 @@ jobs:
     needs:
       - detect-changes
       - build-dummy-app-webpack-test-bundles
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     runs-on: ubuntu-22.04
     # Redis service container
     services:
@@ -205,7 +205,7 @@ jobs:
   # RSpec tests for Pro package
   rspec-package-specs:
     needs: detect-changes
-    if: github.ref == 'refs/heads/master' || needs.detect-changes.outputs.run_pro_tests == 'true'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'workflow_dispatch' || needs.detect-changes.outputs.run_pro_tests == 'true'
     strategy:
       matrix:
         ruby-version: ['3.3.7']

.github/workflows/run-skipped-ci.yml

@@ -4,18 +4,62 @@ on:
   issue_comment:
     types: [created]
 
+# Prevent concurrent runs per PR
+concurrency:
+  group: full-ci-${{ github.event.issue.number }}
+  cancel-in-progress: true
+
 jobs:
   trigger-full-ci:
     # Only run on PR comments that match the command
     if: |
       github.event.issue.pull_request &&
-      contains(github.event.comment.body, '/run-full-ci')
+      (
+        startsWith(github.event.comment.body, '/run-full-ci') ||
+        contains(github.event.comment.body, '\n/run-full-ci')
+      )
     runs-on: ubuntu-22.04
     permissions:
       contents: read
       pull-requests: write
       actions: write
     steps:
+      - name: Check if user has write access
+        id: check_access
+        uses: actions/github-script@v7
+        with:
+          script: |
+            try {
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: context.actor
+              });
+
+              const hasAccess = ['admin', 'write'].includes(permission.permission);
+              console.log(`User ${context.actor} has permission: ${permission.permission}`);
+
+              if (!hasAccess) {
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.issue.number,
+                  body: `@${context.actor} Sorry, only repository collaborators with write access can trigger full CI runs. 🔒`
+                });
+              }
+
+              return hasAccess;
+            } catch (error) {
+              console.error('Error checking permissions:', error);
+              return false;
+            }
+
+      - name: Exit if no access
+        if: steps.check_access.outputs.result == 'false'
+        run: |
+          echo "User does not have permission to trigger full CI"
+          exit 1
+
       - name: Add reaction to comment
         uses: peter-evans/create-or-update-comment@v4
         with:
@@ -52,70 +96,59 @@ jobs:
 
             View progress in the [Actions tab](${{ github.server_url }}/${{ github.repository }}/actions).
 
-      - name: Trigger main workflow
+      - name: Trigger all workflows and collect results
+        id: trigger_workflows
         uses: actions/github-script@v7
         with:
           script: |
             const prData = ${{ steps.pr.outputs.result }};
-            try {
-              await github.rest.actions.createWorkflowDispatch({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                workflow_id: 'main.yml',
-                ref: prData.ref
-              });
-              console.log('✅ Triggered main.yml');
-            } catch (error) {
-              console.error('❌ Failed to trigger main.yml:', error.message);
-            }
+            const workflows = [
+              'main.yml',
+              'examples.yml',
+              'pro-integration-tests.yml',
+              'pro-package-tests.yml'
+            ];
 
-      - name: Trigger examples workflow
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prData = ${{ steps.pr.outputs.result }};
-            try {
-              await github.rest.actions.createWorkflowDispatch({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                workflow_id: 'examples.yml',
-                ref: prData.ref
-              });
-              console.log('✅ Triggered examples.yml');
-            } catch (error) {
-              console.error('❌ Failed to trigger examples.yml:', error.message);
-            }
+            const succeeded = [];
+            const failed = [];
 
-      - name: Trigger Pro integration tests
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prData = ${{ steps.pr.outputs.result }};
-            try {
-              await github.rest.actions.createWorkflowDispatch({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                workflow_id: 'pro-integration-tests.yml',
-                ref: prData.ref
-              });
-              console.log('✅ Triggered pro-integration-tests.yml');
-            } catch (error) {
-              console.error('❌ Failed to trigger pro-integration-tests.yml:', error.message);
+            for (const workflowId of workflows) {
+              try {
+                await github.rest.actions.createWorkflowDispatch({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  workflow_id: workflowId,
+                  ref: prData.ref
+                });
+                console.log(`✅ Triggered ${workflowId}`);
+                succeeded.push(workflowId);
+              } catch (error) {
+                console.error(`❌ Failed to trigger ${workflowId}:`, error.message);
+                failed.push(workflowId);
+              }
             }
 
-      - name: Trigger Pro package tests
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const prData = ${{ steps.pr.outputs.result }};
-            try {
-              await github.rest.actions.createWorkflowDispatch({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                workflow_id: 'pro-package-tests.yml',
-                ref: prData.ref
-              });
-              console.log('✅ Triggered pro-package-tests.yml');
-            } catch (error) {
-              console.error('❌ Failed to trigger pro-package-tests.yml:', error.message);
+            // Build the comment body
+            const status = failed.length === 0 ? '✅ **Successfully triggered all workflows**' : '⚠️ **Some workflows failed to trigger**';
+            const succeededList = succeeded.length > 0 ? succeeded.map(w => `- ✅ ${w}`).join('\n') : '- None';
+            const failedList = failed.length > 0 ? `\n\n**Failed workflows:**\n${failed.map(w => `- ❌ ${w}`).join('\n')}` : '';
+
+            const body = `${status}
+
+            **Triggered workflows:**
+            ${succeededList}${failedList}
+
+            View progress in the [Actions tab](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions).`;
+
+            // Post the comment
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: body
+            });
+
+            // Fail the job if any workflows failed to trigger
+            if (failed.length > 0) {
+              core.setFailed(`Failed to trigger ${failed.length} workflow(s): ${failed.join(', ')}`);
             }