Addresses hongming-pc review #1421 on PR #535.
Blocker 1 (fail-open privilege gate):
Original v1.2 design `if:`-gated the "Check out BASE" and "Evaluate"
steps on the privilege-check step's `proceed` output. A non-collaborator
commenting `/qa-recheck` produced proceed=false → both steps skipped →
job conclusion = success → `qa-review / approved` context published as
success with ZERO real APPROVE. Any visitor could green the gate.
Fix per RFC#324 v1.3 §A1.1 option (b): drop privilege-gating of the
eval entirely. The eval is read-only and idempotent (reads
pulls/{N}/reviews + teams/{id}/members/{u}, both server-side state
uninfluenced by who commented). Re-running on a non-collaborator's
comment is harmless: if a real team-member APPROVE exists, the eval
flips green; if not, it stays red. The privilege step is retained as
a `::notice::` log line only (griefer-spotting), not a gate.
Non-blocking nit 5 (dead jq fallback):
`apt-get install jq` (no root) and `curl -o /usr/local/bin/jq` (no
write perm on uid-1001 rootless runner) both can't succeed. Per
feedback_ci_runner_install_needs_writable_path + #391/#402, jq is
already baked into runner-base. Replace the install dance with a
clear `exit 1` + diagnostic so a missing-jq runner fails loud rather
than confusingly.
Smoke-test (mocked Gitea API):
no-approve → exit 1 (gate red)
self-approve → exit 1 (gate red)
dismissed-approve → exit 1 (gate red)
non-team-approve → exit 1 (gate red)
team-approve → exit 0 (gate green)
Blocker 2 (A1-α event-suffix context-name verification) is the
smoke-PR's job and is flagged in a follow-up comment on this PR — does
not require workflow changes here.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
core-devops
ecbfa60f04