Redirect contributors to foundry-samples-pr staging repo #552
brandom-msft wants to merge 3 commits into main from
Rewrite CONTRIBUTING.md to explain the private-to-public workflow:
- External users: open issues for bugs/suggestions
- Microsoft contributors: join microsoft-foundry org, then contribute via the private foundry-samples-pr staging repo

Update README.md contributing section to match. The previous fork-based workflow and stale azure-ai-foundry/doc-samples references are removed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Automatically closes PRs with a comment directing:
- Microsoft org members to foundry-samples-pr
- External contributors to open an issue instead

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check org membership and redirect | ||
| uses: actions/github-script@v7 | ||
| with: | ||
| script: | | ||
| const pr = context.payload.pull_request; | ||
| const author = pr.user.login; | ||
|
|
||
| // Check if author is a member of the microsoft org | ||
| let isOrgMember = false; | ||
| try { | ||
| const res = await github.rest.orgs.checkMembershipForUser({ | ||
| org: 'microsoft', | ||
| username: author, | ||
| }); | ||
| isOrgMember = res.status === 204; | ||
| } catch { | ||
| // 404 or 302 means not a member | ||
| isOrgMember = false; | ||
| } | ||
|
|
||
| let body; | ||
| if (isOrgMember) { | ||
| body = [ | ||
| `👋 Thanks for your contribution, @${author}!`, | ||
| '', | ||
| 'This repository is read-only. As a Microsoft contributor, please submit your PR to the private staging repository instead:', | ||
| '', | ||
| '👉 **[foundry-samples-pr](https://github.com/microsoft-foundry/foundry-samples-pr)**', | ||
| '', | ||
| 'See [CONTRIBUTING.md](https://github.com/microsoft-foundry/foundry-samples/blob/main/CONTRIBUTING.md) for full instructions.', | ||
| ].join('\n'); | ||
| } else { | ||
| body = [ | ||
| `👋 Thanks for your interest in contributing, @${author}!`, | ||
| '', | ||
| 'This repository does not accept pull requests directly. If you\'d like to report a bug, suggest an improvement, or propose a new sample, please **[open an issue](https://github.com/microsoft-foundry/foundry-samples/issues/new)** instead.', | ||
| '', | ||
| 'See [CONTRIBUTING.md](https://github.com/microsoft-foundry/foundry-samples/blob/main/CONTRIBUTING.md) for more details.', | ||
| ].join('\n'); | ||
| } | ||
|
|
||
| await github.rest.issues.createComment({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| issue_number: pr.number, | ||
| body, | ||
| }); | ||
|
|
||
| await github.rest.pulls.update({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| pull_number: pr.number, | ||
| state: 'closed', | ||
| }); |
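Review bot: the membership check queries `org: 'microsoft'`, but the commit message and the rewritten CONTRIBUTING.md tell Microsoft contributors to join the microsoft-foundry org, so someone who followed the instructions can still be classified as external and told to open an issue; check the org that owns this repository (`context.repo.owner`) or whichever org the docs actually name. The bare `catch { isOrgMember = false; }` is also too broad: a 302 means the job's token is not itself a member of the queried org and cannot see private memberships, and 401/403/429/5xx mean the lookup never happened, yet every one of these closes the PR with the external-contributor message. Inspect `err.status`, treat only 404 as not-a-member, and on anything else comment without closing so a maintainer can triage. Since this runs on `pull_request_target` with a token that can write to the repository, the job should also declare a least-privilege `permissions:` block (contents: read, pull-requests: write, issues: write).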
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 16 hours ago
In general, to fix this kind of problem you explicitly declare a permissions: block either at the root of the workflow or inside each job, granting only the scopes actually needed (e.g., pull-requests: write, issues: write, contents: read). This prevents GitHub from falling back to broader repository or organization defaults.
For this specific workflow, the script only needs to: (1) check org membership (orgs scope, which is implicitly covered when the token can act on PRs in this repo) and (2) comment on and close the pull request, which requires write access to PRs and issues, plus read access to repository contents at most. The most precise and non-breaking fix is to add a permissions block under the redirect job, immediately beneath runs-on: ubuntu-latest, with the minimal necessary rights:
- contents: read (safe default read access)
- pull-requests: write (to close the PR)
- issues: write (to create a comment on the PR, which is an issues API)
No additional methods, imports, or other file changes are needed; only the YAML for this job is updated.
| @@ -7,6 +7,10 @@ | ||
| jobs: | ||
| redirect: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
| steps: | ||
| - name: Check org membership and redirect | ||
| uses: actions/github-script@v7 |
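Review bot: the job-level `permissions:` block is the right scope for what the script does (comment through the issues API, close through the pulls API), and it matters here because on `pull_request_target` the default token can write to the repository. While touching this job, pin `uses: actions/github-script@v7` to a full commit SHA with the tag in a trailing comment rather than the mutable `v7` tag: this step runs with write permissions on every externally opened PR, so a moved tag would run whatever it then points to.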
Summary
Redirects contributors away from this public repo and toward the proper contribution paths. Updates documentation and adds automated enforcement via a GitHub Actions workflow.
Changes
CONTRIBUTING.md — replaced entirely:
- foundry-samples-pr link is introduced after the join-org step, with a note explaining the 404 they'd see otherwise
- azure-ai-foundry/doc-samples references removed
README.md — Contributing section updated to match (issues welcome, contributors redirected to CONTRIBUTING.md)
.github/workflows/redirect-pull-requests.yml — new workflow that auto-closes incoming PRs with a redirect message:
- Trigger: `pull_request_target: opened`
- `microsoft` org member → redirected to `foundry-samples-pr`
Context
The private repo foundry-samples-pr is the staging repo where all sample contributions are submitted. A nightly sync publishes content to this public repo. The private repo has its own detailed CONTRIBUTING.md (see PR #46) covering access setup, branching, validation, etc.
This public-side CONTRIBUTING.md is intentionally lightweight — it redirects internal contributors to the private repo rather than duplicating instructions. The new workflow enforces this by automatically closing any PRs opened directly on this repo.
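As an added example (not the workflow code in this PR, and not maintained by the project), here is the github-script body restructured around the failure mode the description glosses over: a membership lookup that cannot decide is reported as unknown, the PR is then commented on but left open, and only a definite member or not-a-member verdict closes it. It checks the org that owns the repository rather than a hard-coded org name, assuming the job's token can see memberships in that org. The Octokit-style `github` client shape, the `links` object, and the `makeFakeGithub`/`fakeContext` helpers with their example-org names are assumptions so the code runs offline; nothing here is taken from the repository.

```javascript
// Added example; not the workflow from this PR. The membership lookup reports
// "unknown" when it cannot decide, so a failed API call no longer routes a
// genuine org member to the open-an-issue path, and an unknown verdict leaves
// the PR open instead of closing it.
//
// Assumption (hypothetical, not from the page): `github` is an Octokit-style
// client whose rest.orgs.checkMembershipForUser resolves with { status: 204 }
// for a visible member and rejects with an error carrying `.status` otherwise.

const MEMBER = 'member';
const NOT_MEMBER = 'not-member';
const UNKNOWN = 'unknown';

// Decide on the HTTP status of GET /orgs/{org}/members/{username}.
function classifyStatus(status) {
  if (status === 204) return MEMBER;      // token can see the membership
  if (status === 404) return NOT_MEMBER;  // not a member, as far as the token can see
  // 302: the requester is not itself in the org, so private members are invisible.
  // 401/403/429/5xx, or no status at all (network error): the lookup failed.
  return UNKNOWN;
}

async function classifyMembership(github, org, username) {
  try {
    const res = await github.rest.orgs.checkMembershipForUser({ org, username });
    return classifyStatus(res.status);
  } catch (err) {
    return classifyStatus(err && err.status);
  }
}

// Comment text and whether to close, per verdict. Only a definite verdict closes.
function planAction(author, verdict, links) {
  const footer = `See [CONTRIBUTING.md](${links.contributing}) for details.`;
  if (verdict === MEMBER) {
    return { close: true, body: [
      `Thanks for your contribution, @${author}!`,
      `This repository is read-only. Please submit your PR to ${links.staging} instead.`,
      footer].join('\n\n') };
  }
  if (verdict === NOT_MEMBER) {
    return { close: true, body: [
      `Thanks for your interest in contributing, @${author}!`,
      `This repository does not accept pull requests directly. Please [open an issue](${links.issues}) instead.`,
      footer].join('\n\n') };
  }
  return { close: false,
    body: `Could not verify org membership for @${author}; leaving this PR open for a maintainer to triage.` };
}

// Body of the github-script step. Checks membership in the org that owns the
// repository (context.repo.owner) rather than a hard-coded org name.
async function redirectPullRequest(github, context, links) {
  const pr = context.payload.pull_request;
  const author = pr.user.login;
  const verdict = await classifyMembership(github, context.repo.owner, author);
  const plan = planAction(author, verdict, links);
  await github.rest.issues.createComment({
    owner: context.repo.owner, repo: context.repo.repo, issue_number: pr.number, body: plan.body,
  });
  if (plan.close) {
    await github.rest.pulls.update({
      owner: context.repo.owner, repo: context.repo.repo, pull_number: pr.number, state: 'closed',
    });
  }
  return { verdict, closed: plan.close };
}

// Constructed fake client so the example runs offline. `statuses` maps a
// login to the status the membership endpoint would answer with; a login
// missing from the map simulates a network error with no status at all.
function makeFakeGithub(statuses) {
  const calls = [];
  return {
    calls,
    rest: {
      orgs: {
        async checkMembershipForUser({ username }) {
          const status = statuses[username];
          if (status === 204) return { status };
          const err = new Error(`HTTP ${status}`);
          err.status = status;
          throw err;
        },
      },
      issues: { async createComment(args) { calls.push(['comment', args]); return { status: 201 }; } },
      pulls: { async update(args) { calls.push(['close', args]); return { status: 200 }; } },
    },
  };
}

// Constructed event payload in the shape github-script exposes as `context`.
function fakeContext(login) {
  return {
    repo: { owner: 'example-org', repo: 'example-repo' },
    payload: { pull_request: { number: 1, user: { login } } },
  };
}
```

In the real workflow the step body would be `return redirectPullRequest(github, context, links)` with the three URLs filled in; the unknown path is deliberately fail-open on closing (comment, don't close) because the cost of wrongly bouncing an org member is higher than leaving one PR for a human to look at.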