Skip to content

chore(ci): add goodegg contributor scoring action#8091

Closed
bdbch wants to merge 1 commit into
mainfrom
chore/goodegg-test
Closed

chore(ci): add goodegg contributor scoring action#8091
bdbch wants to merge 1 commit into
mainfrom
chore/goodegg-test

Conversation

@bdbch

@bdbch bdbch commented Jul 16, 2026

Copy link
Copy Markdown
Member

Fixes

  • N/A

Changes and Review

Recently, we’ve seen an increase in AI-written pull requests. AI itself is not the problem, but a high number of PRs from the same contributors can come across less as genuine interest in the project and more as contribution farming.

For the long-term health of the project, I think we should prioritize contributors who are trustworthy, read and follow the guidelines, and take the time to understand an issue before submitting a quick AI-generated fix for something they were not assigned to.

Goodegg is a GitHub Action that scores contributors based on their contribution history. It looks at metrics such as how many pull requests they opened within a given timeframe, how many repositories those PRs were spread across, and how many were merged or closed.

I hope this action can help us quickly identifying if a user is just here to farm contributions or genuinely wants to improve the project.

Open for discussion.

Checklist

  • I have added a changeset if necessary.
  • I have added tests if possible.
  • I have made sure to test my changes myself.

Responsibility

  • I have reviewed and understand these changes, and I take responsibility for this PR, even if an AI agent created it.

@bdbch
bdbch requested a review from a team as a code owner July 16, 2026 13:10
@netlify

netlify Bot commented Jul 16, 2026

Copy link
Copy Markdown

Deploy Preview for tiptap-embed ready!

Name Link
🔨 Latest commit 02ff494
🔍 Latest deploy log https://app.netlify.com/projects/tiptap-embed/deploys/6a58d849393db30008781039
😎 Deploy Preview https://deploy-preview-8091--tiptap-embed.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@changeset-bot

changeset-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 02ff494

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Adds a GitHub Action that scores contributors based on their contribution history. It runs when pull requests are opened, updated, or reopened, helping identify consistent contributors and possible contribution farming.

Walkthrough

Adds a GitHub Actions workflow that runs 2ndSetAI/good-egg@v2.0.0 for opened, synchronized, and reopened pull requests using the repository’s GITHUB_TOKEN.

Changes

Good Egg workflow

Layer / File(s) Summary
Configure pull request automation
.github/workflows/good-egg.yml
Adds the score job on ubuntu-latest, grants pull-request write permission, and passes secrets.GITHUB_TOKEN to the Good Egg action.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested labels: area: ci, complexity: easy, impact: low

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the change: adding the Goodegg CI action for contributor scoring.
Description check ✅ Passed The description follows the template and explains the change, purpose, and checklist items.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

🥚 Diet Egg: HIGH Trust

Score: 81%

Score Breakdown

Component Value
Merge Rate 81% (500/614 PRs)

Top Contributions

Repository PRs Language Stars
ueberdosis/tiptap 328 TypeScript 37643
ueberdosis/tiptap-docs 109 MDX 103
ueberdosis/hocuspocus 16 TypeScript 2488
bdbch/ai-dotfiles 12 Shell 1
bdbch/rivet 8 Rust 0
tsky-dev/tsky 8 TypeScript 41
ueberdosis/y-tiptap 7 JavaScript 19
bdbch/releader 2 TypeScript 0
basecamp/omarchy 2 Shell 23961
bdbch/winget 2 TypeScript 0

@coderabbitai coderabbitai Bot added area: ci Continuous integration and build pipelines complexity: easy Small effort, well-defined scope impact: low No direct user impact labels Jul 16, 2026
@bdbch bdbch closed this Jul 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/good-egg.yml:
- Around line 11-13: Update the good-egg action reference in the workflow to an
immutable full-length commit SHA instead of the mutable v2.0.0 tag, while
preserving the existing github-token input. Also pin the action’s transitive
setup-python and good-egg dependency references to immutable versions where they
are controlled by this workflow.
- Around line 2-6: Update the workflow trigger and permissions around the
pull_request configuration to explicitly handle forked pull requests: either
provide a trusted reporting path that can post Good Egg comments for external
contributors, or clearly document that fork PRs are unsupported. Do not switch
to pull_request_target while executing untrusted action code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 66da5dff-44a3-4b3e-94ac-9419dae0f64e

📥 Commits

Reviewing files that changed from the base of the PR and between d26840f and 02ff494.

📒 Files selected for processing (1)
  • .github/workflows/good-egg.yml

Comment on lines +2 to +6
on:
pull_request:
types: [opened, synchronize, reopened]
permissions:
pull-requests: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== workflow =="
git ls-files .github/workflows/good-egg.yml docs/github-action.md
echo

echo "== workflow contents =="
cat -n .github/workflows/good-egg.yml
echo

echo "== fork-related docs search =="
rg -n -i "fork|pull_request_target|pull-request|permissions|GITHUB_TOKEN|comment" docs/github-action.md .github/workflows/good-egg.yml || true
echo

echo "== docs excerpt =="
cat -n docs/github-action.md | sed -n '1,260p'

Repository: ueberdosis/tiptap

Length of output: 945


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== workflow file =="
cat -n .github/workflows/good-egg.yml
echo

echo "== docs file search =="
rg -n -i "fork|pull_request_target|GITHUB_TOKEN|pull-requests: write|comment|unsupported" docs/github-action.md .github/workflows/good-egg.yml || true
echo

echo "== docs excerpt around matches =="
python3 - <<'PY'
from pathlib import Path
path = Path("docs/github-action.md")
lines = path.read_text().splitlines()
terms = ["fork", "pull_request_target", "GITHUB_TOKEN", "pull-requests: write", "comment", "unsupported"]
hits = []
for i, line in enumerate(lines, 1):
    if any(t.lower() in line.lower() for t in terms):
        hits.append(i)
for i in hits[:20]:
    start = max(1, i-3)
    end = min(len(lines), i+3)
    print(f"\n-- lines {start}-{end} --")
    for j in range(start, end+1):
        print(f"{j}: {lines[j-1]}")
PY

Repository: ueberdosis/tiptap

Length of output: 1349


🏁 Script executed:

#!/bin/bash
set -euo pipefail
printf 'Reading files only, no execution.\n'
for f in .github/workflows/good-egg.yml docs/github-action.md; do
  echo "=== $f ==="
  if [ -f "$f" ]; then
    nl -ba "$f" | sed -n '1,220p'
  else
    echo "missing"
  fi
done

Repository: ueberdosis/tiptap

Length of output: 268


🌐 Web query:

GitHub Actions pull_request from fork GITHUB_TOKEN read-only permissions pull-requests write documentation

💡 Result:

When a GitHub Actions workflow is triggered by a pull_request event originating from a forked repository, the GITHUB_TOKEN is automatically granted read-only permissions by default, regardless of the permissions configured in the workflow file [1][2][3]. This is a security measure designed to prevent untrusted code from a fork from accessing or modifying the base repository with write privileges [4][3]. To manage or circumvent this restriction, you have the following options: 1. Repository Settings: If you are an administrator of the repository, you can navigate to Settings > Actions > General > Workflow permissions and enable the option Send write tokens to workflows from pull requests [5][2][3]. Enabling this allows pull requests from forks to use a GITHUB_TOKEN with write permissions [5]. 2. Use pull_request_target: If you need to perform actions that require write access (such as adding labels, posting comments, or updating status checks), you can use the pull_request_target event [4][3]. Unlike the standard pull_request event, pull_request_target runs in the context of the base repository's default branch, not the commit from the fork [4][3]. Because it executes trusted code from the base repository, it is granted the repository's standard GITHUB_TOKEN permissions [4][2]. Warning: Since pull_request_target runs with elevated trust, you must exercise extreme caution. Do not use it to check out and execute code directly from the untrusted pull request, as this could lead to security vulnerabilities [4][3]. 3. Use a Personal Access Token (PAT): If you do not wish to use pull_request_target, or if you need permissions that go beyond the scope of GITHUB_TOKEN, you can use a PAT or a GitHub App token stored as a repository secret [3]. This allows the workflow to authenticate with specific, controlled permissions independent of the GITHUB_TOKEN limitations [3].

Citations:


Handle fork PRs explicitly. pull_request on forked PRs gets a read-only GITHUB_TOKEN, so Good Egg won’t be able to post comments for external contributors unless you add a trusted reporting path or clearly document that fork PRs are unsupported. Avoid switching this to pull_request_target with an untrusted action.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/good-egg.yml around lines 2 - 6, Update the workflow
trigger and permissions around the pull_request configuration to explicitly
handle forked pull requests: either provide a trusted reporting path that can
post Good Egg comments for external contributors, or clearly document that fork
PRs are unsupported. Do not switch to pull_request_target while executing
untrusted action code.

Comment on lines +11 to +13
- uses: 2ndSetAI/good-egg@v2.0.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file around the referenced lines.
git ls-files .github/workflows/good-egg.yml
cat -n .github/workflows/good-egg.yml | sed -n '1,80p'

Repository: ueberdosis/tiptap

Length of output: 549


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo=2ndSetAI/good-egg
tag=v2.0.0

echo "== tag ref =="
curl -fsSL "https://api.github.com/repos/$repo/git/refs/tags/$tag" | jq '{object_type:.object.type, object_sha:.object.sha, ref:.ref}'

echo "== tag object (if annotated) =="
tag_obj_sha="$(curl -fsSL "https://api.github.com/repos/$repo/git/refs/tags/$tag" | jq -r '.object.sha')"
tag_obj_type="$(curl -fsSL "https://api.github.com/repos/$repo/git/refs/tags/$tag" | jq -r '.object.type')"
if [ "$tag_obj_type" = "tag" ]; then
  curl -fsSL "https://api.github.com/repos/$repo/git/tags/$tag_obj_sha" | jq '{type:.object.type, commit_sha:.object.sha, tag:.tag}'
else
  echo "lightweight tag -> commit $tag_obj_sha"
fi

echo "== action.yml at tag =="
commit_sha="$(curl -fsSL "https://api.github.com/repos/$repo/git/refs/tags/$tag" | jq -r '.object.sha')"
if [ "$(curl -fsSL "https://api.github.com/repos/$repo/git/refs/tags/$tag" | jq -r '.object.type')" = "tag" ]; then
  commit_sha="$(curl -fsSL "https://api.github.com/repos/$repo/git/tags/$commit_sha" | jq -r '.object.sha')"
fi
curl -fsSL "https://raw.githubusercontent.com/$repo/$commit_sha/action.yml" | cat -n

echo "== package metadata / workflow references in repo tree =="
curl -fsSL "https://api.github.com/repos/$repo/contents?ref=$commit_sha" | jq -r '.[].name'

Repository: ueberdosis/tiptap

Length of output: 220


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo_url=https://github.com/2ndSetAI/good-egg.git
tag=v2.0.0

echo "== git refs =="
git ls-remote --tags "$repo_url" "refs/tags/$tag" "refs/tags/$tag^{}" || true

echo "== action.yml at tag =="
curl -fsSL "https://raw.githubusercontent.com/2ndSetAI/good-egg/$tag/action.yml" | cat -n | sed -n '1,220p'

echo "== package.json at tag (if present) =="
curl -fsSL "https://raw.githubusercontent.com/2ndSetAI/good-egg/$tag/package.json" | cat -n | sed -n '1,220p' || true

echo "== repo root listing at tag =="
curl -fsSL "https://api.github.com/repos/2ndSetAI/good-egg/contents?ref=$tag" | jq -r '.[].name' || true

Repository: ueberdosis/tiptap

Length of output: 3287


Pin this action to an immutable commit
2ndSetAI/good-egg@v2.0.0 is still a mutable tag, and this workflow runs with pull-requests: write. The composite action also pulls actions/setup-python@v5 and pip install 'good-egg>=2,<3', so the supply chain is still open-ended.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/good-egg.yml around lines 11 - 13, Update the good-egg
action reference in the workflow to an immutable full-length commit SHA instead
of the mutable v2.0.0 tag, while preserving the existing github-token input.
Also pin the action’s transitive setup-python and good-egg dependency references
to immutable versions where they are controlled by this workflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: ci Continuous integration and build pipelines complexity: easy Small effort, well-defined scope impact: low No direct user impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant