Merge common gating parts into composite action

[koppor]

Refactoring if the rejection workflows - to avoid code duplication

Steps to test

See workflows working :)

• https://github.com/JabRef/jabref/actions/workflows/remove-ready-for-review.yml
• https://github.com/JabRef/jabref/actions/workflows/remove-reviewers.yml

Checklist

• I own the copyright of the code submitted and I license it under the MIT license
• [/] I manually tested my changes in running JabRef (always required)
• [/] I added JUnit tests for changes (if applicable)
• [/] I added screenshots in the PR description (if change is visible to the user)
• [/] I added a screenshot in the PR description showing a library with a single entry with me as author and as title the issue number
• [/] I described the change in CHANGELOG.md in a way that can be understood by the average user (if change is visible to the user)
• [/] I checked the user documentation for up to dateness and submitted a pull request to our user documentation repository

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Extract PR gating logic into reusable composite action

✨ Enhancement

Walkthroughs

Description

• Create reusable composite action for PR gating logic
• Consolidate duplicate code from two rejection workflows
• Check maintainer permissions, CI status, and change labels
• Reduce workflow complexity and improve maintainability

Diagram

flowchart LR
  A["Duplicate gating logic<br/>in two workflows"] -->|"Extract common parts"| B["pr-gate<br/>composite action"]
  B -->|"Used by"| C["remove-ready-for-review.yml"]
  B -->|"Used by"| D["remove-reviewers.yml"]
  C -->|"Simplified"| E["Reduced code duplication"]
  D -->|"Simplified"| E

Loading

File Changes

1. .github/actions/pr-gate/action.yml ✨ Enhancement +110/-0

New composite action for PR gating checks

• New composite action that encapsulates PR gating logic
• Checks actor permissions (admin/maintain/write) to skip validation
• Evaluates CI status (Binaries and Source Code Tests checks)
• Detects "status: changes-required" label on PRs
• Posts conditional comments based on CI state or required changes

.github/actions/pr-gate/action.yml

---

2. .github/workflows/remove-ready-for-review.yml ✨ Enhancement +6/-75

Refactor to use pr-gate composite action

• Replace 69 lines of inline logic with single composite action call
• Remove duplicate maintainer permission check implementation
• Remove duplicate CI and label evaluation logic
• Simplify conditional comment posting by delegating to action
• Update step references from steps.perm and steps.eval to steps.gate

.github/workflows/remove-ready-for-review.yml

---

3. .github/workflows/remove-reviewers.yml ✨ Enhancement +6/-47

Refactor to use pr-gate composite action

• Replace 41 lines of inline logic with single composite action call
• Remove duplicate CI and label evaluation implementation
• Remove duplicate comment posting logic
• Add maintainer permission check via composite action
• Update step references from steps.eval to steps.gate

.github/workflows/remove-reviewers.yml

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (1) 📎 Requirement gaps (0)

1. gh api errors unhandled 📘 Rule violation ⛯ Reliability

Description

The composite action captures perm from a gh api call without handling non-zero exits (e.g., API
errors or missing permissions), which can fail the workflow without setting required outputs. This
reduces robustness and can lead to CI/runtime failures rather than a controlled “not a maintainer”
outcome.

Code

.github/actions/pr-gate/action.yml[R47-49]

+        user="${{ github.actor }}"
+        perm=$(gh api "repos/${{ github.repository }}/collaborators/$user/permission" --jq '.permission')
+

Evidence

Compliance requires handling likely failure points with graceful degradation and actionable context.
The new composite action runs gh api to determine permissions but does not guard against failures
(no fallback/default), so the step may terminate before producing skip-check output.

Rule 3: Generic: Robust Error Handling and Edge Case Management
.github/actions/pr-gate/action.yml[47-49]
Best Practice: Learned patterns

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The composite action uses `gh api` to fetch collaborator permission, but does not handle failures (e.g., API errors/404/rate limiting). If this command fails, the step can exit before setting `skip-check`, breaking downstream conditions.

## Issue Context
This action runs in PR gating workflows; it should degrade gracefully (treat unknown permission as non-maintainer) and keep outputs consistent even when GitHub API/gh fails.

## Fix Focus Areas
- .github/actions/pr-gate/action.yml[47-59]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Unset outputs when skipped 🐞 Bug ⛯ Reliability

Description

pr-gate wires several outputs to the conditionally-skipped eval step, so those outputs can become
empty/unset (rather than explicit false/values) whenever skip-check is true. This makes the
action’s outputs contract fragile for current/future consumers (especially pr_number/pr_url).

Code

.github/actions/pr-gate/action.yml[R19-28]

+  ci_running:
+    description: "true if relevant checks are QUEUED/IN_PROGRESS"
+    value: ${{ steps.eval.outputs.ci_running }}
+  changes_required:
+    description: "true if label 'status: changes-required' exists"
+    value: ${{ steps.eval.outputs.changes_required }}
+  pr_number:
+    value: ${{ steps.eval.outputs.pr_number }}
+  pr_url:
+    value: ${{ steps.eval.outputs.pr_url }}

Evidence

The action declares outputs ci_running, changes_required, pr_number, and pr_url as values
from steps.eval.outputs.*, but the eval step is skipped when skip-check is true, leaving those
outputs unset.

.github/actions/pr-gate/action.yml[15-28]
.github/actions/pr-gate/action.yml[61-64]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Composite action outputs (`ci_running`, `changes_required`, `pr_number`, `pr_url`) are derived from `steps.eval.outputs.*`, but `eval` is skipped when `skip-check` is true, leaving outputs empty.

### Issue Context
This makes consuming workflows brittle and violates the implied outputs contract.

### Fix Focus Areas
- .github/actions/pr-gate/action.yml[15-28]
- .github/actions/pr-gate/action.yml[61-72]

### Suggested implementation approaches (pick one)
1) **Always run eval** and inside the script short-circuit when `skip-check==true` while still setting outputs to `false` + `pr_number`/`pr_url`.
2) **Provide defaults in output expressions**, e.g. use `|| 'false'` for boolean outputs and wire `pr_number`/`pr_url` to a step that always runs.
3) Add a small always-running `init` step that sets default outputs, and have `eval` overwrite by writing to a shared mechanism (or change output wiring accordingly).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Hard-coded CI check names 🐞 Bug ✓ Correctness

Description

CI-running detection is hard-coded to only consider checks named “Binaries” or “Source Code Tests”.
If other relevant PR checks can be queued/in-progress, the workflows may allow
ready-for-review/review requests even though checks are still running (if that’s not the intended
policy).

Code

.github/actions/pr-gate/action.yml[R81-88]

+        # running checks: Binaries / Source Code Tests
+        running=$(gh pr checks "$PR" --json name,state -q \
+          '[.[] | select((.name=="Binaries" or .name=="Source Code Tests") and (.state=="IN_PROGRESS" or .state=="QUEUED"))] | length')
+        if [ "$running" -gt 0 ]; then
+          echo "ci_running=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "ci_running=false" >> "$GITHUB_OUTPUT"
+        fi

Evidence

pr-gate’s filter explicitly selects only two check names. The repo also defines other workflows that
create check runs (e.g., “Check PR Format”), which would not be considered by this gate.

.github/actions/pr-gate/action.yml[81-84]
.github/workflows/pr-format.yml[1-7]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`ci_running` is computed only from checks named `Binaries` and `Source Code Tests`. If the intent is “block while *any* meaningful PR checks are running”, this can miss other relevant checks.

### Issue Context
The repo contains other workflows that may produce check runs (e.g. `Check PR Format`).

### Fix Focus Areas
- .github/actions/pr-gate/action.yml[81-88]

### Possible fix directions
- Add an action input like `ci-check-names` (JSON array or newline-separated) and filter based on that.
- Or remove the `.name==...` constraint and detect any queued/in-progress checks, optionally excluding known non-CI checks by name.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Unneeded repo checkout 🐞 Bug ➹ Performance

Description

pr-gate performs actions/checkout, but the action only uses gh API calls and doesn’t appear to
read repository files. This adds avoidable time/network overhead to each run.

Code

.github/actions/pr-gate/action.yml[33]

+    - uses: actions/checkout@v6

Evidence

The composite action checks out the repo, but subsequent steps only call gh api, gh pr view, and
gh pr checks, indicating no dependence on workspace contents.

.github/actions/pr-gate/action.yml[33-33]
.github/actions/pr-gate/action.yml[47-49]
.github/actions/pr-gate/action.yml[73-84]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The composite action checks out the repository but doesn’t use workspace files.

### Issue Context
This gate is run for lightweight policy checks via GitHub API and comments; checkout is likely unnecessary.

### Fix Focus Areas
- .github/actions/pr-gate/action.yml[30-35]

### Suggested fix
- Remove the `actions/checkout@v6` step and verify the action still works (since it only uses `gh` commands).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more