alchemyplatform · SahilAujla · Apr 24, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
@@ -0,0 +1,90 @@
+name: Block originator self-approval on docs-agent PRs
+
+# When the docs-agent (JackReacher0807) opens a PR on behalf of someone who
+# requested the change via Slack, it includes a "Requested-by: @<github_username>"
+# trailer in the commit message. This workflow watches for approvals on those
+# PRs and dismisses any approval submitted by that user, so a docs-agent PR
+# always requires a non-originator review before merging.
+#
+# Branch protection on main only needs "Require 1 approval"; this workflow
+# ensures that 1 approval can't come from the person who originated the request.
+#
+# Why commit message and not PR body: the PR body is editable by anyone with
+# write access (including the originator), who could remove their own @mention
+# before approving. The commit message is GPG-signed by docs-agent's key
+# (AB0009C56564B53A); force-pushing to amend the trailer would either lose
+# the signature (no agent key on the originator's machine) or — if the repo
+# has "Dismiss stale pull request approvals when new commits are pushed"
+# enabled — drop existing approvals.
+#
+# Scope: this workflow does NOT affect human-authored PRs — it only fires when
+# the PR author is JackReacher0807 (the docs-agent's GitHub identity).
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  block-originator-self-approval:
+    if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'JackReacher0807'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Compare approver to originator and dismiss if same
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPROVER: ${{ github.event.review.user.login }}
+          REVIEW_ID: ${{ github.event.review.id }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          set -euo pipefail
+
+          # Pull the Requested-by trailer from commits that are BOTH:
+          #   1. Authored on GitHub by JackReacher0807 (the docs-agent), AND
+          #   2. GPG-verified by GitHub (signature matches a known key on
+          #      JackReacher0807's account)
+          #
+          # Without these two filters, a collaborator with push access to the
+          # PR branch (or maintainer-edit on a fork PR) could add a commit
+          # with a fake "Requested-by: @<other-person>" trailer to redirect
+          # the policy at someone else, then approve their own request without
+          # being dismissed. Filtering on author.login + verification.verified
+          # closes that bypass — the originator can't forge an agent-signed
+          # commit because they don't have the agent's private GPG key.
+          #
+          # `|| true` on each command substitution is critical: under pipefail,
+          # grep-no-match propagates a non-zero exit and the step aborts before
+          # the empty-attribution fallback runs.
+          COMMITS_JSON="$(gh api "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/commits" || true)"
+          REQUESTED_BY="$(printf '%s' "$COMMITS_JSON" \
+            | jq -r '.[] | select(.author.login == "JackReacher0807") | select(.commit.verification.verified == true) | .commit.message' 2>/dev/null \
+            | grep -oE 'Requested-by:[[:space:]]*@[A-Za-z0-9_-]+' \
+            | grep -oE '@[A-Za-z0-9_-]+' \
+            | head -1 \
+            | tr -d '@' \
+            || true)"
+
+          if [ -z "$REQUESTED_BY" ]; then
+            echo "No 'Requested-by:' trailer found in any commit on this PR."
+            # Post a one-time heads-up so reviewers know the rule isn't enforced
+            # for this PR. Skip if a comment already exists.
+            EXISTING="$(gh api "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
+              --jq '.[] | select(.body | startswith(":warning: docs-agent PR has no Requested-by attribution")) | .id' \
+              | head -1 || true)"
+            if [ -z "$EXISTING" ]; then
+              gh api -X POST "repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" \
+                -f body=":warning: docs-agent PR has no Requested-by attribution in any commit message. The originator-self-approval rule cannot be enforced for this PR; please apply review judgment."
+            fi
+            exit 0
+          fi
+
+          echo "Approver=$APPROVER, Originator=$REQUESTED_BY"
+
+          if [ "$APPROVER" = "$REQUESTED_BY" ]; then
+            echo "Approver is the originator. Dismissing approval $REVIEW_ID."
+            gh api -X PUT "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/reviews/$REVIEW_ID/dismissals" \
+              -f message="@$APPROVER you originated this docs request via Slack. Per the docs-agent self-review policy, the originator can't approve their own request — please ask another team member to review."
+          else
+            echo "Approver is not the originator. No action."
+          fi