
Conversation

@keithwillcode
Contributor

What does this PR do?

Updates the run-ci label validation logic to trust commits made after the label was added if they come from trusted sources:

  1. Core team members with write permission to the repo
  2. Trusted bots (devin-ai-integration[bot], cubic-dev-ai[bot]) with verified commit signatures

Previously, when the run-ci label was "stale" (added before new commits were pushed), the PR would be marked as untrusted. Now, if all commits after the label are from trusted sources, the PR remains trusted.

Security model: Bot commits must be verified (signed by GitHub) to be trusted. This prevents external contributors from spoofing bot commits by setting their git author name to a bot name - they cannot forge a verified commit signature that GitHub creates when commits are made via the GitHub API.

How should this be tested?

This is a GitHub Actions workflow change that will be tested in production when the scenario occurs:

  1. External contributor opens a PR
  2. Maintainer reviews and adds run-ci label
  3. Trusted bot (Devin or Cubic) or core team member pushes additional commits
  4. The workflow should recognize these commits as trusted and allow CI to run

Manual verification: Review the logic flow and security assumptions in the code.

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - no documentation changes needed.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works. N/A - GitHub Actions workflow changes cannot be unit tested.

Human Review Checklist

  • Verify the security model: Can an external contributor bypass this by forging a verified commit? (They shouldn't be able to)
  • Confirm the trusted bot list (devin-ai-integration[bot], cubic-dev-ai[bot]) is correct
  • Review the compareCommits API response structure assumptions (author.type, commit.verification)
  • Check edge case handling when runAtLabelTime is not found

Link to Devin run: https://app.devin.ai/sessions/dd01a0464a1445a18ded1bb9be7b59ed
Requested by: @keithwillcode
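The trust decision described above, written out as an added example in the style of an actions/github-script step. This is not the PR's own workflow code: it only mirrors the compareCommits response fields the checklist names (author.login, author.type, commit.verification.verified) and the two bot logins from the description. The use of commit.committer.date for "after the label", the injected collaborator check, and the fail-closed handling when the label time is missing are assumptions made here.

```javascript
// Added example, not the project's workflow code. Decides whether every commit
// pushed after the run-ci label was added comes from a trusted source.
// Field shapes follow the GitHub compareCommits API; the date field used and
// the fail-closed choices are assumptions.

const TRUSTED_BOTS = new Set(['devin-ai-integration[bot]', 'cubic-dev-ai[bot]']);

// Constructed stand-in for a collaborator-permission lookup. In a real
// workflow this would query the repository collaborators API (assumption).
const CORE_TEAM = new Set(['core-maintainer']);
function isCoreMember(login) {
  return CORE_TEAM.has(login);
}

// Returns a verdict string starting with 'trusted' or 'untrusted'.
function classifyCommit(commit, coreCheck) {
  const author = commit.author; // null when the commit email maps to no GitHub user
  if (!author) return 'untrusted:no-github-author';
  if (author.type === 'Bot') {
    if (!TRUSTED_BOTS.has(author.login)) return 'untrusted:unknown-bot';
    // A spoofed git author name cannot carry the signature GitHub itself
    // creates for API-made commits, so the bot path also requires
    // verification.verified === true.
    const v = commit.commit && commit.commit.verification;
    if (!v || v.verified !== true) return 'untrusted:unverified-bot-commit';
    return 'trusted:bot';
  }
  if (coreCheck(author.login)) return 'trusted:core';
  return 'untrusted:external';
}

// labelAddedAt: ISO timestamp of the run-ci label event, or null if not found.
function evaluateRunCiLabel(commits, labelAddedAt, coreCheck = isCoreMember) {
  if (!labelAddedAt) {
    // Checklist edge case: unknown label time, so fail closed.
    return { trusted: false, reason: 'label-time-not-found', untrustedCommits: [] };
  }
  const labelTime = Date.parse(labelAddedAt);
  const untrustedCommits = [];
  for (const c of commits) {
    // Commits at or before the label time were already covered by the review.
    if (Date.parse(c.commit.committer.date) <= labelTime) continue;
    const verdict = classifyCommit(c, coreCheck);
    if (!verdict.startsWith('trusted')) untrustedCommits.push({ sha: c.sha, verdict });
  }
  return {
    trusted: untrustedCommits.length === 0,
    reason: untrustedCommits.length === 0 ? 'ok' : 'untrusted-commits-after-label',
    untrustedCommits,
  };
}

// Constructed sample data shaped like compareCommits().data.commits entries.
const LABEL_ADDED_AT = '2024-05-01T12:00:00Z';
function sampleCommit(sha, login, type, date, verified) {
  return {
    sha,
    author: login === null ? null : { login, type },
    commit: { committer: { date }, verification: { verified } },
  };
}
const SAMPLE = {
  beforeLabel: sampleCommit('aaa1', 'external-dev', 'User', '2024-05-01T10:00:00Z', false),
  devinVerified: sampleCommit('bbb2', 'devin-ai-integration[bot]', 'Bot', '2024-05-01T13:00:00Z', true),
  devinSpoofed: sampleCommit('ccc3', 'devin-ai-integration[bot]', 'Bot', '2024-05-01T13:30:00Z', false),
  coreMember: sampleCommit('ddd4', 'core-maintainer', 'User', '2024-05-01T14:00:00Z', false),
  externalAfter: sampleCommit('eee5', 'external-dev', 'User', '2024-05-01T15:00:00Z', false),
  noAuthor: sampleCommit('fff6', null, null, '2024-05-01T16:00:00Z', true),
};

// Stand-alone run: a verified bot commit plus a core-team commit after the label.
console.log(JSON.stringify(
  evaluateRunCiLabel([SAMPLE.beforeLabel, SAMPLE.devinVerified, SAMPLE.coreMember], LABEL_ADDED_AT)
));
```

Two points of the design are worth noting for review. The bot branch requires both a login in the allow-list and `verification.verified === true`; a commit whose author resolves to the bot login but lacks GitHub's signature is rejected, which is exactly the spoofing case the description describes. And any situation where the inputs are incomplete (no label timestamp, a commit whose author does not resolve to a GitHub user) yields "untrusted" rather than silently passing.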

…l validation

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
