From d28c7aa5cbfaff8675c5d31f75ffc7503dbc3862 Mon Sep 17 00:00:00 2001
From: Brendan Collins <brendancol@gmail.com>
Date: Fri, 15 May 2026 13:07:54 -0700
Subject: [PATCH] ci: query collaborator API to skip maintainers in welcome
 workflow

The previous gate skipped maintainers via
github.event.pull_request.author_association. On PR #1968 that field
came through as something other than MEMBER for a maintainer's
cross-fork PR (brendancol, admin permission), so the welcome workflow
greeted them as a first-time contributor.

The same field has misreported same-repo maintainer PRs in the past;
copilot-review.yml already gates around it via head.repo == base.repo.
Apply the equivalent here and add a runtime collaborator-permission
lookup so cross-fork PRs from maintainers' personal forks are also
skipped.

The default GITHUB_TOKEN has read access to the collaborator-permission
endpoint on the repo where the workflow runs, so the call works without
additional secrets.
---
 .github/workflows/welcome-contributor.yml | 30 +++++++++++++++++------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/welcome-contributor.yml b/.github/workflows/welcome-contributor.yml
index 30b045e4e..947155385 100644
--- a/.github/workflows/welcome-contributor.yml
+++ b/.github/workflows/welcome-contributor.yml
@@ -7,19 +7,19 @@ on:
 permissions:
   pull-requests: write
   issues: read
+  contents: read
 
 jobs:
   welcome:
-    # Skip drafts and same-repo PRs (the latter sidesteps the author_association
-    # quirk where same-repo authors report as CONTRIBUTOR, per the note in
-    # copilot-review.yml). Also skip maintainers explicitly - across-fork PRs
-    # report author_association reliably.
+    # Skip drafts and same-repo PRs. The event-payload ``author_association``
+    # is unreliable across both same-repo PRs (reports CONTRIBUTOR for actual
+    # MEMBERs, per the copilot-review.yml note) and cross-fork PRs from
+    # maintainers' personal forks (also seen reporting non-MEMBER). The
+    # maintainer-skip is enforced inside the step via the collaborator
+    # permission API instead.
     if: >-
       github.event.pull_request.draft == false &&
-      github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name &&
-      github.event.pull_request.author_association != 'MEMBER' &&
-      github.event.pull_request.author_association != 'OWNER' &&
-      github.event.pull_request.author_association != 'COLLABORATOR'
+      github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     runs-on: ubuntu-latest
     steps:
       - name: Comment if no intro issue exists
@@ -29,6 +29,20 @@ jobs:
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           REPO: ${{ github.repository }}
         run: |
+          # Skip maintainers. Query the live collaborator permission API
+          # rather than trusting the event payload's author_association, which
+          # has been observed to misreport MEMBERs as plain CONTRIBUTOR on
+          # cross-fork PRs (PR #1968 welcomed an admin maintainer).
+          perm=$(gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" \
+            --jq '.permission' 2>/dev/null || echo "none")
+          echo "Collaborator permission for $PR_AUTHOR: $perm"
+          case "$perm" in
+            admin|maintain|write)
+              echo "Author is a maintainer; skipping welcome comment."
+              exit 0
+              ;;
+          esac
+
           count=$(gh issue list \
             --repo "$REPO" \
             --author "$PR_AUTHOR" \