{"id":36750337,"url":"https://github.com/octodemo/pr-gatekeeper","last_synced_at":"2026-01-12T12:43:30.216Z","repository":{"id":37818043,"uuid":"365376171","full_name":"octodemo/pr-gatekeeper","owner":"octodemo","description":"An action to perform the required checks for complex pull request approval cases","archived":false,"fork":false,"pushed_at":"2023-09-04T11:19:40.000Z","size":2201,"stargazers_count":11,"open_issues_count":16,"forks_count":6,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-11-27T09:12:09.739Z","etag":null,"topics":["backend"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/octodemo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-07T23:33:22.000Z","updated_at":"2023-09-26T20:08:00.000Z","dependencies_parsed_at":"2024-06-19T22:49:18.176Z","dependency_job_id":"85c0bc2b-8a39-482c-8926-9f928d9d3c2d","html_url":"https://github.com/octodemo/pr-gatekeeper","commit_stats":{"total_commits":156,"total_committers":5,"mean_commits":31.2,"dds":0.4294871794871795,"last_synced_commit":"8f2152cef9c25a9a10b54cd572bd82645ffd9620"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":"actions/typescript-action","purl":"pkg:github/octodemo/pr-gatekeeper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fpr-gatekeeper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fpr-gatekeeper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fpr-gatekeeper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fpr-gatekeeper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/octodemo","download_url":"https://codeload.github.com/octodemo/pr-gatekeeper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/octodemo%2Fpr-gatekeeper/sbom","scorecard":{"id":702158,"data":{"date":"2025-08-11","repo":{"name":"github.com/octodemo/pr-gatekeeper","commit":"8f2152cef9c25a9a10b54cd572bd82645ffd9620"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.2,"checks":[{"name":"Code-Review","score":3,"reason":"Found 2/6 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:16","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:15","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/octodemo/pr-gatekeeper/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/octodemo/pr-gatekeeper/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/octodemo/pr-gatekeeper/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/octodemo/pr-gatekeeper/test.yml/main?enable=pin","Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:3","Warn: npmCommand not pinned by hash: .github/workflows/test.yml:11","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"13 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-f9xv-q969-pqx4"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T05:25:42.186Z","repository_id":37818043,"created_at":"2025-08-22T05:25:42.186Z","updated_at":"2025-08-22T05:25:42.186Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338983,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backend"],"created_at":"2026-01-12T12:43:30.143Z","updated_at":"2026-01-12T12:43:30.210Z","avatar_url":"https://github.com/octodemo.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![test](https://github.com/octodemo/review-approval-action/actions/workflows/test.yml/badge.svg)](https://github.com/octodemo/review-approval-action/actions/workflows/test.yml)\n\n# PR Gatekeeper\n\nThis action is a status check to validate if specific reviewers have provided approvals within your PR workflows. Repo owners/ admins can configure the following:\n- The minimum no. of approvals needed \n- The various groups and it's members and minimum no. of approvals within each group\n- _The action currently supports only people and not GitHub teams_\n\n## How this action works\nThis action is triggered every time some change is made to the pull request (see [workflow example](#Workflow-config)). It checks whether the review and approval status of the pull request meets the policy described in the [action's config](#Action-config), and sets the result to a commit status named \"PR Gatekeeper Status\".\n\n![screenshot](./images/commit-status.png)\nYou can enforce the review policy described in [action's config](#Action-config) by setting this \"PR Gatekeeper Status\" as required in the protected branch settings.\n\n## How does it work alongside my repo's Branch Protection Rules(BPR)\nPR Gatekeeper works in tandem with Branch Protection Rules, and helps enforce more finer policy controls. \n\nBranch Protection rules checks if the configured number of people have approved the PR and if yes, returns a `pass` signal. In situations where approvals from a specific people across specific teams is needed, Branch Protection Rules are unable to enforce. This is a common enterprise usecase, where select changes need approvals from Security, Quality \u0026 Infra teams for auditory \u0026 compliance purposes.\n\n## How do I configure this to work in tandem with the repo's Branch Protection Rules(BPR)\n1. Ensure that \"PR Gatekeeper Status\" is a required status check in the Branch Protection settings.\n2. Define either the PR Gatekeeper `minimum` approvals within the [action's config](#Action-config) or in BPR's 'Required number of approvals before merging' field\n\u003cimg width=\"766\" alt=\"image\" src=\"https://user-images.githubusercontent.com/83639549/192690706-d6448d13-40c6-4dd8-9027-6b26572d7003.png\"\u003e\n3. If both of the above fields are defined, ensure that the PR Gatekeeper's minimum no. of approvals should be greater than or equal to the BPR's required no. of approvals\n\n## Configuration\n### Action config\nThe action is configured via the `approve_config.yml` file located in the `.github` subdirectory. The general format is as follows.\n```yaml\napprovals:\n  # check will fail if there is no approval\n  minimum: 1     # optional, leave blank or a value greater than or equal to the Branch Protection Rules `Required no. of approvals`\n  groups:        # optional\n    - name: frontend # This would be the first team or group of reviewers\n      minimum: 1 # optional, leaving this blank would make the review optional for this group. Uncommon, but possible\n      from:\n        - octocat1 # Ensure the username has no @ prefix\n        - octocat2 # currently, only usernames are supported, no team names\n    - name: backend\n      minimum: 2\n      from:\n        - octocat4\n        - octocat5\n```\n\n### Workflow config\n\nOnce the `approve_config.yml` file is in place, add the action to execute on every PR and then set it as a required action to start enforcing your new approval policy!\n\n```yaml\nname: 'PR Gatekeeper'\n\non:\n  pull_request:\n    types:\n      [\n        assigned,\n        unassigned,\n        opened,\n        reopened,\n        synchronize,\n        review_requested,\n        review_request_removed\n      ]\n  pull_request_review:\n\njobs:\n  pr-gatekeeper:\n    name: PR Gatekeeper\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - uses: octodemo/pr-gatekeeper@v1.0\n        with:\n          token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n# A bit of History \nThis is an action created for the 2021 INTL FS Hackathon where we decided to reimplement [Zappr](https://zappr.opensource.zalan.do/login) in the form of a GitHub Action that will perform the required checks for complex pull request approval cases that are not currently supported by the [protected branches](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#about-branch-protection-settings) feature in GitHub.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctodemo%2Fpr-gatekeeper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foctodemo%2Fpr-gatekeeper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foctodemo%2Fpr-gatekeeper/lists"}