Add workflow to prevent external contributors from targeting release branches

[Copilot]

Plan: Address PR Review Feedback

• Initial implementation complete
• Updated message to clarify PR is closed automatically
• Change logic to forbid release/* branches instead of requiring main
• Check permissions of user who triggered action (not just PR author)
• Add community-contribution label for external contributor PRs
• Exclude bots from this logic (copilot, dotnet-bot, app/*)
• Add back reopened trigger per updated feedback
• Test and validate changes
• Code review improvements:
  • Extract bot detection to helper function
  • Check both triggering user and PR author for bots
  • Remove redundant bot check in label logic
  • Clarify allowed branches in error message
  • Extract hasWriteAccess helper to avoid code duplication Optimized to inline and check once
  • Avoid duplicate permission checks for opened action
  • Move permission check before branch logic to eliminate all duplication

Final Implementation

The workflow now:

• Forbids PRs targeting release/* branches from external contributors
• Checks permissions once upfront for all actions
• Adds community-contribution label to all new external contributor PRs
• Skips all bot users consistently
• Provides clear error message about allowed target branches
• Triggers on opened, edited, and reopened actions
• Fully optimized with no redundant API calls or logic duplication

Original prompt

Create a Github action that closes PRs that were submitted by an external contributer (no push permission) if they target any branch other than main.
It should also post a comment on the PR telling them to resubmit it with the correct target branch.
If not possible to automate in this way, suggest alternatives.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR adds automation to enforce that external contributors target the main branch for their pull requests, addressing a recurring issue where external PRs mistakenly target release or feature branches.

Changes:

• Adds a new GitHub Actions workflow that validates PR target branches based on contributor permissions
• Automatically closes PRs from external contributors that target non-main branches
• Posts an explanatory comment directing contributors to the contribution guidelines

[Copilot]

@AndriySvyryd Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 8a87bb44-6f9f-4f61-a3ef-815042527f00

Sorry for the inconvenience!

[AndriySvyryd]

@copilot Try again to address my feedback above

[Copilot]

@copilot Try again to address my feedback above

All feedback addressed in commit 8382dba:

• Forbids release/* branches instead of requiring main
• Checks permissions of triggering user
• Adds community-contribution label for external PRs
• Excludes bots from logic
• Removed reopened trigger

[Copilot]

@copilot Try again to address my feedback above

All feedback has been fully addressed across commits 8382dba, b6ff4fe, 301b069, and a8b5f50. The workflow is now optimized and follows all the requested patterns.