feat: manage PR creation cap bypass list from config #135
Merged
Add a new optional `prCreationCapBypassList` field to a repository's config so maintainers can declaratively manage the set of users exempt from a repo's pull request creation cap. When the field is present, checkRepository() reconciles the repo's bypass list via the generic octokit.request() escape hatch (the pinned octokit has no typed method for the interaction-limits/pulls/bypass-list endpoint), dry-run gated and Slack-logged like the fork PR contributor approval reconciliation.
Confine the raw off-spec octokit request route strings and the single unavoidable response cast to a dedicated module, and refactor the reconciler to call the typed helpers instead.
MarshallOfSound
approved these changes
Jul 1, 2026
VerteDinde
approved these changes
Jul 1, 2026
Move the bypass-list config from a top-level `prCreationCapBypassList` field on a repository to `pr_creation_cap_bypass_list` under the repo's `settings` block, for consistency with other repository settings. This also allows the list to be defaulted org-wide via `repository_defaults`. The reconciliation now reads the desired list from the computed settings.
georgexu99
approved these changes
Jul 1, 2026
Requested by Samuel Attard · Slack thread
Before / After

Before: exempting a good-faith contributor from a repository's pull request creation cap meant clicking around in GitHub's UI, per repository, with no record in config.

After: the exemption is declared in `.permissions` config via a new `pr_creation_cap_bypass_list` key under a repository's `settings` block, and Sheriff reconciles the repo's bypass list to match. Maintainers add/remove contributors by editing config instead of clicking in the UI.

The setting is opt-in per repo: when it is absent (after merging `repository_defaults` with the repo's `settings`), Sheriff does not touch the bypass list (unmanaged). When it is present — including an empty `[]`, which clears the list — that exact set becomes the desired state. Because it lives under `settings`, it can also be defaulted org-wide via `repository_defaults`.

How

- `pr_creation_cap_bypass_list?: string[]` on `RepoSettings` (a repository's `settings`) in `src/permissions/types.ts`.
- `pr_creation_cap_bypass_list: Joi.array().items(Joi.string().min(1)).optional()` in both the `settings` and `repository_defaults` sub-schemas of `validateConfigFast()` (`src/permissions/run.ts`).
- `checkRepository()`: read the desired list from the computed settings (`repository_defaults` merged with the repo's `settings`), GET the current bypass list, diff it case-insensitively against the desired list, then add missing users and remove extra users. This uses the generic `octokit.request(...)` escape hatch because the pinned `@octokit/plugin-rest-endpoint-methods@17.0.0` (already the latest release) exposes no typed method for the `interaction-limits/pulls/bypass-list` endpoints. The change is dry-run gated (`if (!IS_DRY_RUN)`) and Slack-logged via `builder.addContext(...)`, mirroring the fork PR contributor approval reconciliation.

Per the GitHub REST docs (`apiVersion=2026-03-10`), there is no wholesale "set" operation for this list — only:

- `GET /repos/{owner}/{repo}/interaction-limits/pulls/bypass-list` (list)
- `PUT .../bypass-list` with `{ users: string[] }` (add users)
- `DELETE .../bypass-list` with `{ users: string[] }` (remove users)

so reconciliation is expressed as an add + remove diff rather than a single replace.

Notes

No octokit bump was needed or possible: `@octokit/plugin-rest-endpoint-methods@17.0.0` is the latest release and still lacks a typed method for these endpoints, hence the `octokit.request(...)` escape hatch.

🤖 Generated with Claude Code
https://claude.ai/code/session_01MRt32Rsnbd6W6CVEt4hw4k
Generated by Claude Code
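
The reconciliation rules described in the PR (unmanaged when the key is absent, `[]` clears the list, case-insensitive add/remove diff, dry-run gating) can be sketched as below. This is an added example, not code from this PR or from Sheriff; `planBypassList`, `toRequests`, the `Plan` and `PlannedRequest` types and the sample logins are hypothetical, and only the route string comes from the description.

```typescript
// Added illustration; names are hypothetical and this is not Sheriff's code.
type Plan = { managed: boolean; toAdd: string[]; toRemove: string[] };
type PlannedRequest = { route: string; users: string[] };

const BYPASS_ROUTE = '/repos/{owner}/{repo}/interaction-limits/pulls/bypass-list';

// desired === undefined means the key is absent after merging
// repository_defaults with settings: the list is unmanaged and left alone.
// desired === [] is managed and clears every existing exemption.
function planBypassList(desired: string[] | undefined, current: string[]): Plan {
  if (desired === undefined) return { managed: false, toAdd: [], toRemove: [] };
  const fold = (login: string): string => login.toLowerCase();
  const want = new Set<string>(desired.map(fold));
  const have = new Set<string>(current.map(fold));
  const toAdd: string[] = [];
  for (const login of desired) {
    // Skip users already exempt, and collapse case-variant duplicates in config.
    if (have.has(fold(login))) continue;
    have.add(fold(login));
    toAdd.push(login);
  }
  const toRemove = current.filter((login: string) => !want.has(fold(login)));
  return { managed: true, toAdd, toRemove };
}

// The API has add (PUT) and remove (DELETE) but no replace, so a plan maps to
// at most two requests. A dry run yields none, so the plan is only reported.
function toRequests(plan: Plan, dryRun: boolean): PlannedRequest[] {
  if (!plan.managed || dryRun) return [];
  const requests: PlannedRequest[] = [];
  if (plan.toAdd.length > 0) requests.push({ route: `PUT ${BYPASS_ROUTE}`, users: plan.toAdd });
  if (plan.toRemove.length > 0) requests.push({ route: `DELETE ${BYPASS_ROUTE}`, users: plan.toRemove });
  return requests;
}

// Constructed sample: config wants Alice and carol; GitHub currently has alice and bob.
const samplePlan = planBypassList(['Alice', 'carol'], ['alice', 'bob']);
console.log(samplePlan, toRequests(samplePlan, false));
```

Keeping `undefined` and `[]` distinct is the safety-relevant part: treating a missing key as an empty list would silently strip every exemption on repositories that never opted in.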