ci: pf-4128 contribution policy workflow

[cdcabrera]

What is it?

• ci: pf-4128 contribution policy workflow
  • build, workflow package audit, combined PR gatekeeper, commits, integration
  • testing, scripts testing for workflows

Notes

• workflow scripting broken out to help reviews
• the integration workflow and support scripts require being checked in before the Gatekeeper policy will pass

Updates issue/story

related #193
updates #190
pf-4128

[nicolethoen]

Took a look primarily at the copy

[nicolethoen]

Once you've addressed these items, I'll re-check your changes. Thank you for your contribution!

[nicolethoen]

All pre-checks pass! Your contribution is queued for review. Thank you for following our guidelines!

[cdcabrera]

So we ended up refactoring the messages again @nicolethoen ... it may alter your comments

1. the draft variation had to be removed, it just melted in testing
2. outside contributors received nothing in testing, no labels, no comments. what we're about to add into this is they now receive logging with the same "comments" and a "label" subset. this should improve the overall experience
3. and we ended up refactor messages after a bot reviewer implied the content was written by a soulless machine ... whoops

[dlabaj]

Looks good

[nicolethoen]

I added suggestions back with suggestions for the messages.

I tried removing 'you' and 'i' statements to make it sound more direct/actionable and a bit less first person.

[nicolethoen]

⚠️ Large changeset detected (${fileCount} files, guideline: ${fileChangeLimit}). Resolution: Smaller PRs are easier to review and merge faster. Please split these changes into focused PRs, each addressing a single concern.

[nicolethoen]

⚠️ Core file modifications detected (${coreModified.join(', ')}). Resolution: Please link the related issue in your PR description. If no issue exists, please create one first so we can discuss the approach. How to create an issue

[nicolethoen]

⚠️ Changes detected to security-sensitive files... Resolution: These files (workflows, scripts, package configuration) require a core contributor's security review before merging.

[nicolethoen]

⚠️ Changes to agent instruction guidelines detected (${guidelinesModified.join(', ')}). Resolution: Modifications to AI agent instructions require maintainer review for security and quality. Please explain your changes in the PR description, attach the related issue, and a maintainer will review.

[nicolethoen]

⚠️ Changes detected to test fixture/mock directories (${extraModified.join(', ')}). These don't match our testing structure. Resolution: Please review our testing guidelines or ask in your PR description how to structure your tests. A maintainer will provide guidance.

[cdcabrera]

This one we're going to have to tweak more... these lists we're leveraging can include both "test" and "code".

Inviting discussion on aligning to an established pattern vs creating an entirely new one based on an internal preference feels like an unresolvable thing (def way more talking than we want). I'll tweak it to remove the "I" for sure, but I'll fiddle with it

[jpuzz0]

With CODEOWNERS requiring maintainer approval on every file in this repo, what is this script catching that the existing review process doesn't already cover?

If I'm understanding this correctly, someone can submit a working, tested fix — and their build fails. Not because their code is broken, but because of which files they touched. What are they supposed to do next?

I think this is a possible scenario — a contributor adds a new MCP tool with full test coverage, updates snapshots, writes a detailed PR description by hand. They've seemingly done everything right, but because they touched 16 files, hit a few paths on the core list, and didn't preserve a hidden metadata string from the PR template — hasTell fires, CI fails, and a bot tells them their work doesn't meet "quality, security, and architectural standards." How do we expect someone to respond to that? That doesn't guide contributions — it discourages them.

[cdcabrera]

@jpuzz0 in meeting we noted #193

I recommend you review the doc updates there for the explanation you want

[nicolethoen]

Jeff raised good point. The scenario he described is real — contributor does everything right (working code, tests, snapshots) but CI fails on metadata/file count. CODEOWNERS already enforces maintainer review on every file, so automation doesn't add protection — just friction.

Some things we could consider:

• Keep warnings/labels as guidance
• Remove hard CI failure from hasTell
• Drop isPrTemplateModified and isGenModified from failure conditions
• CODEOWNERS is actual gate, let automation inform maintainer review instead of blocking it

Our own bot messaging in this PR emphasizes "starting with a conversation helps ensure your contribution is integrated smoothly." Fewer CI failure gates communicates we're open to conversation. Contributors still get all feedback and warnings — just not blocked from maintainer review.

[nicolethoen]

### 🤖 PR Quality Guidance\n +
This PR has been flagged for a **Policy Hold** to ensure alignment with quality, security, and architectural standards.\n\n +
**To resolve this hold and move forward**:\n +
- Associate updates with a GitHub issue (Step 1 of the [Contributor's Journey (https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md#step-1-start-a-conversation)).\n +
- Align changes with codebase style and remove excessive scope.\n +
- Consider splitting changes into smaller, focused PR contributions.\n\n +
Starting with a conversation helps ensure contributions are integrated smoothly.\n\n +
**Labels**: \${LABEL_NEEDS_CLEANUP}`, `${LABEL_PRECHECKS_FAIL}` \n\n+Read our contribution guidelines. This comment updates automatically.`

[nicolethoen]

### 🤖 PR Quality Guidance\n +
The following issues need to be addressed before this PR can be queued for review:\n\n +
${codeSignature.errors.map(err => - ${err}).join('\n')}\n\n +
**Labels**: \${LABEL_NEEDS_CLEANUP}` \n\n+Read our contribution guidelines. This comment updates automatically.`