Skip to content

Fix operator precedence in approval-gate environment expression#11170

Merged
sylvainsf merged 1 commit intomainfrom
fix-approval-gate-precedence
Feb 4, 2026
Merged

Fix operator precedence in approval-gate environment expression#11170
sylvainsf merged 1 commit intomainfrom
fix-approval-gate-precedence

Conversation

@sylvainsf
Copy link
Contributor

@sylvainsf sylvainsf commented Feb 4, 2026

Description

Fixes a bug introduced in PR #11169 where org members (like PR #11139 from @brooke-hamilton) were incorrectly being blocked by the approval gate.

The && operator has higher precedence than || in GitHub expressions. Without parentheses, the expression was incorrectly evaluating to 'external-contributor-approval' for ALL PRs, blocking org members.

Added parentheses to group the trusted user check so it correctly returns empty string (no approval needed) for dependabot and org members.

Type of change

  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document PR is created in the design-notes repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable
  • A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
    • Yes
    • Not applicable

@sylvainsf
Fix operator precedence in approval-gate environment expression
bd9525e 
The && operator has higher precedence than || in GitHub expressions.
Without parentheses, the expression was incorrectly evaluating to
'external-contributor-approval' for ALL PRs, blocking org members.

Fixed by adding parentheses around the trusted user check so it
correctly returns '' (empty/no environment) for dependabot and
org members (OWNER, MEMBER, COLLABORATOR).

Before (buggy):
  actor == 'dependabot[bot]' || contains(...) && '' || 'external-...'

After (fixed):
  (actor == 'dependabot[bot]' || contains(...)) && '' || 'external-...'
@sylvainsf sylvainsf requested review from a team as code owners February 4, 2026 17:53
@sylvainsf sylvainsf requested a deployment to external-contributor-approval February 4, 2026 17:53 — with GitHub Actions Waiting
@sylvainsf sylvainsf merged commit 0d8ef11 into main Feb 4, 2026
21 of 34 checks passed
@sylvainsf sylvainsf deleted the fix-approval-gate-precedence branch February 4, 2026 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sylvainsf