Merged
2 changes: 2 additions & 0 deletions .vouch.yml
@@ -0,0 +1,2 @@
vouch:
- github: edosrecki
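Review bot: line 2 (`- github: edosrecki`) records the vouch as a YAML list item in a new top-level `.vouch.yml`, and nothing in this change wires that file into a check, so the entry has no effect unless the vouch tooling reads this path. The review on this page identifies `.github/VOUCHED.td` as the list in use; add the handle there as `github:edosrecki` and drop this file.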
Comment on lines +1 to +2

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the GitHub user exists
gh api /users/edosrecki --jq '{login: .login, name: .name, created_at: .created_at}'

Repository: triggerdotdev/trigger.dev

Length of output: 229


🌐 Web query:

Vouch .vouch.yml configuration file format documentation

💡 Result:

The Vouch configuration file format (including .vouch.yml) is documented in Vouch’s docs/configuration.md. (github.com)

Key points from the documentation:

  • The config file can be YAML or JSON. (github.com)
  • Default filenames/locations:
    • In your home directory: .vouch.yml (or .vouch.json)
    • Under --base-dir / VOUCH_BASE_DIR: vouch.yml (or vouch.json) (github.com)
  • Precedence when the same setting is provided in multiple places: command-line > environment > config file. (github.com)
  • The doc includes a fully annotated sample YAML showing the expected structure and fields. (github.com)


🏁 Script executed:

#!/bin/bash
# Search for vouch-related content in the repository
echo "=== Searching for vouch references ==="
rg -i "vouch" --type-list | head -5
echo ""
echo "=== Looking for vouch files ==="
fd -i vouch
echo ""
echo "=== Searching for references to vouch in code ==="
rg -i "vouch" -A 2 -B 2

Repository: triggerdotdev/trigger.dev

Length of output: 2295


🌐 Web query:

GitHub vouch tool PR permission system

💡 Result:

Vouch’s GitHub integration doesn’t introduce a new “PR permission system” of its own—it relies on GitHub App permissions + GitHub repo settings:

  • How Vouch authenticates to GitHub: Vouch mints short‑lived (~1 hour) GitHub installation access tokens via a GitHub App installed in your org, and those tokens are scoped to only the repos the org granted the app (all repos or selected repos). If the app isn’t granted a repo, you’ll see “repository not accessible with current token scope.” [1]
  • What the token can do (including PR actions): A GitHub App’s installation token can only do what the app was granted (repo selection + permission set). GitHub also supports requesting scoped installation tokens with a reduced set of repos and/or permissions (least privilege). [2]
  • If you mean PR creation/approval by automation (Actions): GitHub has a separate org/repo setting—“Allow GitHub Actions to create and approve pull requests”—which is disabled by default; enabling it allows the workflow GITHUB_TOKEN to create/approve PRs. [3]

Practical takeaway: to let “Vouch tooling” (via its GitHub App token) create/comment/update PRs, you grant the Vouch GitHub App access to the target repos and the necessary GitHub App permissions for PR endpoints; branch protection/review rules still apply unless you explicitly allow an app to bypass them in GitHub.

Sources: [1] [2] [3]


🏁 Script executed:

#!/bin/bash
# Check vouch tool documentation and configuration format
echo "=== Looking at vouch references in CONTRIBUTING.md ==="
cat CONTRIBUTING.md | grep -A 20 "Getting vouched"
echo ""
echo "=== Search for any vouch configuration examples ==="
find . -name "*.md" -o -name "*.yml" -o -name "*.yaml" | xargs grep -l "github:" 2>/dev/null | head -10

Repository: triggerdotdev/trigger.dev

Length of output: 1148


🌐 Web query:

mitchellh vouch .vouch.yml format configuration schema

💡 Result:

In mitchellh/vouch (the trust-management tool), there isn’t a documented .vouch.yml configuration file. Configuration is done via:

  • GitHub Action inputs (per-workflow), e.g. vouched-file defaults to ".github/VOUCHED.td" in action/check-pr. [1]
  • A Trustdown vouch list file: VOUCHED.td (or .github/VOUCHED.td), which is the canonical “schema/format” the project defines. [2]

VOUCHED.td (Trustdown) format

  • # ... comments allowed
  • One handle per line (no leading @), typically sorted alphabetically
  • Optional platform prefix: platform:username (example given: github:mitchellh)
  • Denounced users are prefixed with -
  • Optional free-form details/reason after a space

Example from the README: [2]

  • username
  • platform:username
  • -platform:denounced-user
  • -platform:denounced-user reason for denouncement

If you meant a different “vouch” project (there are several), tell me which repo/link you’re using and I’ll pull that project’s .vouch.yml schema instead.


🏁 Script executed:

#!/bin/bash
# Search for vouch tool and configuration details
echo "=== Checking vouch tool GitHub repository ==="
curl -s https://api.github.com/repos/mitchellh/vouch | jq '{name, description, url}'

echo ""
echo "=== Search for VOUCHED or vouch references in trigger.dev ==="
find . -name "*VOUCH*" -o -name "*vouch*" 2>/dev/null

echo ""
echo "=== Check if there are any GitHub Actions using vouch ==="
fd -t f "\.(yml|yaml)$" .github | xargs grep -l vouch 2>/dev/null || echo "No vouch references in GitHub Actions"

Repository: triggerdotdev/trigger.dev

Length of output: 577


🌐 Web query:

mitchellh vouch tool Trustdown format VOUCHED.td vs .vouch.yml

💡 Result:

In mitchellh/vouch, the trust list is a Trustdown file (.td) named VOUCHED.td (or .github/VOUCHED.td by default). It’s a simple line-based format (optionally platform:user, denouncements prefixed with -, optional reason text after a space, # comments). [1]

.vouch.yml is not the vouch-list format used by this tool. Configuration for the GitHub Actions is done via workflow/action inputs (for example, the actions default vouched-file to .github/VOUCHED.td), not via a .vouch.yml config file. [2]

So: use VOUCHED.td for the vouch/denounce list; ignore .vouch.yml unless you’re dealing with some other unrelated “vouch” project/tooling. [1][2]

Sources:
[1] https://github.com/mitchellh/vouch (README: “Vouched File Format”, Trustdown, default lookup paths)
[2] https://raw.githubusercontent.com/mitchellh/vouch/main/action/check-issue/action.yml (action inputs showing default vouched-file: .github/VOUCHED.td)


🏁 Script executed:

#!/bin/bash
# Check the existing VOUCHED.td file format
echo "=== Existing VOUCHED.td file ==="
cat .github/VOUCHED.td

echo ""
echo "=== Check vouch workflow configuration ==="
cat .github/workflows/vouch-check-pr.yml | grep -A 5 -B 5 "vouched"

echo ""
echo "=== Check the new .vouch.yml file ==="
cat .vouch.yml

Repository: triggerdotdev/trigger.dev

Length of output: 421


Remove this file and add the contributor to .github/VOUCHED.td instead.

The repository uses mitchellh/vouch, which expects a Trustdown format file (.github/VOUCHED.td), not YAML. The correct entry should be added to the existing .github/VOUCHED.td file as:

github:edosrecki

Delete .vouch.yml and add edosrecki to .github/VOUCHED.td following the existing format.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.vouch.yml around lines 1 - 2, Remove the incorrect .vouch.yml file and
instead add the contributor entry in Trustdown format to the existing
.github/VOUCHED.td; specifically delete .vouch.yml and append an entry matching
the repository's VOUCHED.td style such as "github:edosrecki" (no YAML), ensuring
it follows the existing Trustdown formatting and placement used by the file.
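
The Trustdown rules quoted in the review above (comments, one handle per line, optional `platform:` prefix, `-` for denouncements, free-form reason after a space) are enough to check a handle against a list. The following is an added example, not part of the review comment and not code from mitchellh/vouch; the function names and sample list are constructed, and it assumes that an unprefixed handle matches any platform, that handles compare case-insensitively, and that a denouncement overrides a vouch.

```shell
#!/bin/sh
# Added example: look up a handle in a Trustdown list using only the
# format rules quoted on this page. Not the vouch tool's own logic.

# trust_status PLATFORM USER FILE -> prints vouched | denounced | unknown
trust_status() {
  awk -v want_p="$1" -v want_u="$2" '
    BEGIN { want_p = tolower(want_p); want_u = tolower(want_u); status = "unknown" }
    {
      sub(/\r$/, "")                       # tolerate CRLF line endings
      sub(/^[ \t]+/, "")                   # ignore leading whitespace
      if ($0 == "" || substr($0, 1, 1) == "#") next   # blank line or comment
      denounced = (substr($0, 1, 1) == "-")
      if (denounced) $0 = substr($0, 2)    # drop the marker; fields re-split
      handle = tolower($1)                 # text after the first space is the reason
      i = index(handle, ":")
      p = (i > 0) ? substr(handle, 1, i - 1) : ""       # optional platform prefix
      u = (i > 0) ? substr(handle, i + 1) : handle
      # Assumption: an entry without a platform prefix matches any platform.
      if (u != want_u || (p != "" && p != want_p)) next
      # Assumption: once denounced, a later vouch line does not restore trust.
      if (denounced) status = "denounced"
      else if (status != "denounced") status = "vouched"
    }
    END { print status }
  ' "$3"
}

# Constructed sample list. The last line is the YAML-shaped entry from
# .vouch.yml pasted in unchanged, to show that it does not vouch anyone.
sample_list() {
  cat <<'EOF'
# constructed sample, not the repository's real list
github:alice
bob
-github:mallory spam PRs
- github: edosrecki
EOF
}
```

Run `sample_list > /tmp/VOUCHED.td; trust_status github edosrecki /tmp/VOUCHED.td` to see that the YAML-shaped line leaves the handle `unknown`; it becomes `vouched` only once `github:edosrecki` is present on its own line.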