Allowing using request-ci label for collaborators in unapproved PRs

[rluvaton]

Hey everyone, we now can't run CI for unapproved PRs using the request-ci label

⚠  No approving reviews found 
✘  Refusing to run CI on potentially unsafe PR

I believe it was done to avoid security risks for running untrusted code in the CI but collaborators can pass that by starting the CI using ci.nodejs.org

And this is really inconvenient for collaborators

So can we change it so collaborators can run the CI using the request-ci label

[mcollina]

+1, we need a different mechanism

[aduh95]

My reasoning when implementing the security check was there was no reason for a collaborator to start a CI on an unapproved CI (likely reviews will have nits that you'd want to merge before starting CI) – and also it was simpler to not treat collaborators differently.

[atlowChemi]

My reasoning when implementing the security check was there was no reason for a collaborator to start a CI on an unapproved CI (likely reviews will have nits that you'd want to merge before starting CI) – and also it was simpler to not treat collaborators differently.

@aduh95 perhaps we could change it to start CI execution on PR with an approval, even if not on latest commits, so this way if you fixed nits etc, you don't need a re-approval?

[mcollina]

My reasoning when implementing the security check was there was no reason for a collaborator to start a CI on an unapproved CI (likely reviews will have nits that you'd want to merge before starting CI) – and also it was simpler to not treat collaborators differently.

Well, no. Myself (and many others) open PRs to verify if the change fails on all the list of environments we support. Waiting for an approval to start CI will slow development significantly, and it basically tell maintainers to start the CI manually completely defeating the purpose of the label.

[mcollina]

I recommend the change to be reverted while we find a different solution.