From 12fc57d235a28679bb339979bc224de9e605c138 Mon Sep 17 00:00:00 2001
From: Kesava Krishnan Madavan
Date: Mon, 15 Jun 2026 23:36:40 +0530
Subject: [PATCH 1/2] chore(tooling): remove validated label on each push
---
 .github/workflows/pull-request.yml | 41 ++++++++++++++++++-
 .../remove-validated-on-synchronize.yml | 41 +++++++++++++++++++
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/remove-validated-on-synchronize.yml
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index bfe2505f4..3c4b67b53 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -6,6 +6,9 @@ on:
 types: [opened, labeled, reopened, synchronize]
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -42,9 +45,39 @@ jobs:
 validate:
 name: Validate Pull Request
 runs-on: ubuntu-latest
- if: contains(toJson(github.event.pull_request.labels), 'validated')
+ if: github.event_name == 'pull_request_target'
 steps:
+ - name: Gate privileged execution for fork PRs
+ shell: bash
+ env:
+ PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+ BASE_REPO: ${{ github.repository }}
+ EVENT_ACTION: ${{ github.event.action }}
+ EVENT_LABEL: ${{ github.event.label.name || '' }}
+ HAS_VALIDATED_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'validated') }}
+ run: |
+ FROM_BASE=0
+ [ "$PR_REPO" = "$BASE_REPO" ] && FROM_BASE=1
+
+ VALIDATED=0
+ [ "$HAS_VALIDATED_LABEL" = "true" ] && VALIDATED=1
+
+ LABEL_VALIDATION_EVENT=0
+ if [ "$EVENT_ACTION" = "labeled" ] && [ "$EVENT_LABEL" = "validated" ]; then
+ LABEL_VALIDATION_EVENT=1
+ fi
+
+ if [ "$FROM_BASE" -eq 1 ] || \
+ [ "$LABEL_VALIDATION_EVENT" -eq 1 ] || \
+ { [ "$EVENT_ACTION" != "synchronize" ] && [ "$VALIDATED" -eq 1 ]; }; then
+ echo "Validation gate passed."
+ exit 0
+ fi
+
+ echo "Validation gate blocked: fork PRs require fresh 'validated' labeling after each push."
+ exit 1
+
 - name: Validate PR title safely
 uses: actions/github-script@v7
 with:
@@ -86,6 +119,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
@@ -123,6 +157,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
@@ -157,6 +192,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
@@ -191,6 +227,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
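Review bot: The privileged checkout these hunks harden still references its actions by mutable tags, at `uses: actions/checkout@v3` directly above the added `persist-credentials: false`, and the same holds for the hunks at -123, -157, -191 and, in the next chunk, -228 and -277, as well as for `actions/setup-node@v4` and `actions/github-script@v7`. In a `pull_request_target` workflow the tag is resolved at run time, so whatever the tag points at executes with the base repository's context; pinning each `uses:` to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, removes that dependency on the tag staying honest. `persist-credentials: false` is the right call here since the checkout fetches `${{ github.event.pull_request.head.sha }}`, but it only keeps the token out of `.git/config`; the steps that follow each checkout are outside these hunks, and any install or test step that runs scripts from the checked-out tree still executes fork-controlled code with whatever secrets that job is given.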
@@ -228,6 +265,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
@@ -277,6 +315,7 @@ jobs:
 uses: actions/checkout@v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ persist-credentials: false
 
 - name: Setup Node
 uses: actions/setup-node@v4
diff --git a/.github/workflows/remove-validated-on-synchronize.yml b/.github/workflows/remove-validated-on-synchronize.yml
new file mode 100644
index 000000000..565edee1e
--- /dev/null
+++ b/.github/workflows/remove-validated-on-synchronize.yml
@@ -0,0 +1,41 @@
+name: Remove Validated Label On New Push
+run-name: Remove validated label for PR #${{ github.event.pull_request.number }}
+
+on:
+ pull_request_target:
+ types: [synchronize]
+
+permissions:
+ pull-requests: write
+
+jobs:
+ remove-validated-label:
+ name: Remove reusable validated label
+ runs-on: ubuntu-latest
+ steps:
+ - name: Remove validated label from PR
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const owner = context.repo.owner;
+ const repo = context.repo.repo;
+ const pull_number = context.payload.pull_request.number;
+
+ const labels = context.payload.pull_request.labels.map((label) => label.name);
+ if (!labels.includes('validated')) {
+ core.info('No validated label found; skipping.');
+ return;
+ }
+
+ try {
+ await github.rest.issues.removeLabel({
+ owner,
+ repo,
+ issue_number: pull_number,
+ name: 'validated',
+ });
+
+ core.info('Removed validated label after synchronize event.');
+ } catch (error) {
+ core.warning(`Failed to remove validated label: ${error.message}`);
+ }
From 4d7a9683201e07328d729a7c5a2700ed44acdf68 Mon Sep 17 00:00:00 2001
From: Kesava Krishnan Madavan
Date: Tue, 16 Jun 2026 00:13:46 +0530
Subject: [PATCH 2/2] chore(tooling): do not run pr workflow on synchronize event
---
 .github/workflows/pull-request.yml | 37 ++---------------------------
 1 file changed, 2 insertions(+), 35 deletions(-)
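Review bot: The new workflow's `catch` block downgrades a failed `removeLabel` call to `core.warning(...)`, so the job ends green while the `validated` label, which is the authorisation signal for the privileged pull-request workflow, stays attached to a PR whose head has just changed. Since `reopened` and `labeled` remain triggers for pull-request.yml in the following commit, a stale label that this job failed to remove would make the next such event run CI against an unvalidated head without anyone seeing a red job here. Surface the failure instead: `core.setFailed(\`Failed to remove validated label: ${error.message}\`);`, which keeps the message and marks the run as failed so it shows up on the PR. The rest of the script is sound: it only reads the event payload and never checks out fork code, so `pull-requests: write` is the minimum it needs.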
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 3c4b67b53..dadee9368 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,12 +3,9 @@ run-name: ${{ github.actor }} is running Pull Request CI
 
 on:
 pull_request_target:
- types: [opened, labeled, reopened, synchronize]
+ types: [opened, labeled, reopened]
 workflow_dispatch:
 
-permissions:
- contents: read
-
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -45,39 +42,9 @@ jobs:
 validate:
 name: Validate Pull Request
 runs-on: ubuntu-latest
- if: github.event_name == 'pull_request_target'
+ if: contains(toJson(github.event.pull_request.labels), 'validated')
 steps:
- - name: Gate privileged execution for fork PRs
- shell: bash
- env:
- PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
- BASE_REPO: ${{ github.repository }}
- EVENT_ACTION: ${{ github.event.action }}
- EVENT_LABEL: ${{ github.event.label.name || '' }}
- HAS_VALIDATED_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'validated') }}
- run: |
- FROM_BASE=0
- [ "$PR_REPO" = "$BASE_REPO" ] && FROM_BASE=1
-
- VALIDATED=0
- [ "$HAS_VALIDATED_LABEL" = "true" ] && VALIDATED=1
-
- LABEL_VALIDATION_EVENT=0
- if [ "$EVENT_ACTION" = "labeled" ] && [ "$EVENT_LABEL" = "validated" ]; then
- LABEL_VALIDATION_EVENT=1
- fi
-
- if [ "$FROM_BASE" -eq 1 ] || \
- [ "$LABEL_VALIDATION_EVENT" -eq 1 ] || \
- { [ "$EVENT_ACTION" != "synchronize" ] && [ "$VALIDATED" -eq 1 ]; }; then
- echo "Validation gate passed."
- exit 0
- fi
-
- echo "Validation gate blocked: fork PRs require fresh 'validated' labeling after each push."
- exit 1
-
 - name: Validate PR title safely
 uses: actions/github-script@v7
 with:
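Review bot: The first hunk removes the `permissions:` / `contents: read` block that the previous commit introduced, so this `pull_request_target` workflow falls back to the repository's default `GITHUB_TOKEN` grant, which may be read-write depending on repository settings. Dropping `synchronize` from `types:` is independent of that block, so keep the two lines `permissions:` and `  contents: read` (the blank line after them can stay as well); jobs that need more can widen their own `permissions:` individually.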
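Review bot: The restored job condition `if: contains(toJson(github.event.pull_request.labels), 'validated')` is a substring match over the serialised label objects, so it is satisfied by any label whose name, description or other field merely contains the word, not only by a label named exactly `validated`. The gate being deleted in the same hunk already used the precise form; carry it over: `if: contains(github.event.pull_request.labels.*.name, 'validated')`. Separately, the label is now only cleared on `synchronize` while `reopened` remains a trigger in the first hunk; if GitHub does not emit `synchronize` for pushes to a closed PR's branch (I believe it does not), a PR that is closed, updated and reopened would reach this job with the stale label still present, so treating `reopened` like a fresh submission (for example by clearing the label on `reopened` too) would close that gap. The `Validate PR title safely` step and the rest of the job body continue outside the hunk.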