From d77b5c941e37f4037341f2bdac6ab58d7fd58745 Mon Sep 17 00:00:00 2001
From: Udit Kumar Agarwal
Date: Wed, 16 Jul 2025 10:12:58 -0700
Subject: [PATCH 1/2] [CI] Make email check workflow fail when author's email is private in Github UI (#148694)
**Problem** Currently, the email check workflow uses `git` to see email used for the last commit but the email address used when merging is actually governed by GitHub settings not what's stored in `git`. Due to this, the email check workflow passes even when the author's email is private in Github. We saw several such cases in our fork of llvm. See https://github.com/intel/llvm/issues/17675
**Solution** Try to find user's email using GH's GraphQL APIs. User's email will be null if it's hidden in the profile.
---------
Signed-off-by: Agarwal, Udit
---
.github/workflows/email-check.yaml | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 80c2025e30208..3f554441e9b1e 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -21,14 +21,30 @@ jobs: - name: Extract author email id: author + env: + GH_TOKEN: ${{ github.token }} run: | - git log -1 - echo "EMAIL=$(git show -s --format='%ae' HEAD~0)" >> $GITHUB_OUTPUT + # Use Github GraphQL APIs to get the email associated with the PR author because this takes into account the GitHub settings for email privacy. + query=' + query($login: String!) { + user(login: $login) { + email + } + }' + + PR_AUTHOR=${{ github.event.pull_request.user.login }} + + email=$(gh api graphql -f login="$PR_AUTHOR" -f query="$query" --jq '.data.user.email') + echo "EMAIL_AUTHOR_GH_UI=$email" >> "$GITHUB_OUTPUT" + # Create empty comment file echo "[]" > comments + # When EMAIL_AUTHOR_GH_UI is NULL, author's email is hidden in GitHub UI. + # In this case, we warn the user to turn off "Keep my email addresses private" + # setting in their account. - name: Validate author email - if: ${{ endsWith(steps.author.outputs.EMAIL, 'noreply.github.com') }} + if: ${{ steps.author.outputs.EMAIL_AUTHOR_GH_UI == '' }} env: COMMENT: >- ⚠️ We detected that you are using a GitHub private e-mail address to contribute to the repo.
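Review bot: `PR_AUTHOR=${{ github.event.pull_request.user.login }}` in the `Extract author email` step expands the expression into the script text before bash parses it, which is the pattern GitHub's workflow-hardening guidance asks authors to avoid for event-payload fields. Logins are limited to a narrow character set, so this is hardening rather than a demonstrated injection, but bot logins such as `dependabot[bot]` already carry shell metacharacters into the script. I would pass the value through the step's `env:` block next to `GH_TOKEN`, as `PR_AUTHOR: ${{ github.event.pull_request.user.login }}`, and delete the assignment line; the later use is already quoted as `"$PR_AUTHOR"`. The workflow's trigger and `permissions:` block lie outside this hunk, so what `github.token` can reach here cannot be confirmed from the visible lines.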
From df8156afe8b40e0552cb5251cd3175634a1d0232 Mon Sep 17 00:00:00 2001
From: "Agarwal, Udit"
Date: Wed, 16 Jul 2025 19:25:28 +0200
Subject: [PATCH 2/2] Fail the job
---
.github/workflows/email-check.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/email-check.yaml b/.github/workflows/email-check.yaml
index 3f554441e9b1e..607842cb37d74 100644
--- a/.github/workflows/email-check.yaml
+++ b/.github/workflows/email-check.yaml
@@ -55,6 +55,9 @@ jobs: [{"body" : "$COMMENT"}] EOF + # Fail this job. + false + - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 #v4.3.0 if: always() with:
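Review bot: The bare `false` added after the heredoc fails the step without writing any reason to the job log, so a contributor who opens the failed check sees only a non-zero exit. I would replace it with `echo "::error::PR author's e-mail is not public in their GitHub profile"` followed by `exit 1`, which puts the cause on the run summary. The `run:` block this sits in starts outside the hunk; the upload step below keeps `if: always()`, so the comments file is still uploaded after the failure.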