by sudo_navendu 1177 days ago
Actually, we were sure that it was spam. GitHub gives the option to "approve workflow run for first-time contributors". I guess none of the maintainers thought to approve it because they thought it might be spam. Still, a lot of time and effort was spent reviewing it.

That button was added to GitHub to protect against new bot accounts creating PRs against random projects, adding a CI step that runs a cryptominer. Now that the CI doesn't run automatically for new users without a button click, these attackers have a much harder time.

So tell your maintainers to use that button more liberally -- it mostly just exists to save GitHub money / discourage these attacks. It doesn't hurt to click it for these "CV improvement" spam PRs, and it makes rejecting the PR a lot simpler if there's a red X.

I usually just scan the list of files changed by the PR, and if it isn't changing CI stuff, I just let the actions run prior to the actual code review.
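The file-list check described in the comment above, as an added example that is not part of the thread: it reads `git diff --name-status` output for a PR and says whether the workflow run can be approved or the diff should be read first. The `CI_EXECUTED` pattern list and the function names are assumptions for illustration; the sample inputs are constructed.

```python
import fnmatch

# Paths GitHub Actions reads workflow and local action definitions from.
CI_CONFIG = (".github/workflows/*", ".github/actions/*")
# Assumption: files a typical workflow executes during a build; adjust per repo.
CI_EXECUTED = ("Makefile", "*/Makefile", "*.sh", "package.json", "*/package.json",
               "setup.py", "*/setup.py", "Dockerfile", "*/Dockerfile")


def parse_name_status(text):
    """Yield (status, [paths]) from `git diff --name-status` output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        status, *paths = line.split("\t")
        yield status, paths  # renames/copies (R100, C75) carry old and new path


def classify(path):
    """Return 'ci-config', 'ci-executed', or None for an ordinary file."""
    if any(fnmatch.fnmatchcase(path, p) for p in CI_CONFIG):
        return "ci-config"
    if any(fnmatch.fnmatchcase(path, p) for p in CI_EXECUTED):
        return "ci-executed"
    return None


def triage(name_status_text):
    """Return (verdict, findings); verdict is 'run-ci' or 'review-first'."""
    findings = []
    for status, paths in parse_name_status(name_status_text):
        for path in paths:  # check both sides of a rename
            kind = classify(path)
            if kind:
                findings.append((kind, status, path))
    return ("review-first" if findings else "run-ci"), findings


# Constructed sample inputs (not taken from a real PR).
DOCS_ONLY = "M\tREADME.md\nA\tdocs/intro.md\n"
TOUCHES_CI = ("M\tREADME.md\n"
              "R100\tdocs/build.yml\t.github/workflows/build.yml\n"
              "M\tscripts/test.sh\n")

if __name__ == "__main__":
    for name, sample in (("docs-only", DOCS_ONLY), ("touches-ci", TOUCHES_CI)):
        print(name, *triage(sample))
```

The rename case matters because a file moved into `.github/workflows/` shows up with its old path first, so a check that looks only at the first path column would miss it.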