
ci: use org members API for community label check#23343

Closed
matifali wants to merge 2 commits into main from fix/community-label-membership-api

Conversation

@matifali (Member) commented Mar 20, 2026

The author_association field on pull_request_target events can be unreliable (see actions/github-script#643), causing flaky community labeling.

Replace it with an explicit org membership check via github.rest.orgs.checkMembershipForUser() using a token that can resolve both public and private members.

@matifali matifali force-pushed the fix/community-label-membership-api branch from bb96f66 to a21625c Compare March 20, 2026 01:25
@matifali matifali changed the title fix(.github): use org members API for community label check ci: use org members API for community label check Mar 20, 2026
@matifali matifali requested review from deansheather and ethanndickson and removed request for ethanndickson March 20, 2026 02:06
@matifali matifali marked this pull request as draft March 20, 2026 02:14
Comment thread .github/workflows/contrib.yaml Outdated
@matifali matifali requested a review from ethanndickson March 20, 2026 10:05
@ethanndickson (Member) left a comment

AFAICT, this is another safe usage of pull_request_target - though I can't speak for whether we should be using cdrci here. Probably best to let jd sign off on this too.

@matifali matifali marked this pull request as ready for review March 25, 2026 13:16
- name: Add community label
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
  with:
    github-token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
Contributor commented:

@matifali are we sure that CDRCI_GITHUB_TOKEN is read-only?

@matifali (Member, Author) commented Apr 1, 2026

@deansheather owns this account, so I am not sure. But it's a good catch; it has to be read-only for our use case. Do we have another bot account (an org member) we can create a new token for?

Member commented:

It's definitely not read-only, but I can make a separate token with only the permissions we need. Just let me know what permissions are needed (and please test them with a PAT on your own account).

@matifali (Member, Author) commented Apr 8, 2026

We need to read:membership in the org, I think. I will test.

f0ssel added a commit that referenced this pull request Apr 8, 2026
Replace the flaky author_association check with an explicit org
membership API call (orgs.checkMembershipForUser) which reliably
detects both public and private org members.

author_association is unreliable because:
- It returns CONTRIBUTOR instead of MEMBER when both apply.
- It returns NONE for members with private org visibility.

This uses a dedicated CODER_ORG_READ_TOKEN secret scoped to only
read:org, avoiding the need to reuse a broader PAT. A repo admin
needs to create this token and add it as a repository secret.

Supersedes #23343.
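The membership check that the PR description and the superseding commit message describe, written out as an added example. This is not code from this PR or from the Coder repository. It is plain JavaScript so it runs offline: `octokit` is any object exposing `rest.orgs.checkMembershipForUser({ org, username })` (inside actions/github-script that is the `github` client built from the token passed via `github-token`). The org name, label name, usernames, function names and the fake client are constructed for the example.

```javascript
// Added example, not code from the PR or the Coder repository.
// Org, label and usernames below are constructed for the demonstration.
const ORG = 'coder';
const COMMUNITY_LABEL = 'community';

// GET /orgs/{org}/members/{username} (checkMembershipForUser) is documented as:
//   204 -> the user is a member; private members are visible only when the
//          token's owner is itself an org member with read:org.
//   404 -> the requester can see membership and the user is NOT a member.
//          Octokit surfaces this as a rejected promise with err.status === 404.
//   302 -> the requester is not an org member, so membership cannot be resolved.
// Only an explicit 204 counts as membership here. A 401/403 (token without
// read:org) or 5xx is an error, not "not a member": rethrow so the job fails
// instead of silently labeling a colleague as community.
async function isOrgMember(octokit, org, username) {
  try {
    const res = await octokit.rest.orgs.checkMembershipForUser({ org, username });
    return res.status === 204;
  } catch (err) {
    if (err && err.status === 404) return false;
    throw err;
  }
}

// Returns the label to add (or null) for a PR author. Only the decision is made
// here; the caller performs the label write with whatever client it has, so the
// token used for the membership lookup needs nothing beyond read:org.
async function communityLabelFor(octokit, org, username) {
  return (await isOrgMember(octokit, org, username)) ? null : COMMUNITY_LABEL;
}

// The heuristic being replaced, for contrast: per the commit message,
// author_association reports CONTRIBUTOR for members who have also
// contributed and NONE for members with private visibility, so both get
// the community label they should not.
function communityLabelFromAssociation(authorAssociation) {
  return ['MEMBER', 'OWNER'].includes(authorAssociation) ? null : COMMUNITY_LABEL;
}

// Constructed offline stand-in for the Octokit client (assumption: real
// Octokit rejects with an error carrying a numeric `status`, as modeled here).
function fakeOctokit(members, tokenHasReadOrg = true) {
  const httpError = (message, status) => Object.assign(new Error(message), { status });
  return {
    rest: {
      orgs: {
        async checkMembershipForUser({ org, username }) {
          if (org !== ORG) throw httpError('Not Found', 404);
          if (!tokenHasReadOrg) throw httpError('Resource not accessible by token', 403);
          if (members.has(username)) return { status: 204, data: undefined };
          throw httpError('Not Found', 404);
        },
      },
    },
  };
}

// Walk through the three cases from the commit message: a member who also
// contributed (CONTRIBUTOR), a private member (NONE) and a true outsider (NONE).
async function demo() {
  const client = fakeOctokit(new Set(['alice', 'bob']));
  const cases = [['alice', 'CONTRIBUTOR'], ['bob', 'NONE'], ['mallory', 'NONE']];
  for (const [user, association] of cases) {
    console.log(
      user,
      'author_association ->', communityLabelFromAssociation(association),
      '| members API ->', await communityLabelFor(client, ORG, user),
    );
  }
}

demo().catch(console.error);
```

The 403 branch is the piece to test before cutting the scoped token the thread asks for: with a PAT that lacks read:org the lookup fails loudly rather than classifying every author as community, which is the only safe failure mode for a check that gates labels.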
@matifali (Member, Author) commented Apr 8, 2026

Closing in favor of #24149.

@matifali matifali closed this Apr 8, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 8, 2026
4 participants