fix(ci): use author_association instead of org API for pr-gate

GITHUB_TOKEN lacks org-level scope, so checkMembershipForUser always fails. Switch to author_association from the webhook payload which is already available without additional API calls. Also add google-labs-jules[bot] to trusted bots list. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 17:44:12 +00:00 · 2026-02-04 17:44:12 +00:00 · 4da8722429
commit 4da8722429
parent 4fa7da2987
2 changed files with 22 additions and 19 deletions
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@ -20,16 +20,17 @@ jobs:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
          script: |
-            const { owner, repo } = context.repo;
            const author = context.payload.pull_request.user.login;
+            const association = context.payload.pull_request.author_association;

-            try {
-              await github.rest.orgs.checkMembershipForUser({
-                org: owner,
-                username: author,
-              });
-            } catch {
-              core.info(`${author} is not an org member — skipping auto-merge`);
+            // Trusted bot accounts (act as org members)
+            const trustedBots = ['google-labs-jules[bot]'];
+            const isTrustedBot = trustedBots.includes(author);
+
+            // Check author association from webhook payload (no API call needed)
+            const trusted = ['MEMBER', 'OWNER', 'COLLABORATOR'];
+            if (!isTrustedBot && !trusted.includes(association)) {
+              core.info(`${author} is ${association} — skipping auto-merge`);
              return;
            }

--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@ -15,19 +15,21 @@ jobs:
        uses: actions/github-script@v7
        with:
          script: |
-            const { owner, repo } = context.repo;
            const author = context.payload.pull_request.user.login;
+            const association = context.payload.pull_request.author_association;

-            // Check if author is an org member
-            try {
-              await github.rest.orgs.checkMembershipForUser({
-                org: owner,
-                username: author,
-              });
-              core.info(`${author} is an org member — gate passed`);
+            // Trusted bot accounts (act as org members)
+            const trustedBots = ['google-labs-jules[bot]'];
+            if (trustedBots.includes(author)) {
+              core.info(`${author} is a trusted bot — gate passed`);
+              return;
+            }
+
+            // Check author association from webhook payload (no API call needed)
+            const trusted = ['MEMBER', 'OWNER', 'COLLABORATOR'];
+            if (trusted.includes(association)) {
+              core.info(`${author} is ${association} — gate passed`);
              return;
-            } catch {
-              core.info(`${author} is not an org member — checking for label`);
            }

            // Check for external-approved label
@ -38,5 +40,5 @@ jobs:
            }

            core.setFailed(
-              `External PR from ${author} requires an org member to add the "external-approved" label before merge.`
+              `External PR from ${author} (${association}) requires an org member to add the "external-approved" label before merge.`
            );