GITHUB_TOKEN lacks org-level scope, so checkMembershipForUser always fails. Switch to author_association from the webhook payload which is already available without additional API calls. Also add google-labs-jules[bot] to trusted bots list. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
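name: PR Gate

# Gate for pull requests from outside the organisation. A PR passes only when
# its author is an org MEMBER/OWNER or a repo COLLABORATOR, is a trusted bot
# account, or an org member has applied the "external-approved" label.
#
# The workflow runs on pull_request_target so the job has a base-repo token
# even for fork PRs. That is safe here ONLY because the job never checks out
# or executes anything from the PR head -- it reads the webhook payload and
# nothing else. Do not add a checkout of github.event.pull_request.head.sha
# or run PR-controlled scripts in this job.
on:
  pull_request_target:
    # `unlabeled` is included so that removing "external-approved" re-runs the
    # gate (and fails it) instead of leaving a stale passing status behind.
    types: [opened, synchronize, reopened, labeled, unlabeled]

# Least privilege: the script only reads the event payload.
permissions:
  contents: read

jobs:
  org-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership or approval label
        uses: actions/github-script@v7
        with:
          script: |
            const pr = context.payload.pull_request;
            const author = pr.user.login;
            // author_association is computed by GitHub relative to the BASE
            // repository and cannot be influenced by the PR author, unlike
            // anything in the PR head. Possible values include OWNER, MEMBER,
            // COLLABORATOR, CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, FIRST_TIMER,
            // NONE -- no API call (and no org-scoped token) is needed.
            const association = pr.author_association;
            const action = context.payload.action;

            // Trusted bot accounts (act as org members). GitHub reserves the
            // "[bot]" login suffix for app installations, so a human cannot
            // register such a login; user.type === 'Bot' is checked as well
            // for defence in depth.
            const trustedBots = ['google-labs-jules[bot]'];
            if (trustedBots.includes(author) && pr.user.type === 'Bot') {
              core.info(`${author} is a trusted bot — gate passed`);
              return;
            }

            // Trust by association. Note that COLLABORATOR covers outside
            // collaborators with direct repo access, not only org members;
            // CONTRIBUTOR (has had commits merged before) is deliberately NOT
            // trusted.
            const trusted = ['MEMBER', 'OWNER', 'COLLABORATOR'];
            if (trusted.includes(association)) {
              core.info(`${author} is ${association} — gate passed`);
              return;
            }

            // Manual approval via label. Only users with triage/write access
            // can apply labels, so the label's presence is itself the approval.
            const labels = pr.labels.map((l) => l.name);
            if (labels.includes('external-approved')) {
              // The label is not tied to a commit SHA: it survives new pushes.
              // Without this check an external author could get the label on
              // a benign head, then push further commits that are never
              // re-reviewed. Fail on `synchronize` so an org member must
              // re-review and re-apply the label for the new head.
              if (action === 'synchronize') {
                core.setFailed(
                  `New commits were pushed to external PR from ${author} after "external-approved" was applied; ` +
                  `an org member must re-review, then remove and re-add the "external-approved" label.`
                );
                return;
              }
              core.info('external-approved label present — gate passed');
              return;
            }

            core.setFailed(
              `External PR from ${author} (${association}) requires an org member to add the "external-approved" label before merge.`
            );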