@@ -24,26 +24,27 @@ jobs:
2424 universe
2525 rerun
2626
27- - name : Check if commenter is org member
27+ - name : Check if commenter has write access
2828 id : check-member
2929 env :
3030 GH_TOKEN : ${{ steps.app-token.outputs.token }}
3131 run : |
3232 COMMENTER="${{ github.event.comment.user.login }}"
33- ORG="${{ github.repository_owner }}"
34- # Check if user is a member of the org that owns this repo
35- # This returns 204 for members, 404 for non-members
36- HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
37- -H "Authorization: Bearer $GH_TOKEN" \
38- -H "Accept: application/vnd.github+json" \
39- "https://api.github.com/orgs/$ORG/members/$COMMENTER")
33+ REPO="${{ github.repository }}"
4034
41- if [ "$HTTP_CODE" = "204" ]; then
35+ # Check if user has write or admin permission on this repo
36+ # This works for both user-owned and org-owned repositories
37+ PERMISSION=$(gh api "repos/$REPO/collaborators/$COMMENTER/permission" \
38+ --jq '.permission' 2>/dev/null || echo "none")
39+
40+ echo "User $COMMENTER has permission: $PERMISSION"
41+
42+ if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "write" ]; then
4243 echo "authorized=true" >> $GITHUB_OUTPUT
43- echo "User $COMMENTER is authorized"
44+ echo "User $COMMENTER is authorized (permission: $PERMISSION) "
4445 else
4546 echo "authorized=false" >> $GITHUB_OUTPUT
46- echo "User $COMMENTER is NOT authorized (HTTP $HTTP_CODE )"
47+ echo "User $COMMENTER is NOT authorized (permission: $PERMISSION )"
4748 fi
4849
4950 - name : Post unauthorized message
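Review bot: The `2>/dev/null || echo "none"` on the `gh api` call (new lines 37–38) makes an API failure — an expired or under-scoped App token, a rate limit, a wrong repo path — indistinguishable from a genuine `none`, so the step still fails closed but logs the misleading `User X has permission: none` with no diagnostic of why. Keep the fail-closed default but let stderr reach the job log and use a distinct sentinel, e.g. `--jq '.permission' || echo "lookup-failed")`, so an operator can tell a denied commenter from a broken credential. As far as I know `.permission` is the coarse four-value field (`admin`/`write`/`read`/`none`) in which maintain collapses to `write` and triage to `read`, so comparing against `admin` and `write` is the right pair; a one-line comment saying so would stop a later edit from switching to the finer `role_name` field without adjusting the comparison. If the space before the closing quote in `is authorized (permission: $PERMISSION) "` is in the file rather than a rendering artifact, drop it. The enclosing `jobs:` block starts before the hunk.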