Skip to content

Enable automatic workflow approval for Liatrio Labs organization members #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Enable automatic workflow approval for Liatrio Labs organization members #22

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
fce9ad5
Enable automatic workflow approval for Liatrio Labs organization members
iaminawe Oct 24, 2025
215cc73
Use ORG_MEMBER_CHECK_TOKEN for organization membership verification
iaminawe Oct 24, 2025
4c5cdc9
Refactor authorization logic into reusable composite action
iaminawe Oct 24, 2025
2ab5a28
Merge branch 'main' into workflow-org-member-approval
iaminawe Oct 24, 2025
a4a675f
Update .github/actions/check-org-membership/action.yml
iaminawe Oct 27, 2025
006097d
Add explicit permissions block to check-org-membership jobs
iaminawe Oct 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 50 additions & 13 deletions .github/workflows/claude.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,33 +11,70 @@
types: [submitted]

jobs:
claude:
timeout-minutes: 10
concurrency:
group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
# Check if the user is a member of liatrio-labs organization
check-org-membership:
runs-on: ubuntu-latest
if: |
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '@claude')
) || (
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '@claude')
) || (
github.event_name == 'pull_request_review' &&
github.event.review.body != null &&
contains(github.event.review.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
contains(github.event.review.body, '@claude')
) || (
github.event_name == 'issues' &&
(
(github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
contains(github.event.issue.title, '@claude')
) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
)
)
outputs:
is-authorized: ${{ steps.check.outputs.authorized }}
steps:
- name: Check authorization
id: check
env:
GH_TOKEN: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
run: |
ACTOR="${{ github.actor }}"
# Check if user is a repo collaborator/owner/member first
if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
AUTHOR_ASSOC="${{ github.event.review.author_association }}"
elif [[ "${{ github.event_name }}" == "issues" ]]; then
AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
fi
if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
echo "User is authorized via author_association: $AUTHOR_ASSOC"
echo "authorized=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Check if user is a member of liatrio-labs organization
if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
echo "User is authorized as liatrio-labs organization member"
echo "authorized=true" >> "$GITHUB_OUTPUT"
else
echo "User is not authorized"
echo "authorized=false" >> "$GITHUB_OUTPUT"
fi
claude:
needs: check-org-membership
if: needs.check-org-membership.outputs.is-authorized == 'true'
timeout-minutes: 10
concurrency:
group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down
63 changes: 50 additions & 13 deletions .github/workflows/opencode-gpt-5-codex.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,33 +11,70 @@
types: [submitted]

jobs:
opencode:
timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
concurrency:
group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
# Check if the user is a member of liatrio-labs organization
check-org-membership:
runs-on: ubuntu-latest
if: |
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '/oc-codex')
) || (
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '/oc-codex')
) || (
github.event_name == 'pull_request_review' &&
github.event.review.body != null &&
contains(github.event.review.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
contains(github.event.review.body, '/oc-codex')
) || (
github.event_name == 'issues' &&
(
(github.event.issue.body != null && contains(github.event.issue.body, '/oc-codex')) ||
contains(github.event.issue.title, '/oc-codex')
) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
)
)
outputs:
is-authorized: ${{ steps.check.outputs.authorized }}
steps:
- name: Check authorization
id: check
env:
GH_TOKEN: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
run: |
ACTOR="${{ github.actor }}"
# Check if user is a repo collaborator/owner/member first
if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
AUTHOR_ASSOC="${{ github.event.review.author_association }}"
elif [[ "${{ github.event_name }}" == "issues" ]]; then
AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
fi
if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
echo "User is authorized via author_association: $AUTHOR_ASSOC"
echo "authorized=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Check if user is a member of liatrio-labs organization
if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
echo "User is authorized as liatrio-labs organization member"
echo "authorized=true" >> "$GITHUB_OUTPUT"
else
echo "User is not authorized"
echo "authorized=false" >> "$GITHUB_OUTPUT"
fi
opencode:
needs: check-org-membership
if: needs.check-org-membership.outputs.is-authorized == 'true'
timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
concurrency:
group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down