
Commit 5b4d463

committed
fix: use org-scoped app token for reliable CLA membership check
1 parent 251ac3a commit 5b4d463

1 file changed

Lines changed: 17 additions & 4 deletions


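--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -22,21 +22,34 @@ jobs:
 app-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
 owner: blacklanternsecurity
-repositories: CLA
 
 - name: Check org membership
 id: membership
-if: github.event_name == 'pull_request_target'
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: |
-AUTHOR="${{ github.event.pull_request.user.login }}"
-if gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
+if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+AUTHOR="${{ github.event.pull_request.user.login }}"
+else
+PR_NUM="${{ github.event.issue.number }}"
+AUTHOR=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUM" --jq '.user.login' 2>/dev/null)
+fi
+if [ -n "$AUTHOR" ] && gh api "orgs/blacklanternsecurity/members/$AUTHOR" > /dev/null 2>&1; then
 echo "is_member=true" >> "$GITHUB_OUTPUT"
 else
 echo "is_member=false" >> "$GITHUB_OUTPUT"
 fi
 
+- name: Skip CLA for org members
+if: steps.membership.outputs.is_member == 'true' && github.event_name == 'pull_request_target'
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+gh api --method POST "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \
+-f state=success \
+-f context="CLAAssistant" \
+-f description="CLA check skipped — author is an org member"
+
 - name: "CLA Assistant"
 if: |
 (steps.membership.outputs.is_member != 'true') &&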
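Review bot: Dropping `repositories: CLA` from the app-token step widens the token: with `owner` set and no repository list, the action (as far as its documented behaviour goes) issues a token for every repository the app installation can reach, and that token is then exported to a shell step in a `pull_request_target` workflow. If the membership lookup is the only thing this token is needed for, narrow it by permission instead, e.g. `permission-members: read` on the token step where the action version in use supports per-permission inputs; the `uses:` line and any later consumer of the token are outside the hunk, so confirm what else depends on it. In the same `run:` block, `${{ github.event.pull_request.user.login }}` is still expanded into the script text, and passing it through `env:` (`PR_AUTHOR: ${{ github.event.pull_request.user.login }}`, then `AUTHOR="$PR_AUTHOR"`) keeps event data out of the shell source. Any failure of the lookup yields `is_member=false`, which is the safe direction here and deserves a one-line comment saying that it is deliberate.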
