Skip to content

Commit 952a541

Browse files
authored
ci: gate Bonk on author_association instead of an org-membership API call (#198)
Both Bonk workflows previously authorized the triggering user with a dedicated step that called the GitHub API at /orgs/cloudflare/members/{user}. That required provisioning and storing a READ_ONLY_ORG_GITHUB_TOKEN secret and cost an extra API round-trip on every invocation. The webhook payload already carries what we need: author_association describes the actor's relationship to the repository, is populated by GitHub itself (so the commenter can't forge it), and reports MEMBER for organization members regardless of whether their membership is public. Gating each job's `if:` on that field lets us drop the extra step and the token entirely. This admits MEMBER, OWNER, and COLLABORATOR. COLLABORATOR is broader than the old org-membership check: it also includes outside collaborators who have been granted access to this repository without being part of the Cloudflare org. That is intentional -- anyone trusted with collaborator access on the repo should be able to invoke Bonk -- but it is a real widening of the trust boundary relative to the previous behavior, and worth calling out, since these jobs run with contents/issues/ pull-requests write and the Cloudflare AI Gateway secrets. READ_ONLY_ORG_GITHUB_TOKEN is no longer referenced by any workflow and can be deprovisioned.
1 parent 9c9ef01 commit 952a541

2 files changed

Lines changed: 14 additions & 34 deletions

File tree

.github/workflows/bonk-pr-review.yml

Lines changed: 6 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,12 @@ jobs:
99
# Skip Version Packages PRs (auto-generated by the changesets action) since they don't need a Bonk review
1010
if: |
1111
github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name &&
12-
!(github.event.pull_request.base.repo.owner.login == 'cloudflare' && github.event.pull_request.head.ref == 'changeset-release/main')
12+
!(github.event.pull_request.base.repo.owner.login == 'cloudflare' && github.event.pull_request.head.ref == 'changeset-release/main') &&
13+
(
14+
github.event.pull_request.author_association == 'MEMBER' ||
15+
github.event.pull_request.author_association == 'COLLABORATOR' ||
16+
github.event.pull_request.author_association == 'OWNER'
17+
)
1318
runs-on: ubuntu-latest
1419
timeout-minutes: 30
1520
concurrency:
@@ -21,22 +26,6 @@ jobs:
2126
issues: write
2227
pull-requests: write
2328
steps:
24-
- name: Check if PR author is Cloudflare org member
25-
run: |
26-
STATUS=$(gh api \
27-
-H "Accept: application/vnd.github+json" \
28-
-H "X-GitHub-Api-Version: 2022-11-28" \
29-
"/orgs/cloudflare/members/${PR_AUTHOR}" \
30-
--silent -i 2>/dev/null | head -1 | awk '{print $2}') || true
31-
if [ "$STATUS" != "204" ]; then
32-
echo "User ${PR_AUTHOR} is not a member of the Cloudflare organization"
33-
exit 1
34-
fi
35-
echo "User ${PR_AUTHOR} is a Cloudflare org member"
36-
env:
37-
GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }}
38-
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
39-
4029
- name: Checkout repository
4130
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4231
with:

.github/workflows/bonk.yml

Lines changed: 8 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,14 @@ concurrency:
1212

1313
jobs:
1414
bonk:
15-
if: github.event.sender.type != 'Bot' && (contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk'))
15+
if: >-
16+
github.event.sender.type != 'Bot' &&
17+
(contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk')) &&
18+
(
19+
github.event.comment.author_association == 'MEMBER' ||
20+
github.event.comment.author_association == 'COLLABORATOR' ||
21+
github.event.comment.author_association == 'OWNER'
22+
)
1623
runs-on: ubuntu-latest
1724
timeout-minutes: 60
1825
permissions:
@@ -21,22 +28,6 @@ jobs:
2128
issues: write
2229
pull-requests: write
2330
steps:
24-
- name: Check if comment author is Cloudflare org member
25-
run: |
26-
STATUS=$(gh api \
27-
-H "Accept: application/vnd.github+json" \
28-
-H "X-GitHub-Api-Version: 2022-11-28" \
29-
"/orgs/cloudflare/members/${COMMENT_AUTHOR}" \
30-
--silent -i 2>/dev/null | head -1 | awk '{print $2}') || true
31-
if [ "$STATUS" != "204" ]; then
32-
echo "User ${COMMENT_AUTHOR} is not a member of the Cloudflare organization"
33-
exit 1
34-
fi
35-
echo "User ${COMMENT_AUTHOR} is a Cloudflare org member"
36-
env:
37-
GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }}
38-
COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
39-
4031
- name: Checkout repository
4132
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4233
with:

0 commit comments

Comments
 (0)