ci: Restrict maintainer check to admin/maintain roles

stephanie-anderson · claude · stephanie-anderson · commit 0ab97fea5722 · 2026-03-27T09:42:47.000+01:00
Everyone at Sentry has write access to this repo, so write-level
permission is too broad for the maintainer bypass. Only users with
admin or maintain roles should skip the contribution validation.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/close-unvetted-pr.yml b/.github/workflows/close-unvetted-pr.yml
@@ -29,24 +29,24 @@ jobs:
             const prAuthor = pullRequest.user.login;
             const contributingUrl = `https://github.com/${repo.owner}/${repo.repo}/blob/master/CONTRIBUTING.md`;
 
-            // --- Helper: check if a user has write+ permission on a repo ---
-            async function hasWriteAccess(owner, repoName, username) {
+            // --- Helper: check if a user has admin or maintain permission on a repo ---
+            async function isMaintainer(owner, repoName, username) {
               try {
                 const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
                   owner,
                   repo: repoName,
                   username,
                 });
-                return ['admin', 'maintain', 'write'].includes(data.permission);
+                return ['admin', 'maintain'].includes(data.permission);
               } catch {
                 return false;
               }
             }
 
-            // --- Step 1: Check if PR author is a maintainer ---
-            const isMaintainer = await hasWriteAccess(repo.owner, repo.repo, prAuthor);
-            if (isMaintainer) {
-              core.info(`PR author ${prAuthor} has write+ access. Skipping.`);
+            // --- Step 1: Check if PR author is a maintainer (admin or maintain role) ---
+            const authorIsMaintainer = await isMaintainer(repo.owner, repo.repo, prAuthor);
+            if (authorIsMaintainer) {
+              core.info(`PR author ${prAuthor} has admin/maintain access. Skipping.`);
               return;
             }
             core.info(`PR author ${prAuthor} is not a maintainer.`);
@@ -187,7 +187,7 @@ jobs:
 
                 for (const user of usersToCheck) {
                   if (user === prAuthor) continue;
-                  if (await hasWriteAccess(ref.owner, ref.repo, user)) {
+                  if (await isMaintainer(ref.owner, ref.repo, user)) {
                     maintainerParticipated = true;
                     core.info(`Maintainer ${user} participated in ${ref.owner}/${ref.repo}#${ref.number}.`);
                     break;
