fix: add ORG_READ_TOKEN support for detecting private microsoft org members #603
Closed
brandom-msft wants to merge 1 commit into
Conversation
…embers Users like geabdluca (#601) who are Microsoft employees but have private microsoft org membership and are not in the microsoft-foundry org slip through all three signals in the current cascade.

This adds support for an optional ORG_READ_TOKEN repository secret — a PAT with read:org scope from a microsoft org member. When configured, Signal 3 uses this token to see all microsoft org members (including private). Without the secret, behavior is unchanged (falls back to GITHUB_TOKEN which only sees public members).

To activate: create a classic PAT with read:org scope, then add it as a repository secret named ORG_READ_TOKEN.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
👋 Thanks for your contribution, @brandom-msft! This repository is read-only. As a Microsoft contributor, please submit your PR to the private staging repository instead: See CONTRIBUTING.md for full instructions.
Problem

Users like geabdluca (#601) are Microsoft employees and members of both `microsoft-foundry` and `microsoft` orgs, yet the workflow classified them as external.

Root cause: The `GITHUB_TOKEN` cannot read org membership for any org — even the repo's own org (`microsoft-foundry`). It only sees public members. The workflow permissions block (`pull-requests: write`) restricts the token to only that scope, and there is no `organization` permission available in GitHub Actions workflows. Users with private org membership in both orgs (like geabdluca) fail all signals.

The previous `brandom-msft` detection worked only because that account has public `microsoft` org membership.

Fix

Add support for an `ORG_READ_TOKEN` repository secret (a PAT with `read:org` scope from a `microsoft` org member). This token is used for all org membership checks:

- `microsoft-foundry` org membership (via `ORG_READ_TOKEN`)
- `microsoft` org membership (via `ORG_READ_TOKEN`)
- `GITHUB_TOKEN` — repo-level, no org permission needed

Without the secret, behavior is unchanged (falls back to `GITHUB_TOKEN`, public members only).

How to activate

After merging:

- `microsoft` org member account with the `read:org` scope
- `ORG_READ_TOKEN` in foundry-samples settings

Changes

redirect-pull-requests.yml: Create a shared `orgOctokit` client (PAT-backed when available), use it for both org checks. Collaborator check stays on default token. Added logging for which token is in use.
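An added example, not code from this PR or the foundry-samples workflow, that models the cascade the description above explains in JavaScript (the language of an actions/github-script step): both org checks share a client backed by `ORG_READ_TOKEN` when that secret is set and fall back to `GITHUB_TOKEN` otherwise, the collaborator check always stays on `GITHUB_TOKEN`, and the chosen token is logged. A constructed fake client stands in for Octokit so the private-member case from #601 runs offline; the signal order (foundry org, then collaborator, then microsoft org as Signal 3), the fixture user names and the token strings are assumptions.

```javascript
// Added example, not the workflow's own code: the token cascade the PR describes. Org checks
// use a client backed by ORG_READ_TOKEN when set, else GITHUB_TOKEN (public members only);
// the collaborator check stays on GITHUB_TOKEN. Fake clients stand in for Octokit (204/404).

function selectOrgToken(env) {  // the PR also logs which token is in use
  if (env.ORG_READ_TOKEN) return { token: env.ORG_READ_TOKEN, source: 'ORG_READ_TOKEN' };
  return { token: env.GITHUB_TOKEN, source: 'GITHUB_TOKEN' };
}
// 404 means "not a member" OR "member but not visible to this token": both read as false.
async function notFoundAsFalse(promise) {
  try { await promise; return true; }
  catch (err) { if (err.status === 404) return false; throw err; }
}
// Signal order is assumed: foundry org, then collaborator, then microsoft org (Signal 3).
async function classifyAuthor({ env, makeClient, owner, repo, username }) {
  const { token, source } = selectOrgToken(env);
  const orgClient = makeClient(token);             // shared client for both org checks
  const repoClient = makeClient(env.GITHUB_TOKEN); // collaborator check stays on default token
  console.log(`org membership checks use ${source}`);
  const member = (org) => notFoundAsFalse(orgClient.rest.orgs.checkMembershipForUser({ org, username }));
  if (await member('microsoft-foundry')) return { internal: true, signal: 1, source };
  if (await notFoundAsFalse(repoClient.rest.repos.checkCollaborator({ owner, repo, username })))
    return { internal: true, signal: 2, source };
  if (await member('microsoft')) return { internal: true, signal: 3, source };
  return { internal: false, signal: 0, source };
}

// Constructed fixture of what each token can see: 'priv-user' is a private member of both
// orgs (the #601 case), 'pub-user' a public microsoft member, 'collab-user' a collaborator.
const VISIBLE = {
  'pat-read-org': { 'microsoft-foundry': ['priv-user'], microsoft: ['priv-user', 'pub-user'] },
  'ghs-token':    { 'microsoft-foundry': [],            microsoft: ['pub-user'] },
};
function makeFakeClient(token) {
  const seen = VISIBLE[token] || {};
  const notFound = () => Promise.reject(Object.assign(new Error('Not Found'), { status: 404 }));
  const ok = () => Promise.resolve({ status: 204 });
  return { rest: {
    orgs: { checkMembershipForUser: ({ org, username }) => ((seen[org] || []).includes(username) ? ok() : notFound()) },
    repos: { checkCollaborator: ({ username }) => (username === 'collab-user' ? ok() : notFound()) },
  } };
}

// The #601 scenario with and without the secret; returns both classifications.
async function demo(username = 'priv-user') {
  const base = { makeClient: makeFakeClient, owner: 'microsoft-foundry', repo: 'foundry-samples', username };
  const without = await classifyAuthor({ ...base, env: { GITHUB_TOKEN: 'ghs-token' } });
  const withPat = await classifyAuthor({ ...base, env: { GITHUB_TOKEN: 'ghs-token', ORG_READ_TOKEN: 'pat-read-org' } });
  return { without, withPat };
}
```

Running `demo()` shows the private member classified as external on `GITHUB_TOKEN` alone and as internal via the foundry org once the PAT-backed client is in use, while a public microsoft member is caught by Signal 3 either way.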