From f12a17a758b0fd809501f9f9f40adc1b9051c1d1 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 16:27:21 -0500 Subject: [PATCH 01/13] feat: Add reusable workflow to check external contributor status Add a new reusable workflow that checks if a PR creator is a member of a specified GitHub team. If the creator is not a member, the workflow automatically adds a configurable label (defaults to "external contributor") to the PR. This workflow enables repositories to easily identify and track external contributions. Co-Authored-By: Claude Opus 4.6 --- .../workflows/check-external-contributor.yml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/check-external-contributor.yml diff --git a/.github/workflows/check-external-contributor.yml b/.github/workflows/check-external-contributor.yml new file mode 100644 index 0000000..3f4cb67 --- /dev/null +++ b/.github/workflows/check-external-contributor.yml @@ -0,0 +1,56 @@ +name: Check External Contributor + +on: + workflow_call: + inputs: + github_team_slug: + type: string + required: true + description: "GitHub team slug to check membership against (e.g., 'devs')" + label_name: + type: string + required: false + default: "external contributor" + description: "Label to add to PR if creator is not in the team" + secrets: + GITHUB_TOKEN: + required: true + +permissions: + pull-requests: write + +jobs: + check-contributor: + name: Check PR Creator Team Membership + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: Check if PR creator is in team + id: check-team + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const { data: teams } = await github.rest.teams.listMembershipsForAuthenticatedUser(); + const teamSlugs = teams.map(team => team.slug); + const teamSlug = '${{ inputs.github_team_slug }}'; + + const isMember = teamSlugs.includes(teamSlug); + console.log(`Looking for team: ${teamSlug}`); + console.log(`User's teams: ${teamSlugs.join(', ')}`); + console.log(`Is member: ${isMember}`); + + core.setOutput('is_member', isMember); + + - name: Add external contributor label + if: steps.check-team.outputs.is_member == 'false' + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const labelName = '${{ inputs.label_name }}'; + github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + labels: [labelName] + }); + console.log(`Added label "${labelName}" to PR #${context.issue.number}`); From 316e24a67dde6f024a29f1f4f46ba610ee3ca772 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:02:09 -0500 Subject: [PATCH 02/13] feat: Add reusable action to check external contributor status Add a new GitHub Action that checks if a PR creator is a member of a specified GitHub team. If the creator is not a member, the action automatically adds a configurable label (defaults to 'external contributor') to the PR. This action enables repositories to easily identify and track external contributions. Co-Authored-By: Claude Opus 4.6 --- .../check-external-contributor/action.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/actions/check-external-contributor/action.yml diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml new file mode 100644 index 0000000..5c57574 --- /dev/null +++ b/.github/actions/check-external-contributor/action.yml @@ -0,0 +1,61 @@ +name: Check External Contributor +description: Checks if PR creator is in a GitHub team and adds a label if not + +inputs: + github_team_slug: + description: "GitHub team slug to check membership against (e.g., 'solace-ai')" + required: true + label_name: + description: "Label to add to PR if creator is not in the team" + required: false + default: "external contributor" + github-token: + description: "GitHub token for API access" + required: true + +runs: + using: composite + steps: + - name: Check if PR creator is in team + id: check-team + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + run: | + echo "🔍 Checking team membership for PR creator..." + + TEAM_SLUG="${{ inputs.github_team_slug }}" + PR_CREATOR="${{ github.event.pull_request.user.login }}" + ORG="${{ github.repository_owner }}" + + echo " - Team slug: $TEAM_SLUG" + echo " - PR creator: $PR_CREATOR" + echo " - Organization: $ORG" + + # Check if user is a member of the team + if gh api orgs/$ORG/teams/$TEAM_SLUG/memberships/$PR_CREATOR -q '.state' > /dev/null 2>&1; then + echo "is_member=true" >> $GITHUB_OUTPUT + echo "✅ PR creator is a member of the team" + else + echo "is_member=false" >> $GITHUB_OUTPUT + echo "⚠️ PR creator is not a member of the team" + fi + + - name: Add external contributor label + if: steps.check-team.outputs.is_member == 'false' + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + LABEL_NAME: ${{ inputs.label_name }} + run: | + LABEL_NAME="${{ inputs.label_name }}" + REPO="${{ github.repository }}" + PR_NUMBER="${{ github.event.pull_request.number }}" + + echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." + + gh issue edit $PR_NUMBER \ + --repo "$REPO" \ + --add-label "$LABEL_NAME" + + echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" From 05ce4176c074f7ae717a07fa4e71d96bfb297e48 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:03:44 -0500 Subject: [PATCH 03/13] refactor: Remove workflow in favor of reusable action Remove the check-external-contributor workflow since we've converted it to a reusable GitHub Action (.github/actions/check-external-contributor) which provides better modularity and consistency. Co-Authored-By: Claude Opus 4.6 --- .../workflows/check-external-contributor.yml | 56 ------------------- 1 file changed, 56 deletions(-) delete mode 100644 .github/workflows/check-external-contributor.yml diff --git a/.github/workflows/check-external-contributor.yml b/.github/workflows/check-external-contributor.yml deleted file mode 100644 index 3f4cb67..0000000 --- a/.github/workflows/check-external-contributor.yml +++ /dev/null @@ -1,56 +0,0 @@ -name: Check External Contributor - -on: - workflow_call: - inputs: - github_team_slug: - type: string - required: true - description: "GitHub team slug to check membership against (e.g., 'devs')" - label_name: - type: string - required: false - default: "external contributor" - description: "Label to add to PR if creator is not in the team" - secrets: - GITHUB_TOKEN: - required: true - -permissions: - pull-requests: write - -jobs: - check-contributor: - name: Check PR Creator Team Membership - if: github.event_name == 'pull_request' - runs-on: ubuntu-latest - steps: - - name: Check if PR creator is in team - id: check-team - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const { data: teams } = await github.rest.teams.listMembershipsForAuthenticatedUser(); - const teamSlugs = teams.map(team => team.slug); - const teamSlug = '${{ inputs.github_team_slug }}'; - - const isMember = teamSlugs.includes(teamSlug); - console.log(`Looking for team: ${teamSlug}`); - console.log(`User's teams: ${teamSlugs.join(', ')}`); - console.log(`Is member: ${isMember}`); - - core.setOutput('is_member', isMember); - - - name: Add external contributor label - if: steps.check-team.outputs.is_member == 'false' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const labelName = '${{ inputs.label_name }}'; - github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - labels: [labelName] - }); - console.log(`Added label "${labelName}" to PR #${context.issue.number}`); From fdedc155f5f9902397237cb9ec1e895aab1d9b26 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:15:25 -0500 Subject: [PATCH 04/13] fix: Use github-script action for adding labels with proper permissions Replace gh CLI calls with github-script action to ensure proper GitHub API permissions for adding labels to issues. This resolves 'Resource not accessible by integration' errors. Co-Authored-By: Claude Opus 4.6 --- .../check-external-contributor/action.yml | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 5c57574..56628ad 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -43,19 +43,20 @@ runs: - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - LABEL_NAME: ${{ inputs.label_name }} - run: | - LABEL_NAME="${{ inputs.label_name }}" - REPO="${{ github.repository }}" - PR_NUMBER="${{ github.event.pull_request.number }}" - - echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." - - gh issue edit $PR_NUMBER \ - --repo "$REPO" \ - --add-label "$LABEL_NAME" - - echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ inputs.github-token }} + script: | + const labelName = '${{ inputs.label_name }}'; + const prNumber = context.issue.number; + + console.log(`🏷️ Adding label "${labelName}" to PR #${prNumber}...`); + + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: prNumber, + labels: [labelName] + }); + + console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); From 94b4cafa9717a8de0e70df21abd083451aaed3c2 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:17:36 -0500 Subject: [PATCH 05/13] fix: Use github-script for team membership check with error handling Move team membership check to github-script to use consistent authentication context. Add error handling to gracefully handle permission issues - defaults to treating users as external contributors if membership cannot be verified. Co-Authored-By: Claude Opus 4.6 --- .../check-external-contributor/action.yml | 53 +++++++++++-------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 56628ad..45eb7b9 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -18,28 +18,37 @@ runs: steps: - name: Check if PR creator is in team id: check-team - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - run: | - echo "🔍 Checking team membership for PR creator..." - - TEAM_SLUG="${{ inputs.github_team_slug }}" - PR_CREATOR="${{ github.event.pull_request.user.login }}" - ORG="${{ github.repository_owner }}" - - echo " - Team slug: $TEAM_SLUG" - echo " - PR creator: $PR_CREATOR" - echo " - Organization: $ORG" - - # Check if user is a member of the team - if gh api orgs/$ORG/teams/$TEAM_SLUG/memberships/$PR_CREATOR -q '.state' > /dev/null 2>&1; then - echo "is_member=true" >> $GITHUB_OUTPUT - echo "✅ PR creator is a member of the team" - else - echo "is_member=false" >> $GITHUB_OUTPUT - echo "⚠️ PR creator is not a member of the team" - fi + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ inputs.github-token }} + script: | + const teamSlug = '${{ inputs.github_team_slug }}'; + const org = context.repo.owner; + const prCreator = context.payload.pull_request.user.login; + + console.log(`🔍 Checking team membership for PR creator...`); + console.log(` - Team slug: ${teamSlug}`); + console.log(` - PR creator: ${prCreator}`); + console.log(` - Organization: ${org}`); + + try { + const { data } = await github.rest.teams.getMembershipForUserInOrg({ + org: org, + team_slug: teamSlug, + username: prCreator + }); + + core.setOutput('is_member', 'true'); + console.log(`✅ PR creator is a member of the team`); + } catch (error) { + if (error.status === 404) { + core.setOutput('is_member', 'false'); + console.log(`⚠️ PR creator is not a member of the team`); + } else { + console.log(`⚠️ Could not verify team membership (${error.message}), assuming external contributor`); + core.setOutput('is_member', 'false'); + } + } - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' From 472a5cc40305be9990365b85c89ceab32c33585f Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:19:47 -0500 Subject: [PATCH 06/13] Revert "fix: Use github-script for team membership check with error handling" This reverts commit 94b4cafa9717a8de0e70df21abd083451aaed3c2. --- .../check-external-contributor/action.yml | 53 ++++++++----------- 1 file changed, 22 insertions(+), 31 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 45eb7b9..56628ad 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -18,37 +18,28 @@ runs: steps: - name: Check if PR creator is in team id: check-team - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ inputs.github-token }} - script: | - const teamSlug = '${{ inputs.github_team_slug }}'; - const org = context.repo.owner; - const prCreator = context.payload.pull_request.user.login; - - console.log(`🔍 Checking team membership for PR creator...`); - console.log(` - Team slug: ${teamSlug}`); - console.log(` - PR creator: ${prCreator}`); - console.log(` - Organization: ${org}`); - - try { - const { data } = await github.rest.teams.getMembershipForUserInOrg({ - org: org, - team_slug: teamSlug, - username: prCreator - }); - - core.setOutput('is_member', 'true'); - console.log(`✅ PR creator is a member of the team`); - } catch (error) { - if (error.status === 404) { - core.setOutput('is_member', 'false'); - console.log(`⚠️ PR creator is not a member of the team`); - } else { - console.log(`⚠️ Could not verify team membership (${error.message}), assuming external contributor`); - core.setOutput('is_member', 'false'); - } - } + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + run: | + echo "🔍 Checking team membership for PR creator..." + + TEAM_SLUG="${{ inputs.github_team_slug }}" + PR_CREATOR="${{ github.event.pull_request.user.login }}" + ORG="${{ github.repository_owner }}" + + echo " - Team slug: $TEAM_SLUG" + echo " - PR creator: $PR_CREATOR" + echo " - Organization: $ORG" + + # Check if user is a member of the team + if gh api orgs/$ORG/teams/$TEAM_SLUG/memberships/$PR_CREATOR -q '.state' > /dev/null 2>&1; then + echo "is_member=true" >> $GITHUB_OUTPUT + echo "✅ PR creator is a member of the team" + else + echo "is_member=false" >> $GITHUB_OUTPUT + echo "⚠️ PR creator is not a member of the team" + fi - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' From 19dd3742f39b12c4f2266784b56ebed1004af459 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 17:20:03 -0500 Subject: [PATCH 07/13] Revert "fix: Use github-script action for adding labels with proper permissions" This reverts commit fdedc155f5f9902397237cb9ec1e895aab1d9b26. --- .../check-external-contributor/action.yml | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 56628ad..5c57574 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -43,20 +43,19 @@ runs: - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ inputs.github-token }} - script: | - const labelName = '${{ inputs.label_name }}'; - const prNumber = context.issue.number; - - console.log(`🏷️ Adding label "${labelName}" to PR #${prNumber}...`); - - await github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: prNumber, - labels: [labelName] - }); - - console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + LABEL_NAME: ${{ inputs.label_name }} + run: | + LABEL_NAME="${{ inputs.label_name }}" + REPO="${{ github.repository }}" + PR_NUMBER="${{ github.event.pull_request.number }}" + + echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." + + gh issue edit $PR_NUMBER \ + --repo "$REPO" \ + --add-label "$LABEL_NAME" + + echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" From fdf1dea8e868c55755004c4200fc64bd37d9edf5 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 18:51:45 -0500 Subject: [PATCH 08/13] Reapply "fix: Use github-script action for adding labels with proper permissions" This reverts commit 19dd3742f39b12c4f2266784b56ebed1004af459. --- .../check-external-contributor/action.yml | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 5c57574..56628ad 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -43,19 +43,20 @@ runs: - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - LABEL_NAME: ${{ inputs.label_name }} - run: | - LABEL_NAME="${{ inputs.label_name }}" - REPO="${{ github.repository }}" - PR_NUMBER="${{ github.event.pull_request.number }}" - - echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." - - gh issue edit $PR_NUMBER \ - --repo "$REPO" \ - --add-label "$LABEL_NAME" - - echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ inputs.github-token }} + script: | + const labelName = '${{ inputs.label_name }}'; + const prNumber = context.issue.number; + + console.log(`🏷️ Adding label "${labelName}" to PR #${prNumber}...`); + + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: prNumber, + labels: [labelName] + }); + + console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); From 1fa523c271cf45ab4c25d5b3a861defc7e5da3d8 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 18:53:55 -0500 Subject: [PATCH 09/13] Revert "Reapply "fix: Use github-script action for adding labels with proper permissions"" This reverts commit fdf1dea8e868c55755004c4200fc64bd37d9edf5. --- .../check-external-contributor/action.yml | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 56628ad..5c57574 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -43,20 +43,19 @@ runs: - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - github-token: ${{ inputs.github-token }} - script: | - const labelName = '${{ inputs.label_name }}'; - const prNumber = context.issue.number; - - console.log(`🏷️ Adding label "${labelName}" to PR #${prNumber}...`); - - await github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: prNumber, - labels: [labelName] - }); - - console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + LABEL_NAME: ${{ inputs.label_name }} + run: | + LABEL_NAME="${{ inputs.label_name }}" + REPO="${{ github.repository }}" + PR_NUMBER="${{ github.event.pull_request.number }}" + + echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." + + gh issue edit $PR_NUMBER \ + --repo "$REPO" \ + --add-label "$LABEL_NAME" + + echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" From 8ad13fa594c78f710be30fae8416fb7d3a8455b4 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 18:54:06 -0500 Subject: [PATCH 10/13] Reapply "fix: Use github-script for team membership check with error handling" This reverts commit 472a5cc40305be9990365b85c89ceab32c33585f. --- .../check-external-contributor/action.yml | 53 +++++++++++-------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 5c57574..2183201 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -18,28 +18,37 @@ runs: steps: - name: Check if PR creator is in team id: check-team - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - run: | - echo "🔍 Checking team membership for PR creator..." - - TEAM_SLUG="${{ inputs.github_team_slug }}" - PR_CREATOR="${{ github.event.pull_request.user.login }}" - ORG="${{ github.repository_owner }}" - - echo " - Team slug: $TEAM_SLUG" - echo " - PR creator: $PR_CREATOR" - echo " - Organization: $ORG" - - # Check if user is a member of the team - if gh api orgs/$ORG/teams/$TEAM_SLUG/memberships/$PR_CREATOR -q '.state' > /dev/null 2>&1; then - echo "is_member=true" >> $GITHUB_OUTPUT - echo "✅ PR creator is a member of the team" - else - echo "is_member=false" >> $GITHUB_OUTPUT - echo "⚠️ PR creator is not a member of the team" - fi + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ inputs.github-token }} + script: | + const teamSlug = '${{ inputs.github_team_slug }}'; + const org = context.repo.owner; + const prCreator = context.payload.pull_request.user.login; + + console.log(`🔍 Checking team membership for PR creator...`); + console.log(` - Team slug: ${teamSlug}`); + console.log(` - PR creator: ${prCreator}`); + console.log(` - Organization: ${org}`); + + try { + const { data } = await github.rest.teams.getMembershipForUserInOrg({ + org: org, + team_slug: teamSlug, + username: prCreator + }); + + core.setOutput('is_member', 'true'); + console.log(`✅ PR creator is a member of the team`); + } catch (error) { + if (error.status === 404) { + core.setOutput('is_member', 'false'); + console.log(`⚠️ PR creator is not a member of the team`); + } else { + console.log(`⚠️ Could not verify team membership (${error.message}), assuming external contributor`); + core.setOutput('is_member', 'false'); + } + } - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' From 993bf3db331c05d332879057e5138e9d3fc955fb Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Mon, 2 Mar 2026 18:56:25 -0500 Subject: [PATCH 11/13] fix: Replace gh CLI with github-script for label addition Use github-script for adding labels to ensure proper authentication and permissions. This fixes the 'Resource not accessible by integration' error. Co-Authored-By: Claude Opus 4.6 --- .../check-external-contributor/action.yml | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/actions/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml index 2183201..45eb7b9 100644 --- a/.github/actions/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -52,19 +52,20 @@ runs: - name: Add external contributor label if: steps.check-team.outputs.is_member == 'false' - shell: bash - env: - GH_TOKEN: ${{ inputs.github-token }} - LABEL_NAME: ${{ inputs.label_name }} - run: | - LABEL_NAME="${{ inputs.label_name }}" - REPO="${{ github.repository }}" - PR_NUMBER="${{ github.event.pull_request.number }}" + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ inputs.github-token }} + script: | + const labelName = '${{ inputs.label_name }}'; + const prNumber = context.issue.number; - echo "🏷️ Adding label '$LABEL_NAME' to PR #$PR_NUMBER..." + console.log(`🏷️ Adding label "${labelName}" to PR #${prNumber}...`); - gh issue edit $PR_NUMBER \ - --repo "$REPO" \ - --add-label "$LABEL_NAME" + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: prNumber, + labels: [labelName] + }); - echo "✅ Added label '$LABEL_NAME' to PR #$PR_NUMBER" + console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); From e9d7d6c061a9465b907f40a4657a93f9c76a59f9 Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Fri, 6 Mar 2026 14:12:03 -0500 Subject: [PATCH 12/13] refactor: Move check-external-contributor action to root level Consolidate action structure by moving check-external-contributor from .github/actions/ to root-level alongside other actions. Add comprehensive README.md for documentation. --- check-external-contributor/README.md | 80 +++++++++++++++++++ .../action.yml | 0 2 files changed, 80 insertions(+) create mode 100644 check-external-contributor/README.md rename {.github/actions/check-external-contributor => check-external-contributor}/action.yml (100%) diff --git a/check-external-contributor/README.md b/check-external-contributor/README.md new file mode 100644 index 0000000..cb79e90 --- /dev/null +++ b/check-external-contributor/README.md @@ -0,0 +1,80 @@ +# Check External Contributor Action + +Automatically labels pull requests created by users who are not members of a specified GitHub team. + +## Usage + +```yaml +- uses: SolaceDev/solace-public-workflows/check-external-contributor@main + with: + github_team_slug: solace-ai + label_name: "external contributor" + github-token: ${{ secrets.GITHUB_TOKEN }} +``` + +## Inputs + +| Input | Description | Required | Default | +|-------|-------------|----------|---------| +| `github_team_slug` | GitHub team slug to check membership against (e.g., `solace-ai`) | Yes | - | +| `label_name` | Label to add to PR if creator is not in the team | No | `"external contributor"` | +| `github-token` | GitHub token for API access | Yes | - | + +## How it Works + +1. Checks if the PR creator is a member of the specified GitHub team +2. If not a member, adds the specified label to the PR +3. Logs the results for debugging + +## Workflow Trigger + +This action is designed to work with `pull_request_target` to safely handle external contributors: + +```yaml +on: + pull_request_target: + types: [opened, reopened] + +jobs: + check-external: + runs-on: ubuntu-latest + permissions: + pull-requests: write + issues: write +``` + +## Examples + +### Basic Example + +```yaml +name: Check External Contributor +on: + pull_request_target: + types: [opened, reopened] + +jobs: + check: + runs-on: ubuntu-latest + permissions: + pull-requests: write + issues: write + steps: + - uses: SolaceDev/solace-public-workflows/check-external-contributor@main + with: + github_team_slug: my-team + label_name: "external contributor" + github-token: ${{ secrets.GITHUB_TOKEN }} +``` + +## Permissions Required + +The GitHub token must have the following permissions: +- `pull-requests: write` - To access PR information +- `issues: write` - To add labels to PRs + +## Notes + +- Use `pull_request_target` instead of `pull_request` for security when running workflows on external PRs +- The action gracefully handles errors when checking team membership +- If the label doesn't exist, GitHub will automatically create it when adding it to the PR diff --git a/.github/actions/check-external-contributor/action.yml b/check-external-contributor/action.yml similarity index 100% rename from .github/actions/check-external-contributor/action.yml rename to check-external-contributor/action.yml From 62e994bef51a0ce04e973af1b7673a8f61214a3d Mon Sep 17 00:00:00 2001 From: solace-mdupls Date: Fri, 6 Mar 2026 15:45:11 -0500 Subject: [PATCH 13/13] . --- .../actions/check-external-contributor}/README.md | 0 .../actions/check-external-contributor}/action.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename {check-external-contributor => .github/actions/check-external-contributor}/README.md (100%) rename {check-external-contributor => .github/actions/check-external-contributor}/action.yml (99%) diff --git a/check-external-contributor/README.md b/.github/actions/check-external-contributor/README.md similarity index 100% rename from check-external-contributor/README.md rename to .github/actions/check-external-contributor/README.md diff --git a/check-external-contributor/action.yml b/.github/actions/check-external-contributor/action.yml similarity index 99% rename from check-external-contributor/action.yml rename to .github/actions/check-external-contributor/action.yml index 45eb7b9..8bca977 100644 --- a/check-external-contributor/action.yml +++ b/.github/actions/check-external-contributor/action.yml @@ -68,4 +68,4 @@ runs: labels: [labelName] }); - console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); + console.log(`✅ Added label "${labelName}" to PR #${prNumber}`); \ No newline at end of file