Replace author_association auth with org membership checks (docker#110)

Author: derekmisler

.github/workflows/reply-to-feedback.yml

@@ -325,6 +325,7 @@ jobs:
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
           github-token: ${{ steps.app-token.outputs.token || github.token }}
+          skip-auth: "true" # Org membership already verified above
 
       # ----------------------------------------------------------------
       # Failure handling

.github/workflows/review-pr.yml

@@ -190,6 +190,7 @@ jobs:
           xai-api-key: ${{ secrets.XAI_API_KEY }}
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
+          skip-auth: "true" # Org membership already verified above
 
   # ==========================================================================
   # MANUAL REVIEW PIPELINE
@@ -207,10 +208,50 @@ jobs:
       exit-code: ${{ steps.run-review.outputs.exit-code }}
 
     steps:
+      - name: Check if commenter is org member
+        id: membership
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          script: |
+            const org = '${{ inputs.auto-review-org }}';
+            const username = context.payload.comment.user.login;
+            const userType = context.payload.comment.user.type;
+
+            // Allow trusted bot to bypass org membership check
+            if (userType === 'Bot') {
+              core.setOutput('is_member', 'true');
+              console.log(`✅ ${username} is a Bot — allowing /review command`);
+              return;
+            }
+
+            try {
+              await github.rest.orgs.checkMembershipForUser({ org, username });
+              core.setOutput('is_member', 'true');
+              console.log(`✅ ${username} is a ${org} org member — proceeding with manual review`);
+            } catch (error) {
+              if (error.status === 404 || error.status === 302) {
+                core.setOutput('is_member', 'false');
+                console.log(`⏭️ ${username} is not a ${org} org member — skipping manual review`);
+              } else if (error.status === 401) {
+                core.warning(
+                  '❌ CAGENT_ORG_MEMBERSHIP_TOKEN secret is missing or invalid.\n\n' +
+                  `This secret is required to check ${org} org membership.\n\n` +
+                  'To fix this:\n' +
+                  '1. Create a classic PAT with read:org scope at https://github.com/settings/tokens/new\n' +
+                  '2. Add it as an org secret named CAGENT_ORG_MEMBERSHIP_TOKEN'
+                );
+                core.setOutput('is_member', 'false');
+              } else {
+                core.warning(`Failed to check org membership: ${error.message}`);
+                core.setOutput('is_member', 'false');
+              }
+            }
+
       # Generate GitHub App token first so the check run is created under the app's identity
       # (prevents GitHub from nesting it under unrelated pull_request-triggered workflows)
       - name: Generate GitHub App token
-        if: env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
@@ -219,6 +260,7 @@ jobs:
           private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
 
       - name: Create check run
+        if: steps.membership.outputs.is_member == 'true'
         id: create-check
         continue-on-error: true # Don't fail if caller didn't grant checks: write
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -245,15 +287,15 @@ jobs:
             });
             core.setOutput('check-id', check.id);
 
-      # Checkout PR head (not default branch)
-      # Note: Authorization is handled by the composite action's built-in check
       - name: Checkout PR head
+        if: steps.membership.outputs.is_member == 'true'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: refs/pull/${{ github.event.issue.number }}/head
 
       - name: Run PR Review
+        if: steps.membership.outputs.is_member == 'true'
         id: run-review
         continue-on-error: true # Don't fail the calling workflow if the review errors
         uses: docker/cagent-action/review-pr@latest
@@ -272,6 +314,7 @@ jobs:
           xai-api-key: ${{ secrets.XAI_API_KEY }}
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
+          skip-auth: "true" # Org membership already verified above
 
       - name: Update check run
         if: always() && steps.create-check.outputs.check-id != ''
@@ -420,22 +463,10 @@ jobs:
           GH_TOKEN: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
           ORG: ${{ inputs.auto-review-org }}
           USERNAME: ${{ github.event.comment.user.login }}
-          # Use the event context expression — $GITHUB_EVENT_PATH is empty/minimal
-          # in workflow_call context, so jq parsing it fails silently.
-          AUTHOR_ASSOCIATION: ${{ github.event.comment.author_association }}
         run: |
           if [ -z "$GH_TOKEN" ]; then
-            echo "::warning::CAGENT_ORG_MEMBERSHIP_TOKEN not configured — falling back to author_association"
-            case "$AUTHOR_ASSOCIATION" in
-              OWNER|MEMBER|COLLABORATOR)
-                echo "authorized=true" >> $GITHUB_OUTPUT
-                echo "✅ Authorized via author_association (fallback)"
-                ;;
-              *)
-                echo "authorized=false" >> $GITHUB_OUTPUT
-                echo "⏭️ Not authorized via author_association (fallback)"
-                ;;
-            esac
+            echo "::error::CAGENT_ORG_MEMBERSHIP_TOKEN not configured — cannot authorize reply"
+            echo "authorized=false" >> $GITHUB_OUTPUT
             exit 0
           fi
           # Check org membership with explicit error handling
@@ -618,6 +649,7 @@ jobs:
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
           github-token: ${{ steps.app-token.outputs.token || github.token }}
+          skip-auth: "true" # Org membership already verified above
 
       - name: React on thread-build failure
         if: >-

.github/workflows/self-review-pr.yml

@@ -100,6 +100,7 @@ jobs:
           xai-api-key: ${{ secrets.XAI_API_KEY }}
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
+          skip-auth: "true" # Org membership already verified above
 
   # ==========================================================================
   # MANUAL REVIEW PIPELINE
@@ -115,10 +116,50 @@ jobs:
       HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
 
     steps:
+      - name: Check if commenter is org member
+        id: membership
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN }}
+          script: |
+            const org = 'docker';
+            const username = context.payload.comment.user.login;
+            const userType = context.payload.comment.user.type;
+
+            // Allow trusted bot to bypass org membership check
+            if (userType === 'Bot') {
+              core.setOutput('is_member', 'true');
+              console.log(`✅ ${username} is a Bot — allowing /review command`);
+              return;
+            }
+
+            try {
+              await github.rest.orgs.checkMembershipForUser({ org, username });
+              core.setOutput('is_member', 'true');
+              console.log(`✅ ${username} is a ${org} org member — proceeding with manual review`);
+            } catch (error) {
+              if (error.status === 404 || error.status === 302) {
+                core.setOutput('is_member', 'false');
+                console.log(`⏭️ ${username} is not a ${org} org member — skipping manual review`);
+              } else if (error.status === 401) {
+                core.warning(
+                  '❌ CAGENT_ORG_MEMBERSHIP_TOKEN secret is missing or invalid.\n\n' +
+                  `This secret is required to check ${org} org membership.\n\n` +
+                  'To fix this:\n' +
+                  '1. Create a classic PAT with read:org scope at https://github.com/settings/tokens/new\n' +
+                  '2. Add it as an org secret named CAGENT_ORG_MEMBERSHIP_TOKEN'
+                );
+                core.setOutput('is_member', 'false');
+              } else {
+                core.warning(`Failed to check org membership: ${error.message}`);
+                core.setOutput('is_member', 'false');
+              }
+            }
+
       # Generate GitHub App token first so the check run is created under the app's identity
       # (prevents GitHub from nesting it under unrelated pull_request-triggered workflows)
       - name: Generate GitHub App token
-        if: env.HAS_APP_SECRETS == 'true'
+        if: steps.membership.outputs.is_member == 'true' && env.HAS_APP_SECRETS == 'true'
         id: app-token
         continue-on-error: true # Don't fail workflow if token generation fails
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
@@ -127,6 +168,7 @@ jobs:
           private_key: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }}
 
       - name: Create check run
+        if: steps.membership.outputs.is_member == 'true'
         id: create-check
         continue-on-error: true # Don't fail if checks: write permission is missing
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -153,15 +195,15 @@ jobs:
             });
             core.setOutput('check-id', check.id);
 
-      # Checkout PR head (not default branch)
-      # Note: Authorization is handled by the composite action's built-in check
       - name: Checkout PR head
+        if: steps.membership.outputs.is_member == 'true'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
           ref: refs/pull/${{ github.event.issue.number }}/head
 
       - name: Run PR Review
+        if: steps.membership.outputs.is_member == 'true'
         id: run-review
         continue-on-error: true # Don't fail the calling workflow if the review errors
         uses: ./review-pr
@@ -177,6 +219,7 @@ jobs:
           xai-api-key: ${{ secrets.XAI_API_KEY }}
           nebius-api-key: ${{ secrets.NEBIUS_API_KEY }}
           mistral-api-key: ${{ secrets.MISTRAL_API_KEY }}
+          skip-auth: "true" # Org membership already verified above
 
       - name: Update check run
         if: always() && steps.create-check.outputs.check-id != ''

action.yml

@@ -90,6 +90,18 @@ inputs:
     description: "Skip writing agent output to the job summary (useful when callers write their own summary)"
     required: false
     default: "false"
+  org-membership-token:
+    description: "PAT with read:org scope for org membership authorization checks (preferred over author_association)"
+    required: false
+    default: ""
+  auth-org:
+    description: "GitHub organization to check membership against (used with org-membership-token)"
+    required: false
+    default: ""
+  skip-auth:
+    description: "Skip the built-in authorization check (use when the calling workflow already performed its own auth)"
+    required: false
+    default: "false"
 
 outputs:
   exit-code:
@@ -192,6 +204,11 @@ runs:
     # SECURITY: Authorization Check
     # Only enforced for comment-triggered events (the main abuse vector)
     # PR-triggered workflows are controlled by the workflow author
+    #
+    # Auth strategies (in priority order):
+    #   1. skip-auth=true        — caller already verified authorization
+    #   2. org-membership-token  — check org membership via API (preferred)
+    #   3. author_association    — legacy fallback from event payload
     # ========================================
     - name: Check authorization
       id: check-auth
@@ -200,13 +217,27 @@ runs:
         ACTION_PATH: ${{ github.action_path }}
         TRUSTED_BOT_APP_ID: ${{ inputs.trusted-bot-app-id }}
         DEBUG: ${{ inputs.debug }}
+        SKIP_AUTH: ${{ inputs.skip-auth }}
+        ORG_MEMBERSHIP_TOKEN: ${{ inputs.org-membership-token }}
+        AUTH_ORG: ${{ inputs.auth-org }}
       run: |
+        # Mask the org membership token to prevent accidental exposure in logs
+        [ -n "$ORG_MEMBERSHIP_TOKEN" ] && echo "::add-mask::$ORG_MEMBERSHIP_TOKEN"
+
+        # Strategy 0: Skip auth if caller already verified
+        if [ "$SKIP_AUTH" = "true" ]; then
+          echo "ℹ️ Skipping auth check (caller already verified authorization)"
+          echo "authorized=skipped-by-caller" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
         # Read comment fields directly from the event payload (cannot be overridden by workflow env vars)
         COMMENT_ASSOCIATION=$(jq -r '.comment.author_association // empty' "$GITHUB_EVENT_PATH")
+        COMMENT_USER_LOGIN=$(jq -r '.comment.user.login // empty' "$GITHUB_EVENT_PATH")
 
         # Only enforce auth for comment-triggered events
         # This prevents abuse via /commands while allowing PR-triggered workflows to run
-        if [ -z "$COMMENT_ASSOCIATION" ]; then
+        if [ -z "$COMMENT_ASSOCIATION" ] && [ -z "$COMMENT_USER_LOGIN" ]; then
           echo "ℹ️ Skipping auth check (not a comment-triggered event)"
           echo "authorized=skipped" >> $GITHUB_OUTPUT
           exit 0
@@ -219,20 +250,42 @@ runs:
           COMMENT_APP_ID=$(jq -r '.comment.performed_via_github_app.id // empty' "$GITHUB_EVENT_PATH")
 
           if [ "$COMMENT_USER_TYPE" = "Bot" ] && [ -n "$COMMENT_APP_ID" ] && [ "$COMMENT_APP_ID" = "$TRUSTED_BOT_APP_ID" ]; then
-            COMMENT_USER_LOGIN=$(jq -r '.comment.user.login // empty' "$GITHUB_EVENT_PATH")
             echo "ℹ️ Skipping auth check (trusted bot: $COMMENT_USER_LOGIN, app_id: $COMMENT_APP_ID)"
             echo "authorized=true" >> $GITHUB_OUTPUT
             exit 0
           fi
         fi
 
-        echo "Using comment author_association: $COMMENT_ASSOCIATION"
-
-        # Allowed roles (hardcoded for security - cannot be overridden)
-        ALLOWED_ROLES='["OWNER", "MEMBER", "COLLABORATOR"]'
+        # Strategy 1: Org membership check (preferred — reliable for all event types)
+        if [ -n "$ORG_MEMBERSHIP_TOKEN" ] && [ -n "$AUTH_ORG" ] && [ -n "$COMMENT_USER_LOGIN" ]; then
+          echo "Checking org membership for @$COMMENT_USER_LOGIN in $AUTH_ORG..."
+          if ! RESPONSE=$(GH_TOKEN="$ORG_MEMBERSHIP_TOKEN" gh api "orgs/$AUTH_ORG/members/$COMMENT_USER_LOGIN" --silent -i 2>/dev/null); then
+            echo "::error::❌ Authorization failed: @$COMMENT_USER_LOGIN is not a $AUTH_ORG org member"
+            echo "authorized=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+          STATUS=$(echo "$RESPONSE" | head -1 | grep -oE '[0-9]{3}' || echo "000")
+          if [ "$STATUS" = "204" ]; then
+            echo "✅ Authorization successful: @$COMMENT_USER_LOGIN is a $AUTH_ORG org member"
+            echo "authorized=true" >> $GITHUB_OUTPUT
+            exit 0
+          else
+            echo "::error::❌ Authorization failed: @$COMMENT_USER_LOGIN is not a $AUTH_ORG org member (HTTP $STATUS)"
+            echo "authorized=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+        fi
 
-        # Run the authorization check
-        $ACTION_PATH/security/check-auth.sh "$COMMENT_ASSOCIATION" "$ALLOWED_ROLES"
+        # Strategy 2: author_association fallback (legacy — unreliable for pull_request_review_comment events)
+        if [ -n "$COMMENT_ASSOCIATION" ]; then
+          echo "::warning::Using author_association fallback ($COMMENT_ASSOCIATION). Configure org-membership-token and auth-org for more reliable authorization."
+          ALLOWED_ROLES='["OWNER", "MEMBER", "COLLABORATOR"]'
+          $ACTION_PATH/security/check-auth.sh "$COMMENT_ASSOCIATION" "$ALLOWED_ROLES"
+        else
+          echo "::error::No authorization method available (no org token, no author_association)"
+          echo "authorized=false" >> $GITHUB_OUTPUT
+          exit 1
+        fi
 
     # ========================================
     # GitHub App Token (Optional)

review-pr/action.yml

@@ -57,6 +57,18 @@ inputs:
     description: "GitHub App ID of a trusted bot that can bypass comment-based auth checks"
     required: false
     default: ""
+  org-membership-token:
+    description: "PAT with read:org scope for org membership authorization checks"
+    required: false
+    default: ""
+  auth-org:
+    description: "GitHub organization to check membership against"
+    required: false
+    default: ""
+  skip-auth:
+    description: "Skip the built-in authorization check (caller already verified auth)"
+    required: false
+    default: "false"
 
 outputs:
   exit-code:
@@ -689,6 +701,9 @@ runs:
         trusted-bot-app-id: ${{ inputs.trusted-bot-app-id }}
         extra-args: ${{ inputs.model && format('--model={0}', inputs.model) || '' }}
         skip-summary: "true"
+        org-membership-token: ${{ inputs.org-membership-token }}
+        auth-org: ${{ inputs.auth-org }}
+        skip-auth: ${{ inputs.skip-auth }}
 
     # ========================================
     # BUILD REVIEW CONTEXT
@@ -782,6 +797,9 @@ runs:
         add-prompt-files: ${{ inputs.add-prompt-files }}
         max-retries: "1"  # One retry handles transient API failures (e.g. Anthropic 400s) without risking duplicate reviews from full pipeline restarts
         skip-summary: "true"
+        org-membership-token: ${{ inputs.org-membership-token }}
+        auth-org: ${{ inputs.auth-org }}
+        skip-auth: ${{ inputs.skip-auth }}
 
     - name: Release review lock
       if: always() && steps.lock-check.outputs.skip != 'true'