Fix reply-to-feedback authorization api

[derekmisler]

Summary

This PR fixes the authorization check in the reply-to-feedback workflow step. The previous implementation relied solely on author_association from the GitHub event context (which can be unreliable in workflow_call contexts), replacing it with a direct GitHub API call to verify org membership. It also fixes a bug where the jq payload used in_reply_to_id instead of the correct in_reply_to field.

Changes

• .github/workflows/review-pr.yml — auth step: Replaces the author_association-based authorization with an explicit gh api orgs/$ORG/members/$USERNAME membership check using CAGENT_ORG_MEMBERSHIP_TOKEN. Falls back to author_association if the token is not configured.
• .github/workflows/review-pr.yml — auth step: Adds robust HTTP response parsing — validates the response starts with an HTTP status line, extracts the status code via grep -oP, and handles unexpected formats gracefully.
• .github/workflows/review-pr.yml — Notify unauthorized user step: Adds validation that ROOT_COMMENT_ID is set and is a valid integer before passing it to jq/gh api, preventing silent failures.
• .github/workflows/review-pr.yml — Notify unauthorized user step: Fixes the jq payload key from in_reply_to_id to in_reply_to, which is the correct field name for the GitHub Pull Request Review Comments API.

Breaking Changes

• The CAGENT_ORG_MEMBERSHIP_TOKEN secret (scoped to org membership read) must be configured for the primary authorization path to work. Without it, the workflow falls back to author_association.
• The auto-review-org input must be set correctly, as it is now used as the org name in the membership API call.

How to Test

• Trigger a comment reply on a PR from a user who is a member of the configured org — verify authorized=true is set and the reply workflow proceeds.
• Trigger a comment reply from a user who is not an org member — verify authorized=false is set and the unauthorized notification comment is posted correctly (and uses in_reply_to in the API payload).
• Remove or leave CAGENT_ORG_MEMBERSHIP_TOKEN unset and verify the fallback to author_association logic works as expected with a warning logged.

Closes: https://github.com/docker/gordon/issues/260

[derekmisler]

/describe

[docker-agent]

✅ PR description has been generated and updated!

[docker-agent]

Assessment: 🟢 APPROVE

The changes improve authorization logic by switching from author_association to org membership checking with proper fallback. The validation of ROOT_COMMENT_ID and the API field name fix (in_reply_to_id → in_reply_to) are good improvements.

Minor observations noted in inline comments for future consideration.