fix(ci): check author_association before API calls in vouch gate#442
Merged
johntmyers merged 1 commit intomainfrom Mar 18, 2026
Conversation
The vouch-check workflow was closing PRs from NVIDIA org members because the GITHUB_TOKEN lacks read:org scope, causing orgs.checkMembershipForUser to return 404 for non-public members. The catch block silently swallowed these as expected 'not found' responses. Add an author_association check from the webhook payload as the primary bypass. GitHub sets this field server-side (MEMBER, OWNER, COLLABORATOR) regardless of membership visibility, with no extra token permissions needed. The existing API calls are kept as fallbacks. Fixes the false positive that closed #430.
drew approved these changes, Mar 18, 2026
johntmyers added a commit that referenced this pull request, Mar 18, 2026
…load The webhook payload field context.payload.pull_request.author_association is unreliable under pull_request_target events — it was absent or not populated, causing the previous fix (#442) to still fail. Switch to fetching author_association via pulls.get REST API, which only needs pull-requests permission (already granted) and reliably returns MEMBER for org members regardless of membership visibility. Also removes the redundant orgs.checkMembershipForUser and repos.checkCollaborator fallbacks, which suffered from the same GITHUB_TOKEN permission limitation that started this bug.
johntmyers added a commit that referenced this pull request, Mar 18, 2026
…load (#444) The webhook payload field context.payload.pull_request.author_association is unreliable under pull_request_target events — it was absent or not populated, causing the previous fix (#442) to still fail. Switch to fetching author_association via pulls.get REST API, which only needs pull-requests permission (already granted) and reliably returns MEMBER for org members regardless of membership visibility. Also removes the redundant orgs.checkMembershipForUser and repos.checkCollaborator fallbacks, which suffered from the same GITHUB_TOKEN permission limitation that started this bug. Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
drew pushed a commit that referenced this pull request, Mar 18, 2026
The vouch-check workflow was closing PRs from NVIDIA org members because the GITHUB_TOKEN lacks read:org scope, causing orgs.checkMembershipForUser to return 404 for non-public members. The catch block silently swallowed these as expected 'not found' responses. Add an author_association check from the webhook payload as the primary bypass. GitHub sets this field server-side (MEMBER, OWNER, COLLABORATOR) regardless of membership visibility, with no extra token permissions needed. The existing API calls are kept as fallbacks. Fixes the false positive that closed #430. Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
drew pushed a commit that referenced this pull request, Mar 18, 2026
…load (#444) The webhook payload field context.payload.pull_request.author_association is unreliable under pull_request_target events — it was absent or not populated, causing the previous fix (#442) to still fail. Switch to fetching author_association via pulls.get REST API, which only needs pull-requests permission (already granted) and reliably returns MEMBER for org members regardless of membership visibility. Also removes the redundant orgs.checkMembershipForUser and repos.checkCollaborator fallbacks, which suffered from the same GITHUB_TOKEN permission limitation that started this bug. Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
Summary
- `author_association` check from the webhook payload as the primary bypass, before the API calls that fail due to insufficient `GITHUB_TOKEN` permissions
Related Issue
Fixes the false positive that closed #430
Changes
- `.github/workflows/vouch-check.yml`: Read `author_association` from `context.payload.pull_request` and skip the vouch gate for `MEMBER`, `OWNER`, and `COLLABORATOR` associations. The existing `orgs.checkMembershipForUser` and `repos.checkCollaborator` API calls are kept as fallbacks.
Root cause
The `GITHUB_TOKEN` only has `contents: read` and `pull-requests: write` permissions. The `orgs.checkMembershipForUser` API requires `read:org` scope to see non-public org members — a scope `GITHUB_TOKEN` doesn't support. When a member has private org membership, the API returns 404, the catch block swallows it (since it specifically ignores 404s), and the workflow falls through to closing the PR. `author_association` is set server-side by GitHub on every webhook event and correctly reports `MEMBER` for org members regardless of public/private visibility, with no extra token permissions needed.
Testing
- Kh4L despite being an org member
- Kh4L has `authorAssociation: MEMBER` in the PR metadata via `gh pr view`
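The bypass decision described in this PR and its follow-up (#444), as an added example rather than the project's own `vouch-check.yml`: the payload field is consulted first, and when it is absent the association is fetched through a `getPull` stand-in for `pulls.get`; the sample payloads and `fakePullsGet` are constructed for offline use.

```javascript
// Added example, not the project's own vouch-check.yml: the bypass decision
// from this PR, plus the follow-up (#444) behaviour of fetching
// author_association via pulls.get when the payload field is missing.
const TRUSTED_ASSOCIATIONS = new Set(["MEMBER", "OWNER", "COLLABORATOR"]);

// Return { bypass, association, source } for a pull_request payload object.
// `getPull` stands in for octokit.rest.pulls.get (assumed shape:
// async ({ pull_number }) => ({ data: { author_association } })).
async function shouldBypassVouchGate(pullRequest, getPull) {
  let association = pullRequest.author_association;
  let source = "payload";
  if (!association) {
    // pull_request_target payloads were observed without this field (#444);
    // pulls.get needs only the pull-requests permission GITHUB_TOKEN has.
    const { data } = await getPull({ pull_number: pullRequest.number });
    association = data.author_association;
    source = "pulls.get";
  }
  // Anything else (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, NONE, undefined)
  // stays gated: the vouch check still runs for it.
  return { bypass: TRUSTED_ASSOCIATIONS.has(association), association, source };
}

// Constructed sample payloads: a public member, a private member whose
// payload lacks the field, and an outside contributor.
const payloadMember = { number: 1, author_association: "MEMBER" };
const payloadMissing = { number: 2 };
const payloadOutside = { number: 3, author_association: "CONTRIBUTOR" };

// Constructed stand-in for pulls.get: GitHub reports MEMBER for PR 2's
// author even though their org membership is private.
async function fakePullsGet({ pull_number }) {
  const associations = { 2: "MEMBER" };
  return { data: { author_association: associations[pull_number] || "NONE" } };
}

async function main() {
  for (const pr of [payloadMember, payloadMissing, payloadOutside]) {
    const result = await shouldBypassVouchGate(pr, fakePullsGet);
    console.log(`PR #${pr.number}: ${JSON.stringify(result)}`);
  }
}

main();
```

PR 2 is the case that closed #430: no payload field, yet the fetched association is `MEMBER`, so the gate is skipped without any `read:org` scope.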