Workflow check for author association #201388
-
🏷️ Discussion TypeQuestion 💬 Feature/Topic AreaWorkflow Configuration Discussion DetailsI have seen the announcement that the The blog post says one should use the REST API as a replacement. The candidate I see for that is the collaborators. However these require
permissions, and it seems the only way to get these into a workflow is using a PAT. I've tested a workflow with Is there any other way to do this without setting a PAT? Thanks a lot! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi Nikolas! handling github api permissions is honestly such a headache especially when you're trying to keep things secure without messing with PATs. Great catch testing out the read-all permissions by the way the reason that failed is because the /collaborators endpoint strictly needs push/write access to the repo a standard read-only token just gets blocked by it every single time. The good news is you don't need a PAT at all and you don't even have to look at the collaborators endpoint. Just a quick heads-up on that github changelog announcement:--> the deprecation is actually for the public Activity Events API (like when people query GET /events) not the actual webhook payloads that fill out github.event inside your action workflows. So it's definitely worth checking first whether Below is the drop-in yaml using the github cli (gh api) to grab that author_association field securely: jobs:
check-association:
runs-on: ubuntu-latest
permissions:
pull-requests: read # change to `issues: read` if this is for issues
steps:
- name: Fetch author association
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# pull the PR directly from the API to get the field safely
ASSOCIATION=$(gh api /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }} --jq .author_association)
echo "The user ${{ github.actor }} is a $ASSOCIATION"
# now you can use it exactly like before
if [ "$ASSOCIATION" = "MEMBER" ] || [ "$ASSOCIATION" = "COLLABORATOR" ] || [ "$ASSOCIATION" = "OWNER" ]; then
echo "they are a core team member!"
else
echo "they are an external contributor."
fiThis keeps your workflow completely future-proof, gets you the exact data you want and also it will avoid personal tokens entirely. Hope this helps you clear that blocker! let me know how it goes when you drop it into your workflow and if it works out, i'd super appreciate it if you could mark this as the answer! |
Beta Was this translation helpful? Give feedback.
Hi Nikolas! handling github api permissions is honestly such a headache especially when you're trying to keep things secure without messing with PATs.
Great catch testing out the read-all permissions by the way the reason that failed is because the /collaborators endpoint strictly needs push/write access to the repo a standard read-only token just gets blocked by it every single time.
The good news is you don't need a PAT at all and you don't even have to look at the collaborators endpoint.
Just a quick heads-up on that github changelog announcement:--> the deprecation is actually for the public Activity Events API (like when people query GET /events) not the actual webhook payloads that …