ci(e2e): add org membership check to e2e-staging workflow#8144
ci(e2e): add org membership check to e2e-staging workflow#8144jacekradko merged 3 commits intomainfrom
Conversation
🦋 Changeset detectedLatest commit: 0380e3c The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packagesWhen changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Organization UI (inherited) Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughA new 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
commit: |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/e2e-staging.yml:
- Around line 60-62: The catch always reports "not a member" for
github.rest.orgs.checkMembershipForUser failures; change the handler to inspect
the thrown error (e.g., error.status or error.statusCode) from
github.rests.orgs.checkMembershipForUser and differentiate cases: treat 404 as
"user 'username' is not a member of 'org'", but for 403, 401 or 5xx return a
distinct permission/API failure message that includes the status and
error.message and surface it (via core.setFailed or rethrow) so triage can
distinguish non-membership from auth/permission/API errors; update the catch
around the checkMembershipForUser call (referencing
github.rests.orgs.checkMembershipForUser, core.setFailed, username, org, and
error) to implement this branching behavior.
- Around line 48-50: The current permission check uses context.actor (assigned
to username) which stays as the original actor on reruns; replace that usage
with the runtime triggering actor by reading GITHUB_TRIGGERING_ACTOR (e.g., set
username = process.env.GITHUB_TRIGGERING_ACTOR || context.actor) so permission
enforcement reflects who initiated the current run; keep org derived from
context.repo.owner as before and ensure downstream checks use this updated
username value.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: abe23700-08f4-47c1-bd5e-683137cebf72
📒 Files selected for processing (2)
.changeset/e2e-staging-permissions-check.md.github/workflows/e2e-staging.yml
2 participants
Summary
permissions-checkjob to the E2E Staging workflow that verifies the actor is a member of theclerkGitHub org before allowing the workflow to runvalidate-instancesandintegration-testsjobs now depend on this check, gating all workflow execution behind org membershiporgs.checkMembershipForUserpattern asmajor-version-check.ymlTest plan
repository_dispatchfrom clerk_go (using an org member's PAT) passes the checkSummary by CodeRabbit