fix: use repo-scoped token for pulls.get in Check if org member step

.github/workflows/pr-describe.yml

@@ -21,7 +21,7 @@ jobs:
       id-token: write
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Create check run
         id: create-check

.github/workflows/release.yml

@@ -59,7 +59,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Calculate new version
         id: version
@@ -325,7 +325,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Checkout cagent-action
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -447,7 +447,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Fetch release notes from GitHub
         id: release-notes

.github/workflows/reply-to-feedback.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       # ----------------------------------------------------------------
       # Download artifact from the triggering workflow run

.github/workflows/review-pr.yml

@@ -84,7 +84,7 @@ jobs:
       comment-author: ${{ steps.read.outputs.comment-author }}
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Verify token for cross-run artifact download
         shell: bash
@@ -256,55 +256,20 @@ jobs:
         if: |
           steps.command.outputs.is_review != 'false' &&
           steps.draft.outputs.skip != 'true'
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Check if org member
         id: membership
         if: |
           steps.command.outputs.is_review != 'false' &&
           steps.draft.outputs.skip != 'true'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        shell: bash
         env:
           PR_NUMBER: ${{ steps.pr.outputs.number }}
           PR_SOURCE: ${{ steps.pr.outputs.source }}
           ORG: docker
           COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-        with:
-          github-token: ${{ env.ORG_MEMBERSHIP_TOKEN }}
-          script: |
-            const org = process.env.ORG;
-            const source = process.env.PR_SOURCE;
-
-            let username;
-            if (source === 'event') {
-              username = process.env.COMMENT_AUTHOR;
-            } else {
-              const { data: pr } = await github.rest.pulls.get({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                pull_number: parseInt(process.env.PR_NUMBER, 10)
-              });
-              username = pr.user.login;
-            }
-
-            try {
-              await github.rest.orgs.checkMembershipForUser({ org, username });
-              core.setOutput('is_member', 'true');
-              console.log(`✅ ${username} is a ${org} org member — proceeding with review`);
-            } catch (error) {
-              if (error.status === 404 || error.status === 302) {
-                core.setOutput('is_member', 'false');
-                console.log(`⏭️ ${username} is not a ${org} org member — skipping review`);
-              } else if (error.status === 401) {
-                core.setFailed(
-                  `❌ Org membership token is missing or invalid (HTTP 401).\n\n` +
-                  `This token is fetched automatically from AWS Secrets Manager in docker/* repos.\n` +
-                  `Ensure the workflow job has 'id-token: write' permission and OIDC is configured.`
-                );
-              } else {
-                core.setFailed(`Failed to check org membership: ${error.message}`);
-              }
-            }
+        run: node "$CAGENT_ACTION_ROOT/dist/check-org-membership.js"
 
       - name: Create check run
         if: |
@@ -413,7 +378,7 @@ jobs:
 
       - name: Setup credentials
         if: inputs.trigger-run-id != ''
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Verify token for cross-run artifact download
         if: inputs.trigger-run-id != ''
@@ -532,7 +497,7 @@ jobs:
 
       - name: Setup credentials
         if: steps.check.outputs.is_agent == 'true'
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Check authorization
         if: steps.check.outputs.is_agent == 'true'
@@ -758,7 +723,7 @@ jobs:
 
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Run mention-reply handler
         id: mention-context

.github/workflows/security-scan.yml

@@ -30,7 +30,7 @@ jobs:
           fetch-depth: 0 # Need full history to get commits from past week
 
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
 
       - name: Get commits from past week

.github/workflows/self-review-pr.yml

@@ -48,7 +48,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Verify token for cross-run artifact download
         shell: bash
@@ -206,7 +206,7 @@ jobs:
         if: |
           steps.command.outputs.is_review != 'false' &&
           steps.draft.outputs.skip != 'true'
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Check if org member
         id: membership
@@ -376,7 +376,7 @@ jobs:
 
       - name: Setup credentials
         if: github.event_name == 'workflow_run'
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Verify token for cross-run artifact download
         if: github.event_name == 'workflow_run'
@@ -495,7 +495,7 @@ jobs:
 
       - name: Setup credentials
         if: steps.check.outputs.is_agent == 'true'
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Check authorization
         if: steps.check.outputs.is_agent == 'true'
@@ -732,7 +732,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Run mention-reply handler
         id: mention-context

.github/workflows/test.yml

@@ -96,7 +96,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
         continue-on-error: true
 
       - name: Run integration tests

.github/workflows/update-consumers.yml

@@ -56,7 +56,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup credentials
-        uses: ./.github/actions/setup-credentials
+        uses: ./setup-credentials
 
       - name: Checkout source for build
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/update-docker-agent-version.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup credentials
-        uses: docker/cagent-action/.github/actions/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
+        uses: docker/cagent-action/setup-credentials@c22076b8856ee12d9b4c4685bb49cf26eb974079 # v1.5.0
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

AGENTS.md

@@ -30,8 +30,8 @@ Anything else here (workflows under `.github/workflows/`, scripts, tests) exists
 │   ├── add-reaction/                # Adds emoji reactions to issue/PR comments.
 │   │   ├── index.ts                 # Entry → bundled to dist/add-reaction.js
 │   │   └── __tests__/
-│   ├── check-org-membership/        # Verifies a user belongs to a GitHub org (used by org-membership auth tier).
-│   │   ├── index.ts                 # Entry → bundled to dist/check-org-membership.js
+│   ├── check-org-membership/        # Verifies a user belongs to a GitHub org; also resolves PR author via pulls.get.
+│   │   ├── index.ts                 # Entry → bundled to dist/check-org-membership.js (standalone CLI + library).
 │   │   └── __tests__/
 │   ├── credentials/                 # Fetches AWS secrets via OIDC, exports PAT and AI keys.
 │   │   ├── index.ts                 # Entry → bundled to dist/credentials.js
@@ -83,15 +83,16 @@ Anything else here (workflows under `.github/workflows/`, scripts, tests) exists
 │       ├── refs/                    # Reference docs passed to agents (posting format, code-review style).
 │       └── evals/                   # cagent eval JSON files (success-*, security-*, marlin-*, etc.).
 │
+├── setup-credentials/               # Composite action: fetches AWS creds via OIDC, exports GITHUB_APP_TOKEN +
+│   └── action.yml                   #   ORG_MEMBERSHIP_TOKEN. At root so consumers can use
+│                                    #   docker/cagent-action/setup-credentials@VERSION directly.
+│                                    #   Also exports CAGENT_ACTION_ROOT (repo root of the downloaded action copy)
+│                                    #   for subsequent run: steps that need to invoke dist/ bundles.
+│
 ├── .github/
 │   ├── actions/
-│   │   ├── mention-reply/           # Internal JS action (using: node20). main = dist/mention-reply.js.
-│   │   │   └── action.yml           #   Note: unlike setup-credentials (composite + shell run:), this uses
-│   │   │                            #   the native node20 runner form — a difference contributors will notice.
-│   │   └── setup-credentials/       # Internal composite action: runs dist/credentials.js via a bash run: step.
-│   │       │                        #   Uses OIDC → AWS to read docker-agent-action/github-app from Secrets Manager;
-│   │       │                        #   exports GITHUB_APP_TOKEN (PAT) and ORG_MEMBERSHIP_TOKEN. No longer mints a GitHub App installation token.
-│   │       └── action.yml
+│   │   └── mention-reply/           # Internal-only JS action (node24). main = dist/mention-reply.js.
+│   │       └── action.yml           #   Only used by review-pr.yml; not intended for external consumers.
 │   ├── workflows/                   # CI + self-test + release workflows (see "Workflows" below).
 │   └── CODEOWNERS
 │

review-pr/action.yml

@@ -262,7 +262,7 @@ runs:
         ACTION_PATH: ${{ github.action_path }}
         EXCLUDE_PATHS: ${{ inputs.exclude-paths }}
       run: |
-        node "$ACTION_PATH/dist/filter-diff.js" pr.diff "$EXCLUDE_PATHS"
+        node "$ACTION_PATH/../dist/filter-diff.js" pr.diff "$EXCLUDE_PATHS"
 
     - name: Split diff into chunks
       if: hashFiles('pr.diff') != ''
@@ -343,7 +343,7 @@ runs:
         EXCLUDE_PATHS: ${{ inputs.exclude-paths }}
       run: |
         set -euo pipefail
-        node "$ACTION_PATH/dist/score-risk.js" pr.diff "$EXCLUDE_PATHS"
+        node "$ACTION_PATH/../dist/score-risk.js" pr.diff "$EXCLUDE_PATHS"
         echo "✅ File risk scores: $(jq -c . /tmp/file_risk_scores.json)"
 
     - name: Generate file history

.github/actions/setup-credentials/action.yml → setup-credentials/action.yml

@@ -10,7 +10,7 @@ runs:
 
     - name: Fetch credentials
       shell: bash
-      run: node "$GITHUB_ACTION_PATH/../../../dist/credentials.js"
+      run: node "$GITHUB_ACTION_PATH/../dist/credentials.js"
 
     - name: Verify credentials were obtained
       shell: bash
@@ -19,3 +19,5 @@ runs:
           echo "::error::GITHUB_APP_TOKEN was not set — setup-credentials failed silently."
           exit 1
         fi
+        # Export the repo root so callers can reach dist/ bundles via $CAGENT_ACTION_ROOT
+        echo "CAGENT_ACTION_ROOT=$(cd "$GITHUB_ACTION_PATH/.." && pwd)" >> "$GITHUB_ENV"