Closed
36 commits
213053c Remove title field from generate-spec prompt (iaminawe, Oct 17, 2025)
a645aa6 Remove title field from prompts and parser (iaminawe, Oct 17, 2025)
b285a82 Remove title field from test fixtures (iaminawe, Oct 17, 2025)
e795fe8 feat: add reverse-engineer-codebase prompt for contextual analysis (iaminawe, Oct 21, 2025)
e0471a5 refactor: rename reverse-engineer-codebase to generate-codebase-context (iaminawe, Oct 21, 2025)
5f071b6 docs: add comprehensive research analysis for prompt improvements (iaminawe, Oct 21, 2025)
e8c27f6 feat: enhance generate-codebase-context with evidence citations and c… (iaminawe, Oct 21, 2025)
754c5ea docs: add comprehensive progress tracking and future roadmap (iaminawe, Oct 21, 2025)
5a8cedf docs: add research directory README with complete overview (iaminawe, Oct 21, 2025)
f5ce583 docs: add accurate PR description for new prompt creation (iaminawe, Oct 21, 2025)
9fe9884 docs: emphasize NEW prompt creation in PR description (iaminawe, Oct 21, 2025)
1ec8b01 refactor: reorganize documentation structure (iaminawe, Oct 21, 2025)
c19cfe2 fix: resolve pre-commit markdownlint issues (iaminawe, Oct 21, 2025)
6fc25c6 chore: remove accidentally committed WARP.md session notes (iaminawe, Oct 21, 2025)
27b548e Merge branch 'main' into add-reverse-engineer-codebase-prompt (iaminawe, Oct 21, 2025)
50061d7 fix: resolve pre-commit markdownlint issues (github-actions[bot], Oct 21, 2025)
f387337 fix: resolve pre-commit issues after merge from main (iaminawe, Oct 21, 2025)
f3c2b1e fix: convert emphasis to headings to resolve MD036 linting issues (github-actions[bot], Oct 21, 2025)
705f76d feat: enhance generate-spec prompt with evidence-based approach (iaminawe, Oct 21, 2025)
02ff6fb feat: enhance generate-codebase-context with advanced analysis features (iaminawe, Oct 21, 2025)
f93790c feat: add explicit 'What NOT to Do' section to generate-spec (iaminawe, Oct 21, 2025)
098785a refactor: condense generate-codebase-context prompt from 1264 to 930 … (iaminawe, Oct 21, 2025)
e432810 fix: add blank lines in code blocks for markdownlint compliance (iaminawe, Oct 21, 2025)
b6535ee Merge branch 'main' into add-reverse-engineer-codebase-prompt (iaminawe, Oct 23, 2025)
d1274aa feat: add comprehensive codebase context analysis for mcp-spec-driven (iaminawe, Oct 23, 2025)
78db745 chore: update repository URLs to spec-driven-workflow (iaminawe, Oct 23, 2025)
98ea2db fix: update research doc paths and restore Phase 4 checkpoint (github-actions[bot], Oct 23, 2025)
e0a8fda fix: resolve markdown linting issues in claude-code-feature-dev-compa… (github-actions[bot], Oct 23, 2025)
ba6f472 fix: add blank line and language specifier to code block in claude-co… (github-actions[bot], Oct 23, 2025)
059d75d fix: apply markdownlint formatting fixes (iaminawe, Oct 23, 2025)
1f8152d fix: add Phase 5.5 to execution rules in generate-context prompt (github-actions[bot], Oct 24, 2025)
f1119ae docs: resolve CodeRabbit nitpick comments (github-actions[bot], Oct 24, 2025)
a1c31ba Merge branch 'main' into add-reverse-engineer-codebase-prompt (iaminawe, Oct 24, 2025)
c265968 fix: add blank line before list in research-synthesis.md (iaminawe, Oct 24, 2025)
9565791 fix: convert emphasis to headings in generate-spec.md (MD036) (iaminawe, Oct 24, 2025)
17a47e2 Enable automatic workflow approval for Liatrio Labs organization members (iaminawe, Oct 24, 2025)
63 changes: 50 additions & 13 deletions .github/workflows/claude.yml
@@ -11,33 +11,70 @@
types: [submitted]

jobs:
claude:
timeout-minutes: 10
concurrency:
group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
# Check if the user is a member of liatrio-labs organization
check-org-membership:
runs-on: ubuntu-latest
if: |
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '@claude')
) || (
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '@claude')
) || (
github.event_name == 'pull_request_review' &&
github.event.review.body != null &&
contains(github.event.review.body, '@claude') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
contains(github.event.review.body, '@claude')
) || (
github.event_name == 'issues' &&
(
(github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
contains(github.event.issue.title, '@claude')
) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
)
)
outputs:
is-authorized: ${{ steps.check.outputs.authorized }}
steps:
- name: Check authorization
id: check
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
ACTOR="${{ github.actor }}"
# Check if user is a repo collaborator/owner/member first
if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
AUTHOR_ASSOC="${{ github.event.review.author_association }}"
elif [[ "${{ github.event_name }}" == "issues" ]]; then
AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
fi
if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
echo "User is authorized via author_association: $AUTHOR_ASSOC"
echo "authorized=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Check if user is a member of liatrio-labs organization
if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
echo "User is authorized as liatrio-labs organization member"
echo "authorized=true" >> "$GITHUB_OUTPUT"
else
echo "User is not authorized"
echo "authorized=false" >> "$GITHUB_OUTPUT"
fi
claude:
Comment on lines +16 to +71

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 1 month ago):

The safest and most correct fix is to add a permissions: block explicitly to the root of the workflow or directly to the check-org-membership: job. Since the claude job already has its own permissions block, and since least privilege is recommended everywhere, we should add a permissions: block to the root of the workflow for read-only access or, more strictly, to the check-org-membership job with only the permissions needed. In this job, gh api "orgs/liatrio-labs/members/$ACTOR" is used, which only requires the token for reading public organization membership, meaning contents: read is sufficient. If we wish to be most precise, we add:

permissions:
  contents: read

at the job level (for check-org-membership:), or at the root if appropriate. For clarity and future extensibility, setting it at the job level minimizes possible impact on other jobs.

Steps:

  • Find the check-org-membership: job definition.
  • Add a block under it:
    permissions:
      contents: read

No new imports, methods or definitions are necessary.

Suggested changeset 1: .github/workflows/claude.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -14,6 +14,8 @@
   # Check if the user is a member of liatrio-labs organization
   check-org-membership:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: |
       (
         github.event_name == 'issue_comment' &&
EOF
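Review bot: the `permissions: contents: read` this patch adds to `check-org-membership` is the right least-privilege setting and matches what the `claude` job already declares, so it is worth applying by hand even though the autofix is marked outdated. The accompanying explanation that this scope is "sufficient" for `gh api "orgs/liatrio-labs/members/$ACTOR"` holds only for public membership, though: no `permissions:` value can give `GITHUB_TOKEN` organization-member read access, so the scope choice does not affect what that call can see.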
Unable to commit as this autofix suggestion is now outdated
needs: check-org-membership
if: needs.check-org-membership.outputs.is-authorized == 'true'
timeout-minutes: 10
concurrency:
group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
runs-on: ubuntu-latest
permissions:
contents: read
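Review bot: the organization-membership fallback at `if gh api "orgs/liatrio-labs/members/$ACTOR" --silent` runs with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and that token is not itself an organization member and has no `members` permission, so the members endpoint only confirms public membership for it; a liatrio-labs member whose membership is private gets a 404 and `authorized=false`. Test this path with such an account before relying on it, or use a token that has `read:org` (an organization PAT or GitHub App token stored as a secret) for that single call. Separately, the `issues` branch of the `if:` still carries `) &&` followed by `contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)`, while the three comment and review branches had that check removed, so an org member who is not a collaborator can trigger via a comment but not via a new issue; either drop it for consistency or say that the asymmetry is intended. The fallback does fail closed on any `gh api` error (rate limit, network), which is the right default.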
63 changes: 50 additions & 13 deletions .github/workflows/opencode-gpt-5-codex.yml
@@ -11,33 +11,70 @@
types: [submitted]

jobs:
opencode:
timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
concurrency:
group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
# Check if the user is a member of liatrio-labs organization
check-org-membership:
runs-on: ubuntu-latest
if: |
(
github.event_name == 'issue_comment' &&
contains(github.event.comment.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '/oc-codex')
) || (
github.event_name == 'pull_request_review_comment' &&
contains(github.event.comment.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
contains(github.event.comment.body, '/oc-codex')
) || (
github.event_name == 'pull_request_review' &&
github.event.review.body != null &&
contains(github.event.review.body, '/oc-codex') &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
contains(github.event.review.body, '/oc-codex')
) || (
github.event_name == 'issues' &&
(
(github.event.issue.body != null && contains(github.event.issue.body, '/oc-codex')) ||
contains(github.event.issue.title, '/oc-codex')
) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
)
)
outputs:
is-authorized: ${{ steps.check.outputs.authorized }}
steps:
- name: Check authorization
id: check
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
ACTOR="${{ github.actor }}"
# Check if user is a repo collaborator/owner/member first
if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
AUTHOR_ASSOC="${{ github.event.review.author_association }}"
elif [[ "${{ github.event_name }}" == "issues" ]]; then
AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
fi
if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
echo "User is authorized via author_association: $AUTHOR_ASSOC"
echo "authorized=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Check if user is a member of liatrio-labs organization
if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
echo "User is authorized as liatrio-labs organization member"
echo "authorized=true" >> "$GITHUB_OUTPUT"
else
echo "User is not authorized"
echo "authorized=false" >> "$GITHUB_OUTPUT"
fi
opencode:
Comment on lines +16 to +71

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 1 month ago):

To resolve this issue, the best practice is to add an explicit permissions: block to the check-org-membership job, specifying the least privilege required for the job's function. Since the workflow job only uses the GITHUB_TOKEN to read metadata, the minimal permission should be contents: read. This should be added right below the runs-on key in the check-org-membership job (on line 16 or 17), ensuring that the job does not inherit potentially overly broad repository-level permissions.

Necessary change:

  • In file .github/workflows/opencode-gpt-5-codex.yml, in the check-org-membership job, add:
    permissions:
      contents: read
    directly after runs-on: ubuntu-latest, indented to align with the rest of the job configuration.

Suggested changeset 1: .github/workflows/opencode-gpt-5-codex.yml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/opencode-gpt-5-codex.yml b/.github/workflows/opencode-gpt-5-codex.yml
--- a/.github/workflows/opencode-gpt-5-codex.yml
+++ b/.github/workflows/opencode-gpt-5-codex.yml
@@ -14,6 +14,8 @@
   # Check if the user is a member of liatrio-labs organization
   check-org-membership:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: |
       (
         github.event_name == 'issue_comment' &&
EOF
Unable to commit as this autofix suggestion is now outdated
needs: check-org-membership
if: needs.check-org-membership.outputs.is-authorized == 'true'
timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
concurrency:
group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
cancel-in-progress: true
runs-on: ubuntu-latest
permissions:
contents: read
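Review bot: `ACTOR="${{ github.actor }}"` and the `"${{ github.event_name }}"` and `"${{ github.event.*.author_association }}"` comparisons interpolate expressions straight into the `run:` script; these particular values are constrained by GitHub (usernames, event names, an enum), so there is no injection here, but the pattern that stays safe when someone later adds a free-text field is to pass them through `env:` and read `$GITHUB_EVENT_NAME` and `$ACTOR` as shell variables. More importantly, this `check-org-membership` job is identical to the one in `.github/workflows/claude.yml` apart from the trigger string in the `if:`; extracting it into a reusable workflow (`workflow_call`) or a composite action means the missing `permissions:` block and any later change to the authorization logic are fixed once rather than in two copies that can drift.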
4 changes: 4 additions & 0 deletions .markdownlintrc
@@ -0,0 +1,4 @@
{
"MD036": false,
"MD040": false
}
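Review bot: disabling `MD040` here (fenced code blocks must declare a language) conflicts with commit `ba6f472` in this PR, which adds a language specifier to fix exactly that finding; if the rule is noisy on the research docs, prefer a per-file or per-block suppression rather than turning it off repository-wide, since an untagged fence also loses syntax highlighting for readers. The same question applies to `MD036`, given that `f3c2b1e` and `9565791` already convert emphasis to headings to satisfy it.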