diff --git a/.github/workflows/label-enforcer.yml b/.github/workflows/label-enforcer.yml
index 5b5812dffe..98b8a3f554 100644
--- a/.github/workflows/label-enforcer.yml
+++ b/.github/workflows/label-enforcer.yml
@@ -45,22 +45,28 @@ jobs:
 }
 try {
- // This will succeed with a 204 status if the user is a member,
- // and fail with a 404 error if they are not.
- await github.rest.teams.getMembershipForUserInOrg ({
- org,
- team_slug,
+ // Check repository permission level directly.
+ // This is more robust than team membership as it doesn't require Org-level read permissions
+ // and correctly handles Repo Admins/Writers who might not be in the specific team.
+ const { data: { permission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: org,
+ repo: context.repo.repo,
 username,
 });
- core.info(`${username} is a member of the ${team_slug} team. No action needed.`);
- } catch (error) {
- // If the error is not 404, rethrow it to fail the action
- if (error.status !== 404) {
- throw error;
+
+ if (permission === 'admin' || permission === 'write') {
+ core.info(`${username} has '${permission}' permission. Allowed.`);
+ return;
 }
- core.info(`${username} is not a member. Reverting '${action}' action for '${labelName}' label.`);
+ core.info(`${username} has '${permission}' permission (needs 'write' or 'admin'). Reverting '${action}' action for '${labelName}' label.`);
+ } catch (error) {
+ core.error(`Failed to check permissions for ${username}: ${error.message}`);
+ // Fall through to revert logic if we can't verify permissions (fail safe)
+ }
+ // If we are here, the user is NOT authorized.
+ if (true) { // wrapping block to preserve variable scope if needed
 if (action === 'labeled') {
 // 1. Remove the label if added by a non-maintainer
 await github.rest.issues.removeLabel ({