fix(automation): robust label enforcement with permission checks (#16762)

Bryan Morgan
2026-01-15 14:53:08 -05:00
committed by GitHub
parent c8670f8696
commit 48fdb9872f
+17 -11
@@ -45,22 +45,28 @@ jobs:
} }
try { try {
// This will succeed with a 204 status if the user is a member, // Check repository permission level directly.
// and fail with a 404 error if they are not. // This is more robust than team membership as it doesn't require Org-level read permissions
await github.rest.teams.getMembershipForUserInOrg ({ // and correctly handles Repo Admins/Writers who might not be in the specific team.
org, const { data: { permission } } = await github.rest.repos.getCollaboratorPermissionLevel({
team_slug, owner: org,
repo: context.repo.repo,
username, username,
}); });
core.info(`${username} is a member of the ${team_slug} team. No action needed.`);
} catch (error) { if (permission === 'admin' || permission === 'write') {
// If the error is not 404, rethrow it to fail the action core.info(`${username} has '${permission}' permission. Allowed.`);
if (error.status !== 404) { return;
throw error;
} }
core.info(`${username} is not a member. Reverting '${action}' action for '${labelName}' label.`); core.info(`${username} has '${permission}' permission (needs 'write' or 'admin'). Reverting '${action}' action for '${labelName}' label.`);
} catch (error) {
core.error(`Failed to check permissions for ${username}: ${error.message}`);
// Fall through to revert logic if we can't verify permissions (fail safe)
}
// If we are here, the user is NOT authorized.
if (true) { // wrapping block to preserve variable scope if needed
if (action === 'labeled') { if (action === 'labeled') {
// 1. Remove the label if added by a non-maintainer // 1. Remove the label if added by a non-maintainer
await github.rest.issues.removeLabel ({ await github.rest.issues.removeLabel ({