go back to token#65
Conversation
There was a problem hiding this comment.
Pull request overview
This PR reverts the survey-on-merged-pr reusable workflow back to using a GitHub App token (client-id/private-key) instead of the built-in GITHUB_TOKEN. The motivation, per the description, is that the built-in token cannot read private organization membership, which is required to correctly determine whether a PR author is an org member. The workflow now mints an installation token via actions/create-github-app-token and performs the membership check at runtime via the API, rather than relying on author_association in the job if: condition.
Changes:
- Adds required
client_idinput andprivate_keysecret to the reusable workflow, and mints an app token withpull-requests: writeandmembers: read. - Replaces the static
author_associationfiltering in theif:with a runtimegh api orgs/$ORG/members/$USERNAMEcheck, so private org members are correctly detected. - Updates the README to document the new input/secret, drops the obsolete "Required permissions" section, and updates the caller example.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/survey-on-merged-pr.yml |
Adds app-token minting, new input/secret, and moves the org-membership check to a runtime API call. |
survey-on-merged-pr/README.md |
Documents the new client_id input and private_key secret and updates the caller usage example. |
The changes are internally consistent: the README's inputs/secrets match the workflow, SURVEY_URL remains defined at the top-level env:, the app-token usage mirrors the established pattern in pull-request-dashboard-repo.yml, and the membership-check exit-code handling is correct under set -euo pipefail. I did not identify concrete defects to flag. This is a security/authentication-adjacent change to a reusable workflow consumed across multiple repositories, so I am deferring the final call to a human reviewer.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
My changes to make it work without the need for the token failed because it can't read private members. Reverting to use the client-id/private-key instead