fix: use cascading org checks for PR redirect workflow #586
brandom-msft merged 1 commit into main on Mar 9, 2026
Replace the single 'microsoft' org membership check with a multi-signal cascade that catches internal contributors with private org membership:

1. Check microsoft-foundry org membership (full GITHUB_TOKEN visibility)
2. Check repo collaborator status
3. Check microsoft org membership (public members fallback)

Also adds members: read permission and debug logging.

Fixes misidentification of internal contributors like #574 where a Microsoft docs writer was incorrectly treated as an external contributor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
👋 Thanks for your contribution, @brandom-msft! This repository is read-only. As a Microsoft contributor, please submit your PR to the private staging repository instead: See CONTRIBUTING.md for full instructions.
glecaros approved these changes Mar 9, 2026

brandom-msft added a commit that referenced this pull request Mar 10, 2026
The 'members: read' permission key added in #586 is not a valid GitHub Actions permission, causing the workflow YAML to fail validation. This broke auto-closing of PRs (#587, #588). The repos.checkCollaborator API works with the default GITHUB_TOKEN repo access — no extra permission is needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem

The redirect workflow uses orgs.checkMembershipForUser against the microsoft org, but the GITHUB_TOKEN (scoped to microsoft-foundry) can only see public members. Contributors with private microsoft org membership (e.g., #574) are incorrectly treated as external.

Fix

Replace the single org check with a cascading multi-signal approach:

- microsoft-foundry org membership — full visibility via GITHUB_TOKEN
- microsoft org membership — catches public members as fallback

Any positive signal → internal contributor.

Also adds members: read permission (for the collaborator check) and debug logging that shows which signal matched in the workflow run logs.

Testing

- brandom-msft (microsoft-foundry member) → should match Signal 1 ✅
- aahill (microsoft member, likely not in microsoft-foundry) → should match Signal 2 or 3
- foundry-samples-repo-sync[bot] → skipped by bot allowlist
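
The cascade described in this pull request, sketched as an added example; it is not the workflow code merged here. The stub client, the `example-repo` name, the usernames and the `undetermined` verdict are assumptions made for illustration; the two API methods are the ones the PR text names.

```javascript
// Added example: the stub client, repo name and usernames are constructed.
const BOT_ALLOWLIST = new Set(['foundry-samples-repo-sync[bot]']);

// One probe: HTTP 204 means yes, a thrown 404 means no, any other failure is
// recorded as an error instead of being read as "not a member".
async function probe(name, call) {
  try {
    const res = await call();
    return { name, result: res.status === 204 ? 'yes' : 'no' };
  } catch (err) {
    if (err.status === 404) return { name, result: 'no' };
    return { name, result: 'error', status: err.status };
  }
}

// Cascade: the first positive signal wins. The 'undetermined' verdict is an
// assumption of this sketch, used when a check failed and none matched.
async function classifyAuthor(github, { owner, repo, username }) {
  if (BOT_ALLOWLIST.has(username)) return { verdict: 'skipped', signal: 'bot-allowlist', errors: [] };
  const checks = [
    ['microsoft-foundry org member', () => github.rest.orgs.checkMembershipForUser({ org: 'microsoft-foundry', username })],
    ['repo collaborator', () => github.rest.repos.checkCollaborator({ owner, repo, username })],
    ['microsoft org member', () => github.rest.orgs.checkMembershipForUser({ org: 'microsoft', username })],
  ];
  const errors = [];
  for (const [name, call] of checks) {
    const r = await probe(name, call);
    console.log(`signal "${name}" for ${username}: ${r.result}`); // shows which signal matched
    if (r.result === 'yes') return { verdict: 'internal', signal: name, errors };
    if (r.result === 'error') errors.push(r);
  }
  return { verdict: errors.length ? 'undetermined' : 'external', signal: null, errors };
}

// Constructed stand-in for an Octokit-style client (assumed github.rest.* shape).
function stubClient({ orgMembers = {}, collaborators = [], failOrg = null } = {}) {
  const fail = (status) => Promise.reject(Object.assign(new Error(String(status)), { status }));
  const answer = (ok) => (ok ? Promise.resolve({ status: 204 }) : fail(404));
  return { rest: {
    orgs: { checkMembershipForUser: ({ org, username }) =>
      (org === failOrg ? fail(403) : answer((orgMembers[org] || []).includes(username))) },
    repos: { checkCollaborator: ({ username }) => answer(collaborators.includes(username)) },
  } };
}
```

Keeping API failures separate from a 404 makes a permission or transient error visible in the run log instead of silently classifying the author as external.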