fix(ci): check author_association before API calls in vouch gate (NVIDIA#442)

johntmyers · linuxdevel · commit dffb3487b9ee · 2026-03-23T09:54:00.000+01:00
The vouch-check workflow was closing PRs from NVIDIA org members because the GITHUB_TOKEN lacks read:org scope, causing orgs.checkMembershipForUser to return 404 for non-public members. The catch block silently swallowed these as expected 'not found' responses. Add an author_association check from the webhook payload as the primary bypass. GitHub sets this field server-side (MEMBER, OWNER, COLLABORATOR) regardless of membership visibility, with no extra token permissions needed. The existing API calls are kept as fallbacks. Fixes the false positive that closed NVIDIA#430. Co-authored-by: John Myers <johntmyers@users.noreply.github.com>
diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml
@@ -19,21 +19,33 @@ jobs:
           script: |
             const author = context.payload.pull_request.user.login;
             const authorType = context.payload.pull_request.user.type;
+            const authorAssociation = context.payload.pull_request.author_association;
 
             // Skip bots (dependabot, renovate, github-actions, etc.).
             if (authorType === 'Bot') {
               console.log(`${author} is a bot. Skipping vouch check.`);
               return;
             }
 
+            // Check author_association from the webhook payload. This is set by
+            // GitHub itself and doesn't require extra token permissions, so it
+            // works reliably for org members even when their membership is private.
+            const trustedAssociations = ['MEMBER', 'OWNER', 'COLLABORATOR'];
+            if (trustedAssociations.includes(authorAssociation)) {
+              console.log(`${author} has author_association=${authorAssociation}. Skipping vouch check.`);
+              return;
+            }
+
+            // Fallback: explicit API checks in case author_association is unexpected.
+
             // Check org membership — members bypass the vouch gate.
             try {
               const { status } = await github.rest.orgs.checkMembershipForUser({
                 org: context.repo.owner,
                 username: author,
               });
               if (status === 204 || status === 302) {
-                console.log(`${author} is an org member. Skipping vouch check.`);
+                console.log(`${author} is an org member (API). Skipping vouch check.`);
                 return;
               }
             } catch (e) {
@@ -50,7 +62,7 @@ jobs:
                 username: author,
               });
               if (status === 204) {
-                console.log(`${author} is a collaborator. Skipping vouch check.`);
+                console.log(`${author} is a collaborator (API). Skipping vouch check.`);
                 return;
               }
             } catch (e) {
