commit 3383000fdc81e591858098f2e38d8e194f867cdb
parent 8efd9e3a86285b7268b2ea85ba016588ed3bf3c5
Author: Olivier Mehani <omehani@mozilla.com>
Date: Mon, 22 Dec 2025 21:11:35 +0000
Bug 2001552 - workflows: Use actions/create-github-app-token to get a GH_TOKEN with org access r=suhaib DOT_GITHUB_OVERRIDE
Workflows don't get access to organisation metadata via the
GITHUB_TOKEN. We use the Lando Web App to obtain a token with sufficient
permissions.
This requires vars.LANDO_WEB_APP_ID [0] and
secrets.LANDO_WEB_APP_PRIVATE_KEY [1] to be set appropriately in the
repository settings.
The app needs Organizations/Members read permission.
[0] https://github.com/mozilla-conduit/ff-test/settings/variables/actions
[1] https://github.com/mozilla-conduit/ff-test/settings/secrets/actions
Differential Revision: https://phabricator.services.mozilla.com/D276782
Diffstat:
1 file changed, 15 insertions(+), 0 deletions(-)
diff --git a/.github/workflows/pr-handler.yml b/.github/workflows/pr-handler.yml
@@ -31,11 +31,25 @@ jobs:
handle-pr:
runs-on: ubuntu-latest
steps:
+
+ # Workflows don't get access to organisation metadata via the GITHUB_TOKEN.
+ # We use the Lando Web App to obtain a token with sufficient permissions.
+ - name: Generate a Lando Web token
+ id: generate-lando-web-token
+ uses: actions/create-github-app-token@v2
+ continue-on-error: true
+ with:
+ app-id: ${{ vars.LANDO_WEB_APP_ID }}
+ private-key: ${{ secrets.LANDO_WEB_APP_PRIVATE_KEY }}
+ permission-members: read
+
- name: Check team membership
id: team
+ continue-on-error: true
env:
AUTHOR: ${{ github.actor }}
GH_ORG: ${{ github.repository_owner }}
+ GH_TOKEN: ${{ steps.generate-lando-web-token.outputs.token }}
run: |
if gh api "/orgs/${GH_ORG}/teams/${ALLOWED_TEAM}/memberships/${AUTHOR}" --silent 2>/dev/null; then
echo "is_member=true" >> $GITHUB_OUTPUT
@@ -45,6 +59,7 @@ jobs:
- name: Check allowed paths
id: paths
+ continue-on-error: true
if: steps.team.outputs.is_member == 'true'
run: |
PATTERN=$(echo "${ALLOWED_PATHS}" | xargs | tr ' ' '|')