Check k3s-io organization membership not team membership for trivy sc…

…ans (k3s-io#10940) Signed-off-by: Derek Nola <derek.nola@suse.com>
dereknola · Sep 24, 2024 · 3a268ac · 3a268ac
1 parent 6731f4a
commit 3a268ac
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -14,19 +14,20 @@ jobs:
     - name: Check if comment author is a member of k3s-dev team
       uses: actions/github-script@v7
       with:
+        # Catch 404 errors if user is not a member of the organization
+        # 302 is expected as the GHA is not a member of the organization
+        # Users must be set their membership to public for this to work
+        # https://github.com/orgs/k3s-io/people
         script: |
           const org = context.repo.owner;
-          const team_slug = 'k3s-dev';
           const username = context.payload.comment.user.login;
-
-          const { data: membership } = await github.rest.teams.getMembershipForUserInOrg({
-            org,
-            team_slug,
-            username
-          });
-
-          if (membership.state !== 'active') {
-            core.setFailed(`User ${username} is not an active member of the ${team_slug} team`);
+          try {
+            const result = await github.rest.orgs.checkMembershipForUser({
+              org,
+              username,
+            });
+          } catch (error) {
+            core.setFailed(`User ${username} is not an public member of the ${org} organization`);
           }
     - name: Checkout PR code
       uses: actions/checkout@v4
@@ -87,6 +88,8 @@ jobs:
     if: always() && needs.trivy_scan.result == 'failure'
     permissions:
       pull-requests: write
+    env:
+      GH_TOKEN: ${{ github.token }}
     steps:
       - name: Report Failure
         run: |