Add organization membership check and PAT support

- Added organization membership verification for issue requests
- Added personal access token support for custom commit attribution
- Updated documentation with new features
- Bumped version to 0.6.0

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: phernandez

README.md

@@ -30,7 +30,7 @@ on:
 
 jobs:
   claude-integration:
-    uses: fractureinc/claude-code-github-action/.github/workflows/claude-full.yml@v0.5.6
+    uses: fractureinc/claude-code-github-action/.github/workflows/claude-full.yml@v0.6.0
     with:
       issue-label: 'claude-fix'  # Optional: customize the trigger label
     secrets:
@@ -47,7 +47,7 @@ on:
 
 jobs:
   claude-label-fix:
-    uses: fractureinc/claude-code-github-action/.github/workflows/claude-label-fix.yml@v0.5.6
+    uses: fractureinc/claude-code-github-action/.github/workflows/claude-label-fix.yml@v0.6.0
     with:
       issue-label: 'claude-fix'  # Must match your chosen label
     secrets:
@@ -97,30 +97,36 @@ The reusable workflows support several configuration options:
 ```yaml
 jobs:
   claude-integration:
-    uses: fractureinc/claude-code-github-action/.github/workflows/claude-full.yml@v0.5.6
+    uses: fractureinc/claude-code-github-action/.github/workflows/claude-full.yml@v0.6.0
     with:
       # All parameters are optional with sensible defaults
-      issue-label: 'claude-fix'  # Label that triggers issue fixes
-      branch-prefix: 'fix'       # Prefix for branches created by fixes
-      debug-mode: false          # Enable verbose logging
-      strict-mode: true          # When false, allows Claude to add improvements
+      issue-label: 'claude-fix'    # Label that triggers issue fixes
+      branch-prefix: 'fix'         # Prefix for branches created by fixes
+      require-org-membership: true # Only process issues from org members
+      organization: 'my-org'       # Organization to check membership against
+      debug-mode: false            # Enable verbose logging
+      strict-mode: true            # When false, allows Claude to add improvements
     secrets:
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}  # Optional: For commit attribution
 ```
 
 ### Label-Based Integration (`claude-label-fix.yml`)
 
 ```yaml
 jobs:
   claude-label-fix:
-    uses: fractureinc/claude-code-github-action/.github/workflows/claude-label-fix.yml@v0.5.6
+    uses: fractureinc/claude-code-github-action/.github/workflows/claude-label-fix.yml@v0.6.0
     with:
       # All parameters are optional with sensible defaults
-      issue-label: 'claude-fix'  # Must match the label you're using
-      branch-prefix: 'fix'       # Prefix for branches created by fixes
-      debug-mode: false          # Enable verbose logging
+      issue-label: 'claude-fix'    # Must match the label you're using
+      branch-prefix: 'fix'         # Prefix for branches created by fixes
+      require-org-membership: true # Only process issues from org members
+      organization: 'my-org'       # Organization to check membership against
+      debug-mode: false            # Enable verbose logging
     secrets:
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}  # Optional: For commit attribution
 ```
 
 Only repo maintainers with write access can add labels, providing security control over which issues Claude will fix.
@@ -145,14 +151,17 @@ When using our reusable workflows, you only need to configure a few key options:
 |-----------|-------------|---------|---------|
 | `issue-label` | Label that triggers issue fixes | `claude-fix` | Both workflows |
 | `branch-prefix` | Prefix for branches created by fixes | `fix` | Both workflows |
+| `require-org-membership` | Require the issue creator to be an organization member | `true` | Both workflows |
+| `organization` | Organization name to check membership against | Repository owner | Both workflows |
+| `personal-access-token` | Token for commits to override the default GitHub token | None | Both workflows |
 | `debug-mode` | Enable verbose logging | `false` | Both workflows |
 | `strict-mode` | Controls whether Claude adds improvements beyond what's requested | `true` | Comment workflow only |
 
 All parameters are optional and have sensible defaults.
 
 ## Enhanced Context for Claude
 
-With version 0.5.6, Claude now receives complete context for your PRs and issues, including:
+With version 0.6.0, Claude now receives complete context for your PRs and issues, including:
 
 - PR metadata (title, description, branch info)
 - Issue details (title, description, labels)
@@ -211,6 +220,8 @@ permissions:
 - Only users with appropriate GitHub permissions can trigger Claude Code actions
 - For issue fixes, using the label-based approach gives you more control over who can trigger code changes
 - The `strict-mode` parameter limits Claude to only making requested changes
+- The `require-org-membership` option ensures only organization members can use Claude for issues
+- Using a personal access token for commits ensures proper attribution and bypasses CLA requirements
 
 ## License
 

action.yml

@@ -29,6 +29,13 @@ inputs:
     description: 'Label that triggers issue fix workflows'
     required: false
     default: 'claude-fix'
+  require-org-membership:
+    description: 'Whether to require the issue creator to be an organization member to process the issue'
+    required: false
+    default: 'true'
+  organization:
+    description: 'The GitHub organization name to check membership against (defaults to the repo owner)'
+    required: false
   debug-mode:
     description: 'Enable full debug mode with shell tracing and Claude debug output'
     required: false
@@ -55,6 +62,9 @@ inputs:
   github-token:
     description: 'GitHub token for API access'
     required: true
+  personal-access-token:
+    description: 'Optional personal access token for commits, to override the default GitHub token'
+    required: false
   output-file:
     description: 'Path to write the output to (for direct mode)'
     required: false
@@ -111,11 +121,11 @@ runs:
       shell: bash
       run: |
         chmod +x ${{ github.action_path }}/scripts/issue-fix-mode.sh
-        ${{ github.action_path }}/scripts/issue-fix-mode.sh "${{ inputs.issue-number }}" "${{ inputs.repo-owner }}" "${{ inputs.repo-name }}" "${{ inputs.branch-prefix }}" "${{ inputs.anthropic-api-key }}" "${{ inputs.github-token }}" "${{ inputs.issue-label }}" "${{ inputs.debug-mode }}" "${{ inputs.feedback }}"
+        ${{ github.action_path }}/scripts/issue-fix-mode.sh "${{ inputs.issue-number }}" "${{ inputs.repo-owner }}" "${{ inputs.repo-name }}" "${{ inputs.branch-prefix }}" "${{ inputs.anthropic-api-key }}" "${{ inputs.github-token }}" "${{ inputs.issue-label }}" "${{ inputs.debug-mode }}" "${{ inputs.feedback }}" "${{ inputs.require-org-membership }}" "${{ inputs.organization }}" "${{ inputs.personal-access-token }}"
         
     - name: Process Issue Analysis
       if: inputs.mode == 'issue-analyze'
       shell: bash
       run: |
         chmod +x ${{ github.action_path }}/scripts/issue-analyze-mode.sh
-        ${{ github.action_path }}/scripts/issue-analyze-mode.sh "${{ inputs.issue-number }}" "${{ inputs.repo-owner }}" "${{ inputs.repo-name }}" "${{ inputs.anthropic-api-key }}" "${{ inputs.github-token }}" "${{ inputs.debug-mode }}" "${{ inputs.feedback }}"
+        ${{ github.action_path }}/scripts/issue-analyze-mode.sh "${{ inputs.issue-number }}" "${{ inputs.repo-owner }}" "${{ inputs.repo-name }}" "${{ inputs.anthropic-api-key }}" "${{ inputs.github-token }}" "${{ inputs.debug-mode }}" "${{ inputs.feedback }}" "${{ inputs.require-org-membership }}" "${{ inputs.organization }}"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-code-github-action",
-  "version": "0.5.6",
+  "version": "0.6.0",
   "description": "GitHub action for Claude Code Integration in PR comments, reviews, inline code suggestions, and issue-based fixes",
   "main": "index.js",
   "scripts": {

scripts/issue-analyze-mode.sh

@@ -10,6 +10,8 @@ ANTHROPIC_API_KEY=$4
 GITHUB_TOKEN=$5
 DEBUG_MODE=${6:-"false"}
 FEEDBACK=$7
+REQUIRE_ORG_MEMBERSHIP=${8:-"true"}
+ORGANIZATION=${9:-$REPO_OWNER}
 
 # Enable debug mode if requested
 if [[ "$DEBUG_MODE" == "true" ]]; then
@@ -92,7 +94,7 @@ else
   FULL_REPO="$REPO_OWNER/$REPO_NAME"
 fi
 echo "Using repository: $FULL_REPO"
-if ! ISSUE_DETAILS=$(gh issue view $ISSUE_NUMBER --repo "$FULL_REPO" --json title,body,labels); then
+if ! ISSUE_DETAILS=$(gh issue view $ISSUE_NUMBER --repo "$FULL_REPO" --json title,body,labels,author); then
   echo "Error fetching issue details"
   exit 1
 fi
@@ -101,6 +103,39 @@ fi
 ISSUE_TITLE=$(echo "$ISSUE_DETAILS" | jq -r '.title')
 ISSUE_BODY=$(echo "$ISSUE_DETAILS" | jq -r '.body')
 ISSUE_LABELS=$(echo "$ISSUE_DETAILS" | jq -r '.labels[].name' | tr '\n' ',' | sed 's/,$//' || echo "none")
+ISSUE_AUTHOR=$(echo "$ISSUE_DETAILS" | jq -r '.author.login')
+
+# Check if user is a member of the organization if required
+if [[ "$REQUIRE_ORG_MEMBERSHIP" == "true" ]]; then
+  echo "Checking if $ISSUE_AUTHOR is a member of organization $ORGANIZATION"
+  ORG_CHECK=$(gh api -X GET /orgs/$ORGANIZATION/members/$ISSUE_AUTHOR --silent -i || true)
+  STATUS_CODE=$(echo "$ORG_CHECK" | head -n 1 | cut -d' ' -f2)
+  
+  if [[ "$STATUS_CODE" != "204" ]]; then
+    echo "User $ISSUE_AUTHOR is not a member of organization $ORGANIZATION. Skipping Claude analysis."
+    
+    # Leave a comment on the issue explaining why the analysis is skipped
+    ISSUE_COMMENT=$(cat <<EOF
+# Claude Code Analysis Skipped
+
+Sorry, Claude Code can only analyze issues created by organization members.
+
+This is to prevent API usage from users outside the organization.
+
+---
+🤖 Generated with Claude Code GitHub Action
+EOF
+)
+    
+    echo "Adding comment to issue #$ISSUE_NUMBER explaining why analysis was skipped"
+    gh issue comment "$ISSUE_NUMBER" --repo "$FULL_REPO" --body "$ISSUE_COMMENT"
+    
+    echo "Exiting due to non-organization member request"
+    exit 0
+  else
+    echo "User $ISSUE_AUTHOR is a member of organization $ORGANIZATION. Proceeding with Claude analysis."
+  fi
+fi
 
 # Create prompt for Claude
 CLAUDE_PROMPT=$(cat <<EOF

scripts/issue-fix-mode.sh

@@ -12,6 +12,9 @@ GITHUB_TOKEN=$6
 ISSUE_LABEL=${7:-"claude-fix"}
 DEBUG_MODE=${8:-"false"}
 FEEDBACK=$9
+REQUIRE_ORG_MEMBERSHIP=${10:-"true"}
+ORGANIZATION=${11:-$REPO_OWNER}
+PERSONAL_ACCESS_TOKEN=${12:-$GITHUB_TOKEN}
 
 # Enable debug mode if requested
 if [[ "$DEBUG_MODE" == "true" ]]; then
@@ -66,10 +69,34 @@ echo "Repo Owner: $REPO_OWNER"
 echo "Repo Name: $REPO_NAME"
 echo "Branch Prefix: ${BRANCH_PREFIX:-fix}"
 
-# Set up authentication
+# Set up authentication for GitHub CLI
 echo "$GITHUB_TOKEN" | gh auth login --with-token
 export ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY"
 
+# Set up git identity if personal access token is provided
+if [[ "$PERSONAL_ACCESS_TOKEN" != "$GITHUB_TOKEN" ]]; then
+  echo "Using personal access token for git operations"
+  
+  # Extract user info from the token
+  USER_INFO=$(curl -s -H "Authorization: token $PERSONAL_ACCESS_TOKEN" https://api.github.com/user)
+  GIT_USER_NAME=$(echo "$USER_INFO" | jq -r '.name // .login')
+  GIT_USER_EMAIL=$(echo "$USER_INFO" | jq -r '.email // "\(.login)@users.noreply.github.com"')
+  
+  # Configure git to use the personal identity
+  git config --global user.name "$GIT_USER_NAME"
+  git config --global user.email "$GIT_USER_EMAIL"
+  
+  # Set credentials for remote push
+  REPO_URL=$(git config --get remote.origin.url)
+  # Convert HTTP URLs to use token authentication
+  if [[ "$REPO_URL" == https://* ]]; then
+    NEW_REPO_URL="https://x-access-token:$PERSONAL_ACCESS_TOKEN@${REPO_URL#https://}"
+    git remote set-url origin "$NEW_REPO_URL"
+  fi
+else
+  echo "Using default GitHub token for git operations"
+fi
+
 # Check Claude CLI availability and version
 echo "Checking Claude CLI installation..."
 which claude || echo "Claude CLI not found in PATH"
@@ -99,7 +126,7 @@ else
   FULL_REPO="$REPO_OWNER/$REPO_NAME"
 fi
 echo "Using repository: $FULL_REPO"
-if ! ISSUE_DETAILS=$(gh issue view $ISSUE_NUMBER --repo "$FULL_REPO" --json title,body,labels); then
+if ! ISSUE_DETAILS=$(gh issue view $ISSUE_NUMBER --repo "$FULL_REPO" --json title,body,labels,author); then
   echo "Error fetching issue details"
   exit 1
 fi
@@ -108,6 +135,39 @@ fi
 ISSUE_TITLE=$(echo "$ISSUE_DETAILS" | jq -r '.title')
 ISSUE_BODY=$(echo "$ISSUE_DETAILS" | jq -r '.body')
 ISSUE_LABELS=$(echo "$ISSUE_DETAILS" | jq -r '.labels[].name' | tr '\n' ',' | sed 's/,$//' || echo "none")
+ISSUE_AUTHOR=$(echo "$ISSUE_DETAILS" | jq -r '.author.login')
+
+# Check if user is a member of the organization if required
+if [[ "$REQUIRE_ORG_MEMBERSHIP" == "true" ]]; then
+  echo "Checking if $ISSUE_AUTHOR is a member of organization $ORGANIZATION"
+  ORG_CHECK=$(gh api -X GET /orgs/$ORGANIZATION/members/$ISSUE_AUTHOR --silent -i || true)
+  STATUS_CODE=$(echo "$ORG_CHECK" | head -n 1 | cut -d' ' -f2)
+  
+  if [[ "$STATUS_CODE" != "204" ]]; then
+    echo "User $ISSUE_AUTHOR is not a member of organization $ORGANIZATION. Skipping Claude fix."
+    
+    # Leave a comment on the issue explaining why the fix is skipped
+    ISSUE_COMMENT=$(cat <<EOF
+# Claude Code Fix Skipped
+
+Sorry, Claude Code can only fix issues created by organization members.
+
+This is to prevent API usage from users outside the organization.
+
+---
+🤖 Generated with Claude Code GitHub Action
+EOF
+)
+    
+    echo "Adding comment to issue #$ISSUE_NUMBER explaining why fix was skipped"
+    gh issue comment "$ISSUE_NUMBER" --repo "$FULL_REPO" --body "$ISSUE_COMMENT"
+    
+    echo "Exiting due to non-organization member request"
+    exit 0
+  else
+    echo "User $ISSUE_AUTHOR is a member of organization $ORGANIZATION. Proceeding with Claude fix."
+  fi
+fi
 
 # Get repo info for default branch
 REPO_INFO=$(gh repo view "$FULL_REPO" --json name,description,defaultBranchRef)