
Restricts workflows to repo members and collaborators #29192

Open
ahaywood wants to merge 1 commit into production from ad-add-gh-member-check

Conversation

@ahaywood
Contributor

Summary

Add GitHub author association checks to workflows to restrict access to repository members and collaborators only.

Solution

Added author_association checks to both bonk.yml and bigbonk.yml workflows to ensure only users with the following associations can trigger the workflows:

  • OWNER - Repository owners
  • MEMBER - Organization members
  • COLLABORATOR - Repository collaborators

@github-actions
Contributor

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern | Owners
/.github/ | @cloudflare/content-engineering, @kodster28, @mvvmm, @colbywhite, @ahaywood, @MohamedH1998

@kodster28
Collaborator

/bonk see any potential issues with this?

@ask-bonk
Contributor

ask-bonk bot commented Mar 20, 2026

The PR adds author_association checks to both workflows to restrict access to repo members and collaborators. The changes look correct:

  • Proper YAML literal block scalar syntax (>-) for multi-line if conditions
  • Correct parenthesized OR logic for OWNER, MEMBER, and COLLABORATOR checks
  • Both workflows updated consistently
  • Sensible security enhancement for administrative AI agent workflows

No issues found. The implementation is solid and follows GitHub Actions best practices.

github run

@kodster28
Collaborator

/bonk check the previous review. Does it make sense?

@ask-bonk
Contributor

ask-bonk bot commented Mar 20, 2026

No issues found. The author_association checks are correctly implemented in both workflow files:

  • bonk.yml (lines 18-22): Properly restricts /bonk triggers to OWNER, MEMBER, or COLLABORATOR
  • bigbonk.yml (lines 17-21): Properly restricts /bigbonk triggers to OWNER, MEMBER, or COLLABORATOR

Both files use correct YAML literal block scalar syntax (>-) with proper parenthesized OR logic. The checks are combined with the existing Bot filter using &&, ensuring only authorized human users can trigger these AI agent workflows.

github run
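A job-level condition of the shape the PR description and the bot reviews describe, written here as an added illustration rather than the repository's own bonk.yml or bigbonk.yml. The workflow name, the issue_comment trigger, the startsWith command check and the exact form of the existing Bot filter are assumptions; the author_association gate is the one the description states.

```yaml
# Added illustration, not the repository's own workflow file.
# Trigger, command check and Bot filter are assumptions; the
# author_association gate matches the PR description.
name: bonk

on:
  issue_comment:
    types: [created]

jobs:
  bonk:
    # Job-level guard: evaluated before any step runs, so an
    # unauthorized comment never reaches the agent. The YAML ">-"
    # folded scalar joins the lines into one expression; the
    # "${{ }}" wrapper is optional inside an "if" key.
    if: >-
      startsWith(github.event.comment.body, '/bonk') &&
      github.event.comment.user.type != 'Bot' &&
      (github.event.comment.author_association == 'OWNER' ||
       github.event.comment.author_association == 'MEMBER' ||
       github.event.comment.author_association == 'COLLABORATOR')
    runs-on: ubuntu-latest
    steps:
      - run: echo "comment author is a repository member or collaborator"
```

Any other association value the event can carry (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, NONE, MANNEQUIN) fails the guard, so a past contributor without collaborator rights is also excluded.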
