revert: switch to public membership only approach

Remove fine-grained token implementation and revert to checking only
public organization membership using default GITHUB_TOKEN:

- Remove github_token input parameter from action
- Remove token passing from workflow
- Update logic to only detect public members (HTTP 200 + content)
- Block private members and provide clear instructions to make membership public
- Update documentation to explain public membership requirement
- Add helpful messaging directing users to github.com/orgs/dotCMS/people

This approach requires dotCMS team members to make their org membership
public to access Claude workflows, but avoids token management complexity.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: sfreudenthaler

.github/actions/security/org-membership-check/README.md

@@ -5,15 +5,15 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
 ## Security Features
 
 - **Hardcoded Organization**: The organization name "dotCMS" is hardcoded and cannot be overridden
-- **No Information Leakage**: Does not distinguish between public/private membership in outputs
+- **Public Membership Only**: Only detects public organization members for security
+- **Clear Instructions**: Provides guidance for private members to make membership public
 - **Graceful Error Handling**: Returns clear status without exposing internal API details
 
 ## Inputs
 
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
 | `username` | GitHub username to check | Yes | N/A |
-| `github_token` | Fine-grained GitHub token with organization membership read permissions | Yes | N/A |
 
 ## Outputs
 
@@ -30,7 +30,6 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
   uses: ./.github/actions/security/org-membership-check
   with:
     username: ${{ github.actor }}
-    github_token: ${{ secrets.MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK }}
 
 - name: Conditional step based on membership
   if: steps.membership-check.outputs.is_member == 'true'
@@ -41,23 +40,27 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
 
 The action uses the GitHub CLI (`gh`) with the repository's `GITHUB_TOKEN` to check organization membership via the GitHub API endpoint `GET /orgs/dotCMS/members/{username}`.
 
-**Key Design Decision: Status Code vs Response Body**
+**Important Limitation: Public Membership Only**
 
-The action relies on HTTP status codes rather than parsing response content because:
+This approach only detects users with **public** organization membership:
 
-- **HTTP 200 (Success)**: User is a member of the organization
-  - Public members: API returns user object with populated fields
-  - Private members: API returns empty response body (but still 200 OK)
+- **HTTP 200 + user object**: User is a PUBLIC member → **AUTHORIZED**
+- **HTTP 404**: User has private membership OR is not a member → **BLOCKED**
 
-- **HTTP 404 (Not Found)**: User is not a member of the organization
-  - Returns error object with "Not Found" message
+**For dotCMS Team Members with Private Membership:**
 
-This approach correctly authorizes all organization members (including owners with private membership) without needing to handle different response formats or visibility settings.
+If you are a dotCMS organization member but have private membership visibility, you must make your membership public to access Claude workflows:
+
+1. Visit: https://github.com/orgs/dotCMS/people
+2. Find your username in the list
+3. Click "Make public" next to your name
+
+This ensures the security gate can detect your organization membership without requiring additional API tokens.
 
 ## Security Considerations
 
 - Only checks membership in the dotCMS organization (hardcoded)
-- Does not expose whether membership is public or private
+- Only authorizes users with public organization membership
 - Logs authorization results without sensitive details
-- Uses fine-grained token with minimal required permissions (organization membership read)
-- Token should be regularly rotated and monitored for usage
+- Uses default GITHUB_TOKEN (no additional secrets required)
+- Provides clear instructions for private members to become public

.github/actions/security/org-membership-check/action.yml

@@ -5,9 +5,6 @@ inputs:
   username:
     description: 'GitHub username to check'
     required: true
-  github_token:
-    description: 'Fine-grained GitHub token with organization membership read permissions'
-    required: true
 
 outputs:
   is_member:
@@ -26,44 +23,38 @@ runs:
       run: |
         echo "Checking organization membership for user: ${{ inputs.username }} in dotCMS organization"
 
-        # Use GitHub CLI to check organization membership
-        # This uses a fine-grained token with organization membership read permissions
+        # Use GitHub CLI to check PUBLIC organization membership
+        # This uses the default GITHUB_TOKEN and only detects public members
 
         set +e  # Don't exit on error, we want to handle it gracefully
 
-        # Check organization membership using GitHub API
-        #
-        # IMPORTANT: We check the HTTP status code (via exit code) rather than parsing
-        # the response body because GitHub's membership API has specific behavior:
+        # Check PUBLIC organization membership using GitHub API
         #
-        # HTTP 200 (exit code 0) = User IS a member (regardless of response content)
-        #   - Public member: Returns user object with populated fields
-        #   - Private member: Returns empty response body (but still 200 OK)
+        # IMPORTANT: This approach only detects PUBLIC organization members.
+        # Private members will appear as non-members and be blocked.
         #
-        # HTTP 404 (exit code 1) = User is NOT a member
-        #   - Returns {"message":"Not Found",...} error response
+        # API Behavior:
+        # - HTTP 200 + user object = Public member (AUTHORIZED)
+        # - HTTP 404 = Private member OR non-member (BLOCKED)
         #
-        # This approach correctly handles both public and private organization members
-        # without needing to distinguish between their visibility settings.
+        # Team members with private membership must make their membership public
+        # to access Claude workflows: github.com/orgs/dotCMS/people
 
-        response=$(gh api orgs/dotCMS/members/${{ inputs.username }} \
-          --header "Authorization: token ${{ inputs.github_token }}" 2>/dev/null)
+        echo "Checking PUBLIC organization membership for ${{ inputs.username }} in dotCMS..."
+
+        response=$(gh api orgs/dotCMS/members/${{ inputs.username }} 2>/dev/null)
         api_exit_code=$?
 
-        if [ $api_exit_code -eq 0 ]; then
-          # HTTP 200: User is a member (public or private)
-          # We check response content only for logging clarity, not authorization logic
-          if [ -n "$response" ]; then
-            echo "✅ User ${{ inputs.username }} is a member of dotCMS (public membership)"
-          else
-            echo "✅ User ${{ inputs.username }} is a member of dotCMS (private membership)"
-          fi
+        if [ $api_exit_code -eq 0 ] && [ -n "$response" ]; then
+          # HTTP 200 with content: User is a PUBLIC member
+          echo "✅ User ${{ inputs.username }} is a PUBLIC member of dotCMS"
           echo "is_member=true" >> $GITHUB_OUTPUT
           echo "membership_status=member" >> $GITHUB_OUTPUT
         else
-          # HTTP 404 or other error: User is not a member
-
-          echo "❌ User ${{ inputs.username }} is not a member of dotCMS (API exit code: $api_exit_code)"
+          # HTTP 404 or empty response: Private member or non-member
+          echo "❌ User ${{ inputs.username }} is not a PUBLIC member of dotCMS"
+          echo "⚠️  If you are a dotCMS team member with private membership, please make it public:"
+          echo "   Visit: https://github.com/orgs/dotCMS/people"
           echo "is_member=false" >> $GITHUB_OUTPUT
           echo "membership_status=non-member" >> $GITHUB_OUTPUT
         fi

.github/workflows/issue_comment_claude-code-review.yaml

@@ -37,14 +37,15 @@ jobs:
         uses: ./.github/actions/security/org-membership-check
         with:
           username: ${{ github.event.comment.user.login || github.actor }}
-          github_token: ${{ secrets.MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK }}
 
       - name: Log security decision
         run: |
           if [ "${{ steps.membership-check.outputs.is_member }}" = "true" ]; then
-            echo "✅ Access granted: User is a dotCMS organization member"
+            echo "✅ Access granted: User is a PUBLIC dotCMS organization member"
           else
-            echo "❌ Access denied: User is not a dotCMS organization member"
+            echo "❌ Access denied: User is not a PUBLIC dotCMS organization member"
+            echo "⚠️  If you are a dotCMS team member, please make your membership public:"
+            echo "   Visit: https://github.com/orgs/dotCMS/people"
             echo "::warning::Unauthorized user attempted to trigger Claude workflow: ${{ github.event.comment.user.login || github.actor }}"
           fi