feat: use fine-grained token for organization membership checking

sfreudenthaler · claude · sfreudenthaler · commit b321687263da · 2025-09-26T23:06:50.000-04:00
Switch from GITHUB_TOKEN to fine-grained token with membership read permissions: - Resolves private membership visibility issues - Uses MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK fine-grained token - Enables checking both public and private organization members - Updates action to accept github_token input parameter - Updates workflow to pass fine-grained token secret to action - Updates documentation with fine-grained token requirements This should now correctly authorize sfreudenthaler and other private members. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/actions/security/org-membership-check/README.md b/.github/actions/security/org-membership-check/README.md
@@ -13,6 +13,7 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
 | `username` | GitHub username to check | Yes | N/A |
+| `github_token` | Fine-grained GitHub token with organization membership read permissions | Yes | N/A |
 
 ## Outputs
 
@@ -29,6 +30,7 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
   uses: ./.github/actions/security/org-membership-check
   with:
     username: ${{ github.actor }}
+    github_token: ${{ secrets.MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK }}
 
 - name: Conditional step based on membership
   if: steps.membership-check.outputs.is_member == 'true'
@@ -37,7 +39,12 @@ This composite action checks if a GitHub user is a member of the dotCMS organiza
 
 ## Implementation Details
 
-The action uses the GitHub CLI (`gh`) with the repository's `GITHUB_TOKEN` to check organization membership via the GitHub API endpoint `GET /orgs/dotCMS/members/{username}`.
+The action uses the GitHub CLI (`gh`) with a fine-grained GitHub token to check organization membership via the GitHub API endpoint `GET /orgs/dotCMS/members/{username}`.
+
+**Token Requirements:**
+- Fine-grained token with organization membership read permissions
+- Should be from a machine/service account for security
+- Stored as repository secret: `MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK`
 
 **Key Design Decision: Status Code vs Response Body**
 
@@ -57,4 +64,5 @@ This approach correctly authorizes all organization members (including owners wi
 - Only checks membership in the dotCMS organization (hardcoded)
 - Does not expose whether membership is public or private
 - Logs authorization results without sensitive details
-- Uses repository's built-in `GITHUB_TOKEN` for API access
+- Uses fine-grained token with minimal required permissions (organization membership read)
+- Token should be regularly rotated and monitored for usage
diff --git a/.github/actions/security/org-membership-check/action.yml b/.github/actions/security/org-membership-check/action.yml
@@ -5,6 +5,9 @@ inputs:
   username:
     description: 'GitHub username to check'
     required: true
+  github_token:
+    description: 'Fine-grained GitHub token with organization membership read permissions'
+    required: true
 
 outputs:
   is_member:
@@ -24,31 +27,30 @@ runs:
         echo "Checking organization membership for user: ${{ inputs.username }} in dotCMS organization"
 
         # Use GitHub CLI to check organization membership
-        # This uses the GITHUB_TOKEN which has read access to organization membership
+        # This uses a fine-grained token with organization membership read permissions
 
         set +e  # Don't exit on error, we want to handle it gracefully
 
-        # Check organization membership using GitHub API
-        #
-        # IMPORTANT: We check the HTTP status code (via exit code) rather than parsing
-        # the response body because GitHub's membership API has specific behavior:
+        # Check organization membership using GitHub API with fine-grained token
         #
-        # HTTP 200 (exit code 0) = User IS a member (regardless of response content)
-        #   - Public member: Returns user object with populated fields
-        #   - Private member: Returns empty response body (but still 200 OK)
+        # Uses a fine-grained token with organization membership read permissions
+        # to check both public and private organization membership reliably.
         #
-        # HTTP 404 (exit code 1) = User is NOT a member
-        #   - Returns {"message":"Not Found",...} error response
-        #
-        # This approach correctly handles both public and private organization members
-        # without needing to distinguish between their visibility settings.
+        # API Behavior:
+        # - HTTP 200 + user object = Public member
+        # - HTTP 200 + empty response = Private member
+        # - HTTP 404 = Not a member
+        # - Other errors = API/token issues
+
+        echo "Checking organization membership for ${{ inputs.username }} in dotCMS..."
 
-        response=$(gh api orgs/dotCMS/members/${{ inputs.username }} 2>/dev/null)
+        # Use the provided fine-grained token instead of default GITHUB_TOKEN
+        response=$(gh api orgs/dotCMS/members/${{ inputs.username }} \
+          --header "Authorization: token ${{ inputs.github_token }}" 2>/dev/null)
         api_exit_code=$?
 
         if [ $api_exit_code -eq 0 ]; then
           # HTTP 200: User is a member (public or private)
-          # We check response content only for logging clarity, not authorization logic
           if [ -n "$response" ]; then
             echo "✅ User ${{ inputs.username }} is a member of dotCMS (public membership)"
           else
@@ -57,7 +59,7 @@ runs:
           echo "is_member=true" >> $GITHUB_OUTPUT
           echo "membership_status=member" >> $GITHUB_OUTPUT
         else
-          # HTTP 404 or other error: User is not a member
+          # HTTP 404 or other error: User is not a member or API issue
           echo "❌ User ${{ inputs.username }} is not a member of dotCMS (API exit code: $api_exit_code)"
           echo "is_member=false" >> $GITHUB_OUTPUT
           echo "membership_status=non-member" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/issue_comment_claude-code-review.yaml b/.github/workflows/issue_comment_claude-code-review.yaml
@@ -22,6 +22,11 @@ jobs:
   # Security gate: Check if user is dotCMS organization member
   security-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read           # Allow repository checkout
+      metadata: read          # Allow reading repository metadata
+      # Note: Organization membership checking uses the actor's permissions
+      # not the GITHUB_TOKEN, so no additional permissions needed for that API
     outputs:
       authorized: ${{ steps.membership-check.outputs.is_member }}
     steps:
@@ -33,6 +38,7 @@ jobs:
         uses: ./.github/actions/security/org-membership-check
         with:
           username: ${{ github.event.comment.user.login || github.actor }}
+          github_token: ${{ secrets.MACHINE_USER_CORE_ORG_MEMBERSHIP_CHECK }}
 
       - name: Log security decision
         run: |
