Enable automatic workflow approval for Liatrio Labs organization members

This commit updates the Claude Code and OpenCode GPT-5 Codex workflows to
automatically allow workflow execution for members of the liatrio-labs
GitHub organization without requiring manual approval.

Changes:
- Added check-org-membership job to both workflows
- Checks author_association first (OWNER, MEMBER, COLLABORATOR)
- Falls back to checking liatrio-labs organization membership via GitHub API
- Main workflow jobs now depend on authorization check passing

This ensures that:
1. Existing collaborators continue to work without changes
2. Any member of liatrio-labs organization can trigger workflows
3. Non-members and non-collaborators are still blocked

🤖 Generated with Claude Code

Co-Authored-By: Claude <[email protected]>

Author: iaminawe

.github/workflows/claude.yml

@@ -11,33 +11,70 @@ on:
     types: [submitted]
 
 jobs:
-  claude:
-    timeout-minutes: 10
-    concurrency:
-      group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
-      cancel-in-progress: true
+  # Check if the user is a member of liatrio-labs organization
+  check-org-membership:
+    runs-on: ubuntu-latest
     if: |
       (
         github.event_name == 'issue_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+        contains(github.event.comment.body, '@claude')
       ) || (
         github.event_name == 'pull_request_review_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+        contains(github.event.comment.body, '@claude')
       ) || (
         github.event_name == 'pull_request_review' &&
         github.event.review.body != null &&
-        contains(github.event.review.body, '@claude') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
+        contains(github.event.review.body, '@claude')
       ) || (
         github.event_name == 'issues' &&
         (
           (github.event.issue.body != null && contains(github.event.issue.body, '@claude')) ||
           contains(github.event.issue.title, '@claude')
-        ) &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+        )
       )
+    outputs:
+      is-authorized: ${{ steps.check.outputs.authorized }}
+    steps:
+      - name: Check authorization
+        id: check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ACTOR="${{ github.actor }}"
+
+          # Check if user is a repo collaborator/owner/member first
+          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
+            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            AUTHOR_ASSOC="${{ github.event.review.author_association }}"
+          elif [[ "${{ github.event_name }}" == "issues" ]]; then
+            AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
+          fi
+
+          if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
+            echo "User is authorized via author_association: $AUTHOR_ASSOC"
+            echo "authorized=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Check if user is a member of liatrio-labs organization
+          if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
+            echo "User is authorized as liatrio-labs organization member"
+            echo "authorized=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "User is not authorized"
+            echo "authorized=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  claude:
+    needs: check-org-membership
+    if: needs.check-org-membership.outputs.is-authorized == 'true'
+    timeout-minutes: 10
+    concurrency:
+      group: claude-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: true
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/opencode-gpt-5-codex.yml

@@ -11,33 +11,70 @@ on:
     types: [submitted]
 
 jobs:
-  opencode:
-    timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
-    concurrency:
-      group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
-      cancel-in-progress: true
+  # Check if the user is a member of liatrio-labs organization
+  check-org-membership:
+    runs-on: ubuntu-latest
     if: |
       (
         github.event_name == 'issue_comment' &&
-        contains(github.event.comment.body, '/oc-codex') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+        contains(github.event.comment.body, '/oc-codex')
       ) || (
         github.event_name == 'pull_request_review_comment' &&
-        contains(github.event.comment.body, '/oc-codex') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+        contains(github.event.comment.body, '/oc-codex')
       ) || (
         github.event_name == 'pull_request_review' &&
         github.event.review.body != null &&
-        contains(github.event.review.body, '/oc-codex') &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)
+        contains(github.event.review.body, '/oc-codex')
       ) || (
         github.event_name == 'issues' &&
         (
           (github.event.issue.body != null && contains(github.event.issue.body, '/oc-codex')) ||
           contains(github.event.issue.title, '/oc-codex')
-        ) &&
-        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+        )
       )
+    outputs:
+      is-authorized: ${{ steps.check.outputs.authorized }}
+    steps:
+      - name: Check authorization
+        id: check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          ACTOR="${{ github.actor }}"
+
+          # Check if user is a repo collaborator/owner/member first
+          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
+            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
+            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
+          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
+            AUTHOR_ASSOC="${{ github.event.review.author_association }}"
+          elif [[ "${{ github.event_name }}" == "issues" ]]; then
+            AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
+          fi
+
+          if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
+            echo "User is authorized via author_association: $AUTHOR_ASSOC"
+            echo "authorized=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          # Check if user is a member of liatrio-labs organization
+          if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
+            echo "User is authorized as liatrio-labs organization member"
+            echo "authorized=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "User is not authorized"
+            echo "authorized=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  opencode:
+    needs: check-org-membership
+    if: needs.check-org-membership.outputs.is-authorized == 'true'
+    timeout-minutes: 30 # to accommodate Codex's ability to run for extended periods
+    concurrency:
+      group: opencode-${{ github.event_name }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
+      cancel-in-progress: true
     runs-on: ubuntu-latest
     permissions:
       contents: read