Refactor authorization logic into reusable composite action

This addresses the CodeRabbit refactoring suggestion to eliminate
duplicated authorization logic across workflows.

Changes:
- Created .github/actions/check-org-membership composite action
- Extracted 45+ lines of duplicated bash logic into single reusable action
- Action accepts trigger-command as input parameter
- Both workflows now use the same authorization logic
- Reduced maintenance burden and ensured consistency

Benefits:
- Single source of truth for authorization logic
- DRY principle compliance
- Future updates apply consistently across all workflows
- Easier to test and maintain

The composite action:
- Checks author_association first (OWNER, MEMBER, COLLABORATOR)
- Falls back to organization membership verification
- Returns is-authorized boolean output
- Supports all event types (issue_comment, pull_request_review, etc.)

Addresses: CodeRabbit refactoring suggestion

🤖 Generated with Claude Code

Co-Authored-By: Claude <[email protected]>

Author: iaminawe

.github/actions/check-org-membership/action.yml

@@ -0,0 +1,98 @@
+name: Check Organization Membership
+description: Checks if a user is authorized via repository permissions or organization membership
+
+inputs:
+  trigger-command:
+    description: 'The trigger command to check for (e.g., @claude or /oc-codex)'
+    required: true
+  github-token:
+    description: 'GitHub token with org membership read permissions'
+    required: true
+  event-name:
+    description: 'The GitHub event name (github.event_name)'
+    required: true
+  comment-body:
+    description: 'The comment body if applicable'
+    required: false
+    default: ''
+  comment-author-association:
+    description: 'The comment author association if applicable'
+    required: false
+    default: ''
+  review-body:
+    description: 'The review body if applicable'
+    required: false
+    default: ''
+  review-author-association:
+    description: 'The review author association if applicable'
+    required: false
+    default: ''
+  issue-body:
+    description: 'The issue body if applicable'
+    required: false
+    default: ''
+  issue-title:
+    description: 'The issue title if applicable'
+    required: false
+    default: ''
+  issue-author-association:
+    description: 'The issue author association if applicable'
+    required: false
+    default: ''
+  actor:
+    description: 'The GitHub actor (github.actor)'
+    required: true
+  organization:
+    description: 'The organization name to check membership in'
+    required: true
+    default: 'liatrio-labs'
+
+outputs:
+  is-authorized:
+    description: 'Whether the user is authorized to trigger the workflow'
+    value: ${{ steps.check.outputs.authorized }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Check authorization
+      id: check
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        TRIGGER_COMMAND: ${{ inputs.trigger-command }}
+        EVENT_NAME: ${{ inputs.event-name }}
+        COMMENT_BODY: ${{ inputs.comment-body }}
+        COMMENT_AUTHOR_ASSOC: ${{ inputs.comment-author-association }}
+        REVIEW_BODY: ${{ inputs.review-body }}
+        REVIEW_AUTHOR_ASSOC: ${{ inputs.review-author-association }}
+        ISSUE_BODY: ${{ inputs.issue-body }}
+        ISSUE_TITLE: ${{ inputs.issue-title }}
+        ISSUE_AUTHOR_ASSOC: ${{ inputs.issue-author-association }}
+        ACTOR: ${{ inputs.actor }}
+        ORGANIZATION: ${{ inputs.organization }}
+      run: |
+        # Determine the author association based on event type
+        if [[ "$EVENT_NAME" == "issue_comment" ]] || [[ "$EVENT_NAME" == "pull_request_review_comment" ]]; then
+          AUTHOR_ASSOC="$COMMENT_AUTHOR_ASSOC"
+        elif [[ "$EVENT_NAME" == "pull_request_review" ]]; then
+          AUTHOR_ASSOC="$REVIEW_AUTHOR_ASSOC"
+        elif [[ "$EVENT_NAME" == "issues" ]]; then
+          AUTHOR_ASSOC="$ISSUE_AUTHOR_ASSOC"
+        fi
+
+        # Check if user is a repo collaborator/owner/member first
+        if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
+          echo "User is authorized via author_association: $AUTHOR_ASSOC"
+          echo "authorized=true" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        # Check if user is a member of the organization
+        if gh api "orgs/$ORGANIZATION/members/$ACTOR" --silent 2>/dev/null; then
+          echo "User is authorized as $ORGANIZATION organization member"
+          echo "authorized=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "User is not authorized"
+          echo "authorized=false" >> "$GITHUB_OUTPUT"
+        fi

.github/workflows/claude.yml

@@ -33,40 +33,27 @@ jobs:
         )
       )
     outputs:
-      is-authorized: ${{ steps.check.outputs.authorized }}
+      is-authorized: ${{ steps.check.outputs.is-authorized }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Check authorization
         id: check
-        env:
-          GH_TOKEN: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
-        run: |
-          ACTOR="${{ github.actor }}"
-
-          # Check if user is a repo collaborator/owner/member first
-          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
-            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
-          elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
-            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
-          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
-            AUTHOR_ASSOC="${{ github.event.review.author_association }}"
-          elif [[ "${{ github.event_name }}" == "issues" ]]; then
-            AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
-          fi
-
-          if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
-            echo "User is authorized via author_association: $AUTHOR_ASSOC"
-            echo "authorized=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Check if user is a member of liatrio-labs organization
-          if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
-            echo "User is authorized as liatrio-labs organization member"
-            echo "authorized=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "User is not authorized"
-            echo "authorized=false" >> "$GITHUB_OUTPUT"
-          fi
+        uses: ./.github/actions/check-org-membership
+        with:
+          trigger-command: '@claude'
+          github-token: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
+          event-name: ${{ github.event_name }}
+          comment-body: ${{ github.event.comment.body || '' }}
+          comment-author-association: ${{ github.event.comment.author_association || '' }}
+          review-body: ${{ github.event.review.body || '' }}
+          review-author-association: ${{ github.event.review.author_association || '' }}
+          issue-body: ${{ github.event.issue.body || '' }}
+          issue-title: ${{ github.event.issue.title || '' }}
+          issue-author-association: ${{ github.event.issue.author_association || '' }}
+          actor: ${{ github.actor }}
+          organization: 'liatrio-labs'
 
   claude:
     needs: check-org-membership

.github/workflows/opencode-gpt-5-codex.yml

@@ -33,40 +33,27 @@ jobs:
         )
       )
     outputs:
-      is-authorized: ${{ steps.check.outputs.authorized }}
+      is-authorized: ${{ steps.check.outputs.is-authorized }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: Check authorization
         id: check
-        env:
-          GH_TOKEN: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
-        run: |
-          ACTOR="${{ github.actor }}"
-
-          # Check if user is a repo collaborator/owner/member first
-          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
-            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
-          elif [[ "${{ github.event_name }}" == "pull_request_review_comment" ]]; then
-            AUTHOR_ASSOC="${{ github.event.comment.author_association }}"
-          elif [[ "${{ github.event_name }}" == "pull_request_review" ]]; then
-            AUTHOR_ASSOC="${{ github.event.review.author_association }}"
-          elif [[ "${{ github.event_name }}" == "issues" ]]; then
-            AUTHOR_ASSOC="${{ github.event.issue.author_association }}"
-          fi
-
-          if [[ "$AUTHOR_ASSOC" == "OWNER" ]] || [[ "$AUTHOR_ASSOC" == "MEMBER" ]] || [[ "$AUTHOR_ASSOC" == "COLLABORATOR" ]]; then
-            echo "User is authorized via author_association: $AUTHOR_ASSOC"
-            echo "authorized=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Check if user is a member of liatrio-labs organization
-          if gh api "orgs/liatrio-labs/members/$ACTOR" --silent 2>/dev/null; then
-            echo "User is authorized as liatrio-labs organization member"
-            echo "authorized=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "User is not authorized"
-            echo "authorized=false" >> "$GITHUB_OUTPUT"
-          fi
+        uses: ./.github/actions/check-org-membership
+        with:
+          trigger-command: '/oc-codex'
+          github-token: ${{ secrets.ORG_MEMBER_CHECK_TOKEN }}
+          event-name: ${{ github.event_name }}
+          comment-body: ${{ github.event.comment.body || '' }}
+          comment-author-association: ${{ github.event.comment.author_association || '' }}
+          review-body: ${{ github.event.review.body || '' }}
+          review-author-association: ${{ github.event.review.author_association || '' }}
+          issue-body: ${{ github.event.issue.body || '' }}
+          issue-title: ${{ github.event.issue.title || '' }}
+          issue-author-association: ${{ github.event.issue.author_association || '' }}
+          actor: ${{ github.actor }}
+          organization: 'liatrio-labs'
 
   opencode:
     needs: check-org-membership