fix(release): debug 6

Author: mandarini

.github/workflows/publish.yml

@@ -24,69 +24,42 @@ jobs:
       id-token: write
 
     steps:
-      - name: Generate GitHub App token (with org members:read)
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
+      # If your GitHub App is configured with org Members:read, you can
+      # generate an app token instead. For now, rely on a PAT with read:org.
+      # - name: Generate GitHub App token (with org members:read)
+      #   id: app-token
+      #   uses: actions/create-github-app-token@v2
+      #   with:
+      #     app-id: ${{ secrets.APP_ID }}
+      #     private-key: ${{ secrets.PRIVATE_KEY }}
+      #     owner: supabase
 
       - name: Check if actor is member of admin or client-libs team
         id: team-check
         uses: actions/github-script@v7
         with:
-          github-token: ${{ steps.app-token.outputs.token }}
+          github-token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
           script: |
             const org = 'supabase'
             const { actor } = context
 
-            async function isOrgAdmin() {
-              try {
-                const res = await github.rest.orgs.getMembershipForUser({ org, username: actor })
-                return res?.status === 200 && res.data?.role === 'admin' && res.data?.state === 'active'
-              } catch (e) {
-                console.log('Org membership check failed', e)
-                return false
-              }
-            }
-
-            async function resolveTeamSlug(preferredSlugs) {
-              try {
-                const teams = await github.paginate(github.rest.teams.list, { org })
-                const lower = (s) => (s || '').toLowerCase()
-                const candidates = preferredSlugs.map(lower)
-                const team = teams.find((t) => {
-                  const slug = lower(t.slug)
-                  const name = lower(t.name)
-                  return candidates.includes(slug) || candidates.includes(name)
-                })
-                return team?.slug
-              } catch (e) {
-                console.log('Failed to list teams', e)
-                return undefined
-              }
-            }
-
-            async function isTeamMemberByResolvedSlug(preferredSlugs) {
-              const resolved = await resolveTeamSlug(preferredSlugs)
-              if (!resolved) return false
+            async function isTeamMember(team_slug) {
               try {
                 const res = await github.rest.teams.getMembershipForUserInOrg({
                   org,
-                  team_slug: resolved,
+                  team_slug,
                   username: actor,
                 })
                 return res?.status === 200
               } catch (err) {
-                console.log(`Membership check failed for slug ${resolved}`, err)
+                // 404 means not a member or team not visible to token
                 return false
               }
             }
 
-            const isAdminOrg = await isOrgAdmin()
-            const isAdminTeam = await isTeamMemberByResolvedSlug(['admin','admins','owners'])
-            const isClientLibs = await isTeamMemberByResolvedSlug(['client-libs','clientlibs','client-libraries'])
-            const isMember = Boolean(isAdminOrg || isAdminTeam || isClientLibs)
+            const isAdmin = await isTeamMember('admin')
+            const isClientLibs = await isTeamMember('client-libs')
+            const isMember = Boolean(isAdmin || isClientLibs)
             core.setOutput('is_team_member', isMember ? 'true' : 'false')
 
       - name: Fail if not authorized