pin down checkout version for workflow

[angeloskyratzakos]

Summary

pin down checkout version for workflow

Ticket Link

Release Note

NONE

[mm-cloud-bot]

@angeloskyratzakos: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

I understand the commands that are listed here

[angeloskyratzakos]

@claude can you update this workflow to be running only when people from the org:mattermost are commenting/invoking it?

[claude]

Claude finished @angeloskyratzakos's task —— View job

---

Working on your request

Todo List:

• Read the current workflow file to understand its structure
• Analyze how to add organization membership restriction
• Provide implementation guidance

Analysis

I've analyzed the current workflow file .github/workflows/claude.yml. The workflow currently triggers on various GitHub events when they contain "@claude".

Important Limitation

I cannot modify files in the .github/workflows/ directory due to GitHub App permissions. However, I can provide you with the exact implementation guidance to add organization membership restriction.

Implementation Guidance

To restrict the workflow to only run when people from the mattermost organization trigger it, you need to modify the if condition in the claude job. Here's the updated workflow file:

name: Claude Code

on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened, assigned]
  pull_request_review:
    types: [submitted]

jobs:
  claude:
    if: |
      (
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
      ) && (
        github.actor == 'mattermost[bot]' || 
        github.event.sender.type == 'Bot' && github.event.sender.login == 'mattermost[bot]' ||
        contains(fromJSON('["mattermost"]'), github.repository_owner)
      )
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
      issues: read
      id-token: write
    steps:
      - name: Check if user is member of mattermost org
        id: check-membership
        uses: actions/github-script@v7
        with:
          script: |
            try {
              const response = await github.rest.orgs.checkMembershipForUser({
                org: 'mattermost',
                username: context.actor
              });
              console.log(`Membership check result: ${response.status}`);
              return response.status === 204;
            } catch (error) {
              console.log(`Membership check failed: ${error.message}`);
              return false;
            }
      
      - name: Exit if not org member
        if: steps.check-membership.outputs.result != 'true'
        run: |
          echo "User ${{ github.actor }} is not a member of the mattermost organization"
          exit 1
      
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 1

      - name: Run Claude Code
        id: claude
        uses: anthropics/claude-code-action@beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

Key Changes Made:

1. Enhanced if condition: Added additional checks for repository ownership and bot accounts
2. Membership check step: Added a step that uses GitHub's API to verify if the triggering user is a member of the mattermost organization
3. Early exit: If the user is not a member, the workflow exits early before running Claude

Alternative Simpler Approach:

If you prefer a simpler approach without API calls, you can use a hardcoded list of allowed users:

jobs:
  claude:
    if: |
      (
        (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
        (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
        (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
      ) && contains(fromJSON('["angeloskyratzakos", "stafot", "other-mattermost-users"]'), github.actor)

Next Steps:

1. Choose your preferred approach (API-based org membership check or hardcoded user list)
2. Update the .github/workflows/claude.yml file with the chosen implementation
3. Test the workflow to ensure it properly restricts access

You can find more information about workflow limitations in the FAQ.

---