How to Verify a Command Author Is a Maintainer in GitHub Actions
For sensitive commands, checking repository write access is the floor; confirming team membership or an explicit allowlist is stronger.
Beyond the permission level, verify the author belongs to a maintainers team via teams.getMembershipForUserInOrg, or match against a maintained allowlist. This is the primary defense for chat-triggered deploys.
Steps
- Resolve the command author login.
- Check maintainers team membership or an allowlist.
- Fail closed when the author is not a maintainer.
Maintainer check
.github/workflows/ci.yml
- uses: actions/github-script@v7
with:
github-token: ${{ secrets.ORG_READ_PAT }}
script: |
const user = context.payload.comment.user.login
try {
const { data } = await github.rest.teams.getMembershipForUserInOrg({
org: context.repo.owner, team_slug: 'maintainers', username: user
})
if (data.state !== 'active') core.setFailed('Not an active maintainer')
} catch {
core.setFailed(`${user} is not a maintainer`)
}Gotchas
- Fail closed: any error in the check must block the command, not allow it.
- Reading org team membership needs a token with org read scope, not GITHUB_TOKEN.
- Keep the allowlist or team small and reviewed for deploy-capable commands.
Related guides
How to Restrict Who Can Run Slash Commands in GitHub ActionsRestrict who can run chat-triggered CI commands in GitHub Actions by checking the commenter repository permis…
How to Audit Chat-Triggered Actions in GitHub ActionsAudit chat-triggered CI/CD actions in GitHub Actions by recording who ran each command, when, and with what a…