Skip to content
Latchkey

How to Verify a Command Author Is a Maintainer in GitHub Actions

For sensitive commands, checking repository write access is the floor; confirming team membership or an explicit allowlist is stronger.

Beyond the permission level, verify the author belongs to a maintainers team via teams.getMembershipForUserInOrg, or match against a maintained allowlist. This is the primary defense for chat-triggered deploys.

Steps

  • Resolve the command author login.
  • Check maintainers team membership or an allowlist.
  • Fail closed when the author is not a maintainer.

Maintainer check

.github/workflows/ci.yml
- uses: actions/github-script@v7
  with:
    github-token: ${{ secrets.ORG_READ_PAT }}
    script: |
      const user = context.payload.comment.user.login
      try {
        const { data } = await github.rest.teams.getMembershipForUserInOrg({
          org: context.repo.owner, team_slug: 'maintainers', username: user
        })
        if (data.state !== 'active') core.setFailed('Not an active maintainer')
      } catch {
        core.setFailed(`${user} is not a maintainer`)
      }

Gotchas

  • Fail closed: any error in the check must block the command, not allow it.
  • Reading org team membership needs a token with org read scope, not GITHUB_TOKEN.
  • Keep the allowlist or team small and reviewed for deploy-capable commands.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →