From 65da8181b8ccbcfe2e13c494b8936669b774ef53 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 19:20:17 +0000 Subject: [PATCH 1/5] Initial plan From ca2761deecd004ff093f82e04e7a2748479c96fa Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 19:21:57 +0000 Subject: [PATCH 2/5] Add workflow for adding users to organization Co-authored-by: eb-oss <1403599+eb-oss@users.noreply.github.com> --- .github/workflows/add-user.yaml | 61 +++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/add-user.yaml diff --git a/.github/workflows/add-user.yaml b/.github/workflows/add-user.yaml new file mode 100644 index 0000000..29dd298 --- /dev/null +++ b/.github/workflows/add-user.yaml 
@@ -0,0 +1,61 @@ +# SPDX-FileCopyrightText: 2025 The Linux Foundation +# SPDX-License-Identifier: Apache-2.0 +name: Add User to Organization + +on: + workflow_dispatch: + inputs: + username: + description: 'GitHub username to add to the organization' + required: true + type: string + +jobs: + add-user: + runs-on: ubuntu-latest + steps: + - name: Check if actor is member of org-managers team + id: check-membership + env: + GH_TOKEN: ${{ secrets.PAT_TOKEN }} + ACTOR: ${{ github.actor }} + ORG: ${{ github.repository_owner }} + run: | + # Check if the actor is a member of the org-managers team + echo "Checking if ${ACTOR} is a member of org-managers team..." + + # Get the team slug for org-managers + TEAM_SLUG="org-managers" + + # Check team membership using GitHub CLI + if gh api "/orgs/${ORG}/teams/${TEAM_SLUG}/memberships/${ACTOR}" --silent 2>/dev/null; then + echo "✓ ${ACTOR} is a member of ${TEAM_SLUG}" + echo "is_member=true" >> $GITHUB_OUTPUT + else + echo "✗ ${ACTOR} is NOT a member of ${TEAM_SLUG}" + echo "is_member=false" >> $GITHUB_OUTPUT + exit 1 + fi + + - name: Add user to organization + if: steps.check-membership.outputs.is_member == 'true' + env: + GH_TOKEN: ${{ secrets.PAT_TOKEN }} + USERNAME: ${{ inputs.username }} + ORG: ${{ github.repository_owner }} + run: | + echo "Adding user ${USERNAME} to organization ${ORG}..." + + # Invite the user to the organization using GitHub CLI + # This creates an invitation for the user to join the organization + gh api \ + --method PUT \ + "/orgs/${ORG}/memberships/${USERNAME}" \ + -f role='member' \ + || { + echo "Failed to add user ${USERNAME} to organization ${ORG}" + exit 1 + } + + echo "✓ Successfully sent invitation to ${USERNAME} to join ${ORG}" + echo "The user will need to accept the invitation to complete the process." From 772e2192c128b4bd748d4a75033c2427940dfa7d Mon Sep 17 00:00:00 2001 
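Review bot: The org-managers gate in the first step protects nothing against a user with write access if `PAT_TOKEN` is a plain repository secret, because `workflow_dispatch` runs the workflow file from whatever ref the caller picks: a branch whose copy of `add-user.yaml` drops the membership check still receives the secret. Both steps read `PAT_TOKEN`, which must carry org-admin rights to call `PUT /orgs/{org}/memberships/{username}`, so that is an org-owner credential handed to every run. Bind the secret to a protected environment with required reviewers and a deployment-branch rule limited to the default branch (`environment: org-admin` on the job), or replace the PAT with a short-lived GitHub App installation token scoped to organization-members write. Separately, `$GITHUB_OUTPUT` is unquoted in both `echo ... >> $GITHUB_OUTPUT` lines; `>> "$GITHUB_OUTPUT"` is the documented form.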
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 19:22:48 +0000 Subject: [PATCH 3/5] Improve workflow security and error handling Co-authored-by: eb-oss <1403599+eb-oss@users.noreply.github.com> --- .github/workflows/add-user.yaml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/add-user.yaml b/.github/workflows/add-user.yaml index 29dd298..effe8c8 100644 --- a/.github/workflows/add-user.yaml +++ b/.github/workflows/add-user.yaml @@ -27,12 +27,17 @@ jobs: # Get the team slug for org-managers TEAM_SLUG="org-managers" - # Check team membership using GitHub CLI - if gh api "/orgs/${ORG}/teams/${TEAM_SLUG}/memberships/${ACTOR}" --silent 2>/dev/null; then + # Check team membership using GitHub CLI (members endpoint for visibility support) + HTTP_CODE=$(gh api \ + "/orgs/${ORG}/teams/${TEAM_SLUG}/members/${ACTOR}" \ + --silent \ + --include 2>&1 | head -n1 | cut -d' ' -f2 || echo "000") + + if [ "$HTTP_CODE" = "204" ]; then echo "✓ ${ACTOR} is a member of ${TEAM_SLUG}" echo "is_member=true" >> $GITHUB_OUTPUT else - echo "✗ ${ACTOR} is NOT a member of ${TEAM_SLUG}" + echo "✗ ${ACTOR} is NOT a member of ${TEAM_SLUG} (HTTP ${HTTP_CODE})" echo "is_member=false" >> $GITHUB_OUTPUT exit 1 fi 
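Review bot: The new path `/orgs/${ORG}/teams/${TEAM_SLUG}/members/${ACTOR}` is not one I can find in the documented REST API — the per-user team call is `/orgs/{org}/teams/{team_slug}/memberships/{username}`, the one this hunk removes — so unless it is served as an alias every caller gets a 404 and the gate never opens; please confirm against a real run. If the memberships endpoint is restored, note that it answers 200 for a user whose team invitation is still pending, so read the body rather than only the status: `STATE=$(gh api "/orgs/${ORG}/teams/${TEAM_SLUG}/memberships/${ACTOR}" --jq .state 2>/dev/null || true)` followed by `[ "$STATE" = "active" ]`. The `|| echo "000"` fallback only guards `cut`, not `gh api`, because the step's default shell has no `pipefail`, and `2>&1` lets a gh error line land in `HTTP_CODE` in place of a status line; the check still fails closed only because the comparison is against the exact string `204`. The step's `run:` block begins before this hunk.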
@@ -44,18 +49,26 @@ jobs: USERNAME: ${{ inputs.username }} ORG: ${{ github.repository_owner }} run: | + # Validate username format (GitHub usernames: alphanumeric and hyphens, 1-39 chars) + if ! echo "${USERNAME}" | grep -Eq '^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$'; then + echo "✗ Invalid username format: ${USERNAME}" + echo "GitHub usernames must be 1-39 characters, alphanumeric with hyphens, not starting or ending with hyphen" + exit 1 + fi + echo "Adding user ${USERNAME} to organization ${ORG}..." # Invite the user to the organization using GitHub CLI # This creates an invitation for the user to join the organization - gh api \ + RESPONSE=$(gh api \ --method PUT \ "/orgs/${ORG}/memberships/${USERNAME}" \ -f role='member' \ - || { - echo "Failed to add user ${USERNAME} to organization ${ORG}" - exit 1 - } + 2>&1) || { + echo "✗ Failed to add user ${USERNAME} to organization ${ORG}" + echo "API Response: ${RESPONSE}" + exit 1 + } echo "✓ Successfully sent invitation to ${USERNAME} to join ${ORG}" echo "The user will need to accept the invitation to complete the process." From cc9fbc247fdf61d69fe553334c8763e49a7aa53e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 19:23:48 +0000 Subject: [PATCH 4/5] Fix regex pattern and enhance security Co-authored-by: eb-oss <1403599+eb-oss@users.noreply.github.com> --- .github/workflows/add-user.yaml | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/add-user.yaml b/.github/workflows/add-user.yaml index effe8c8..e38f0e4 100644 --- a/.github/workflows/add-user.yaml +++ b/.github/workflows/add-user.yaml 
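Review bot: The added regex already enforces the 1–39 length bound (`{0,37}` between the mandatory first and last character), so the only fragile part is feeding it through `echo "${USERNAME}"`: bash's builtin `echo` swallows a leading `-n`/`-e`/`-E`, which happens to be rejected anyway by the `^[a-zA-Z0-9]` anchor but only by accident. `printf '%s\n' "${USERNAME}" | grep -Eq '...'` or the bash test `[[ "${USERNAME}" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$ ]]` avoids both the pipe and the echo quirk. `echo "✗ Invalid username format: ${USERNAME}"` writes caller-chosen text into the job log; since the value is a `workflow_dispatch` input from an already-gated actor that is acceptable, but a comment saying so would save the next reader the question. The step's `run:` block begins before this hunk.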
@@ -28,16 +28,11 @@ jobs: TEAM_SLUG="org-managers" # Check team membership using GitHub CLI (members endpoint for visibility support) - HTTP_CODE=$(gh api \ - "/orgs/${ORG}/teams/${TEAM_SLUG}/members/${ACTOR}" \ - --silent \ - --include 2>&1 | head -n1 | cut -d' ' -f2 || echo "000") - - if [ "$HTTP_CODE" = "204" ]; then + if gh api "/orgs/${ORG}/teams/${TEAM_SLUG}/members/${ACTOR}" --silent 2>/dev/null; then echo "✓ ${ACTOR} is a member of ${TEAM_SLUG}" echo "is_member=true" >> $GITHUB_OUTPUT else - echo "✗ ${ACTOR} is NOT a member of ${TEAM_SLUG} (HTTP ${HTTP_CODE})" + echo "✗ ${ACTOR} is NOT a member of ${TEAM_SLUG}" echo "is_member=false" >> $GITHUB_OUTPUT exit 1 fi @@ -50,25 +45,31 @@ jobs: ORG: ${{ github.repository_owner }} run: | # Validate username format (GitHub usernames: alphanumeric and hyphens, 1-39 chars) - if ! echo "${USERNAME}" | grep -Eq '^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$'; then + if ! echo "${USERNAME}" | grep -Eq '^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$'; then echo "✗ Invalid username format: ${USERNAME}" echo "GitHub usernames must be 1-39 characters, alphanumeric with hyphens, not starting or ending with hyphen" exit 1 fi + # Additional length check + if [ ${#USERNAME} -gt 39 ]; then + echo "✗ Username too long: ${USERNAME} (max 39 characters)" + exit 1 + fi + echo "Adding user ${USERNAME} to organization ${ORG}..." # Invite the user to the organization using GitHub CLI # This creates an invitation for the user to join the organization - RESPONSE=$(gh api \ + if gh api \ --method PUT \ "/orgs/${ORG}/memberships/${USERNAME}" \ -f role='member' \ - 2>&1) || { + 2>&1 | grep -q "HTTP"; then echo "✗ Failed to add user ${USERNAME} to organization ${ORG}" - echo "API Response: ${RESPONSE}" + echo "Please check that the username exists and you have proper permissions" exit 1 - } + fi echo "✓ Successfully sent invitation to ${USERNAME} to join ${ORG}" echo "The user will need to accept the invitation to complete the process." 
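Review bot: With `2>/dev/null` and the exit status as the only signal, a rate limit, a 5xx or a revoked `PAT_TOKEN` is logged as `✗ ${ACTOR} is NOT a member of ${TEAM_SLUG}`, which misleads the operator and hides an outage of the control itself; the HTTP code that the previous revision surfaced was the useful part. Keep the fail-closed `exit 1` but distinguish the cases: `if OUT=$(gh api "/orgs/${ORG}/teams/${TEAM_SLUG}/memberships/${ACTOR}" --jq .state 2>&1) && [ "$OUT" = "active" ]; then`, and in the else branch print `$OUT` before exiting. That also closes the pending-invitation case, which a status-only check on the memberships endpoint accepts. The step's `run:` block begins before this hunk.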
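Review bot: `gh api ... 2>&1 | grep -q "HTTP"` turns error detection into a string match: the exit status of `gh api` is discarded by the pipe (no `pipefail` in the default shell), so a failure whose output lacks the uppercase token `HTTP` — a DNS/TLS error, an expired token, a bare JSON error body — reports `✓ Successfully sent invitation`, and the captured response the previous revision printed on failure is gone. Test the exit status directly and print the output only when it fails. There is also a privilege angle the commit does not cover: per the REST docs, `PUT /orgs/{org}/memberships/{username}` updates the role of an existing member as well as inviting a new one, so an org-managers member who supplies an existing owner's username demotes that owner to `member` while the log reports an invitation; refuse to touch an existing membership before issuing the PUT. The step's `run:` block begins before this hunk.

```yaml
        # … unchanged: username format and length checks …

        # Refuse to modify an existing membership: the PUT below also
        # changes the role of a current member, so an owner would be demoted.
        if gh api "/orgs/${ORG}/memberships/${USERNAME}" --silent 2>/dev/null; then
          echo "✗ ${USERNAME} already has a membership in ${ORG}; refusing to change it"
          exit 1
        fi

        echo "Adding user ${USERNAME} to organization ${ORG}..."

        # Check gh's exit status directly; a pipe to grep would discard it.
        if ! OUTPUT=$(gh api \
          --method PUT \
          "/orgs/${ORG}/memberships/${USERNAME}" \
          -f role='member' 2>&1); then
          echo "✗ Failed to add user ${USERNAME} to organization ${ORG}"
          echo "${OUTPUT}"
          exit 1
        fi

        # … unchanged: success messages …
```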
From 6259fba34419195c47ece440cfd66527eae7c00b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 22 Jan 2026 19:24:56 +0000 Subject: [PATCH 5/5] Add explicit permissions to workflow Co-authored-by: eb-oss <1403599+eb-oss@users.noreply.github.com> --- .github/workflows/add-user.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/add-user.yaml b/.github/workflows/add-user.yaml index e38f0e4..89329cc 100644 --- a/.github/workflows/add-user.yaml +++ b/.github/workflows/add-user.yaml @@ -13,6 +13,8 @@ on: jobs: add-user: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Check if actor is member of org-managers team id: check-membership
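Review bot: `contents: read` is still more than this job uses — neither step checks out the repository, and both authenticate with `secrets.PAT_TOKEN` rather than `GITHUB_TOKEN` — so the tightest setting is `permissions: {}`. A comment is worth adding that the `permissions` key only scopes the automatic `GITHUB_TOKEN`; the credential that actually carries org-admin rights here is the PAT, which this stanza does not constrain. The rest of the job body continues outside this hunk.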