feat: add comprehensive user permission controls for Claude workflows

- Add multi-level permission checking for issue implementation workflow - Support multiple permission strategies: privileged users, admins only, combined, org-based - Add permission validation with detailed error messages - Restrict code review workflow to privileged users and repository members - Create permission configuration file (.github/claude-config.json) - Add comprehensive permission documentation Permission strategies available: - Privileged users only (most restrictive) - Repository admins only - Admins OR privileged users (default) - Organization members with write access - Everyone with write access (least restrictive) Current configuration: - Issue implementation: admins OR privileged users (bastiaan, xtr-dev-team) - Code reviews: privileged users and repository members only 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-10 02:43:24 +00:00 · 2025-09-18 21:16:51 +02:00
parent bfa214aed6
commit 534b0e440f
5 changed files with 310 additions and 222 deletions
--- a/.github/workflows/claude-implement-issue.yml
+++ b/.github/workflows/claude-implement-issue.yml
@@ -22,27 +22,81 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - name: Check if user has write access
+      - name: Check user permissions
        uses: actions/github-script@v7
        with:
          script: |
+            const username = context.actor;
+
+            // Method 1: Specific privileged users list
+            const privilegedUsers = [
+              'bastiaan',           // Repository owner
+              'xtr-dev-team',       // Core team members
+              // Add more usernames here
+            ];
+
+            // Method 2: Check repository permission level
            const { data: collaborator } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
-              username: context.actor
+              username: username
            });

+            // Method 3: Check organization membership (if applicable)
+            let isOrgMember = false;
+            try {
+              await github.rest.orgs.getMembershipForUser({
+                org: context.repo.owner,
+                username: username
+              });
+              isOrgMember = true;
+            } catch (error) {
+              // User is not an org member or org doesn't exist
+              isOrgMember = false;
+            }
+
+            // Combined permission check
+            const isPrivilegedUser = privilegedUsers.includes(username);
+            const hasAdminAccess = collaborator.permission === 'admin';
            const hasWriteAccess = ['admin', 'write'].includes(collaborator.permission);
-            if (!hasWriteAccess) {
+
+            // Choose your permission strategy:
+            // Option A: Only specific users
+            const allowedByUserList = isPrivilegedUser;
+
+            // Option B: Only admins
+            const allowedByAdminAccess = hasAdminAccess;
+
+            // Option C: Admin + specific users
+            const allowedByAdminOrPrivileged = hasAdminAccess || isPrivilegedUser;
+
+            // Option D: Organization members with write access
+            const allowedByOrgAndWrite = isOrgMember && hasWriteAccess;
+
+            // Set your chosen strategy here:
+            const isAllowed = allowedByAdminOrPrivileged; // Change this line to use your preferred strategy
+
+            if (!isAllowed) {
+              const errorMessage = `❌ **Access Denied**: Claude implementation is restricted to privileged users only.
+
+              **Your access level**: ${collaborator.permission}
+              **Privileged user**: ${isPrivilegedUser ? 'Yes' : 'No'}
+              **Organization member**: ${isOrgMember ? 'Yes' : 'No'}
+
+              Contact a repository administrator for access.`;
+
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
-                body: `❌ Only collaborators with write access can request Claude implementation. Your permission level: ${collaborator.permission}`
+                body: errorMessage
              });
-              throw new Error('Insufficient permissions');
+              throw new Error('Insufficient permissions for Claude implementation');
            }

+            // Log successful access
+            console.log(`✅ Access granted to ${username} (${collaborator.permission})`);
+
      - name: Checkout repository
        uses: actions/checkout@v4
        with: