From a36078519952e4fcf20dfd0ca9d8e2777e9e3650 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Fri, 3 Oct 2025 15:04:20 +0100
Subject: [PATCH] ci(.github/workflows/traiage.yaml): check instead for push access to repo (#20163)

---
 .github/workflows/traiage.yaml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/traiage.yaml b/.github/workflows/traiage.yaml
index 15adf78242..566cfc7841 100644
--- a/.github/workflows/traiage.yaml
+++ b/.github/workflows/traiage.yaml
@@ -110,20 +110,19 @@ jobs:
 exit 1
 fi
- - name: Verify organization membership
+ - name: Verify push access
 env:
- GITHUB_ORG: ${{ github.repository_owner }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
 GH_TOKEN: ${{ github.token }}
 GITHUB_USERNAME: ${{ steps.determine-inputs.outputs.github_username }}
 GITHUB_USER_ID: ${{ steps.determine-inputs.outputs.github_user_id }}
 run: |
- # Check if the actor is a member of the organization
- if ! gh api "orgs/${GITHUB_ORG}/members/${GITHUB_USERNAME}" --silent 2>/dev/null; then
- echo "::error title=Access Denied::User ${GITHUB_USERNAME} is not a member of the ${GITHUB_ORG} organization"
- echo "::error::You must be a member of the ${GITHUB_ORG} GitHub organization to run this workflow."
+ # Query the actor’s permission on this repo
+ can_push="$(gh api "/repos/${GITHUB_REPOSITORY}/collaborators/${GITHUB_USERNAME}/permission" --jq '.user.permissions.push')"
+ if [[ "${can_push}" != "true" ]]; then
+ echo "::error title=Access Denied::${GITHUB_USERNAME} does not have push access to ${GITHUB_REPOSITORY}"
 exit 1
 fi
- echo "::notice::User ${GITHUB_USERNAME} verified as member of ${GITHUB_ORG} organization"
 - name: Extract context key from issue
 id: extract-context
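Review bot: The new `can_push=` assignment under `run: |` aborts the step before the `::error` annotation is ever printed when `gh api` itself fails, which may be exactly what happens for a user with no relationship to the repository (the permission endpoint can answer with an HTTP error rather than `push: false`); under the runner's default `bash -e`, a failing command substitution in an assignment exits the script with only gh's raw stderr. Since an empty `can_push` already fails the `!= "true"` comparison closed, tolerating the call failure preserves the intended message: `can_push="$(gh api "/repos/${GITHUB_REPOSITORY}/collaborators/${GITHUB_USERNAME}/permission" --jq '.user.permissions.push' 2>/dev/null || true)"`. `GITHUB_USERNAME` is also spliced into the URL path unvalidated; if `determine-inputs` derives it from issue or comment text rather than from `github.actor`, a value containing path characters would change which endpoint is queried, so a shape check such as `[[ "${GITHUB_USERNAME}" =~ ^[A-Za-z0-9-]+$ ]] || exit 1` before the call is cheap insurance. The `GITHUB_USER_ID` env entry is no longer read by the new script and looks droppable. The enclosing job and step list start before the hunk.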