ci(release): gate npm telegram e2e by release team

2026-05-06 10:20:42 +00:00 · 2026-04-24 11:54:20 +05:30
parent ed6b487e20
commit 02d7215005
2 changed files with 17 additions and 14 deletions
--- a/.github/workflows/npm-telegram-beta-e2e.yml
+++ b/.github/workflows/npm-telegram-beta-e2e.yml
@@ -48,22 +48,22 @@ jobs:
            exit 1
          fi

-      - name: Require maintainer-level repository access
+      - name: Require release manager team membership
        uses: actions/github-script@v8
        with:
          script: |
-            const allowedRoles = new Set(["admin", "maintain"]);
-            const { owner, repo } = context.repo;
-            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
-              owner,
-              repo,
-              username: context.actor,
+            const { owner } = context.repo;
+            const teamSlug = "openclaw-release-managers";
+            const members = await github.paginate(github.rest.teams.listMembersInOrg, {
+              org: owner,
+              team_slug: teamSlug,
+              per_page: 100,
            });
-            const role = data.role_name ?? data.permission;
-            core.info(`Actor ${context.actor} role: ${role}`);
-            if (!allowedRoles.has(role)) {
+            const memberLogins = new Set(members.map((member) => member.login));
+            core.info(`${teamSlug} members loaded: ${memberLogins.size}`);
+            if (!memberLogins.has(context.actor)) {
              core.setFailed(
-                `Workflow requires maintainer/admin access. Actor "${context.actor}" has "${role}".`,
+                `Workflow requires active ${teamSlug} membership. Actor "${context.actor}" is not a member of ${owner}/${teamSlug}.`,
              );
            }

--- a/test/scripts/npm-telegram-live.test.ts
+++ b/test/scripts/npm-telegram-live.test.ts
@@ -42,12 +42,15 @@ describe("npm Telegram live Docker E2E", () => {
    expect(script).toContain('credential_role="ci"');
  });

-  it("limits the manual npm beta workflow to maintainer-level actors", () => {
+  it("limits the manual npm beta workflow to release managers", () => {
    const workflow = readFileSync(WORKFLOW_PATH, "utf8");

-    expect(workflow).toContain('const allowedRoles = new Set(["admin", "maintain"]);');
-    expect(workflow).toContain("const role = data.role_name ?? data.permission;");
+    expect(workflow).toContain('const teamSlug = "openclaw-release-managers";');
+    expect(workflow).toContain("github.rest.teams.listMembersInOrg");
+    expect(workflow).toContain("memberLogins.has(context.actor)");
    expect(workflow).not.toContain('new Set(["admin", "write"])');
+    expect(workflow).not.toContain("data.role_name");
+    expect(workflow).not.toContain("getMembershipForUserInOrg");
  });

  it("lets npm-specific credential aliases override shared QA env", () => {