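# Auto-closes issues and pull requests opened by accounts that are neither
# organization members nor repository collaborators.
name: Gate

on:
  issues:
    types: [opened]
  # pull_request_target runs in the base repository's context with a
  # write-capable token, even for pull requests from forks. That is safe here
  # only because no step checks out or executes code from the pull request;
  # keep it that way.
  pull_request_target:
    types: [opened]

# Least privilege: only the scopes needed to close and to comment.
permissions:
  issues: write
  pull-requests: write

jobs:
  check-membership:
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership and close if external
        # NOTE(review): v7 is a mutable tag; consider pinning to the full
        # commit SHA of a reviewed release.
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const sender = context.payload.sender.login;
            const { owner, repo } = context.repo;

            // Check if user is an org member.
            // Only 204 confirms membership. A 302 is a redirect to the
            // public-membership endpoint, not an answer, so it must not be
            // read as "allowed" (the original accepted it, which fails open).
            // NOTE(review): the workflow token may only be able to see public
            // membership; confirm. Members with concealed membership would
            // then depend on the collaborator check below.
            let isMember = false;
            try {
              const { status } = await github.rest.orgs.checkMembershipForUser({
                org: owner,
                username: sender,
              });
              isMember = status === 204;
            } catch (e) {
              // 404 is the expected "not a member" answer. Any other failure
              // is still denied (fail closed) but surfaced in the run log so
              // a wrongly closed item can be traced to an API error.
              if (e.status !== 404) {
                core.warning(`Org membership check for ${sender} failed (${e.status ?? 'no status'}): ${e.message}`);
              }
              isMember = false;
            }

            if (isMember) {
              console.log(`${sender} is an org member of ${owner}, allowing.`);
              return;
            }

            // Check if user is a repo collaborator (204 = yes, 404 = no).
            let isCollaborator = false;
            try {
              const { status } = await github.rest.repos.checkCollaborator({
                owner,
                repo,
                username: sender,
              });
              isCollaborator = status === 204;
            } catch (e) {
              // Same policy as above: deny, but log anything unexpected.
              if (e.status !== 404) {
                core.warning(`Collaborator check for ${sender} failed (${e.status ?? 'no status'}): ${e.message}`);
              }
              isCollaborator = false;
            }

            if (isCollaborator) {
              console.log(`${sender} is a collaborator on ${owner}/${repo}, allowing.`);
              return;
            }

            console.log(`${sender} is NOT a member or collaborator, closing.`);

            // The payload carries `issue` for the issues event and
            // `pull_request` for pull_request_target; close first, then
            // leave a comment explaining why.
            if (context.payload.issue) {
              await github.rest.issues.update({
                ...context.repo,
                issue_number: context.payload.issue.number,
                state: 'closed',
              });
              await github.rest.issues.createComment({
                ...context.repo,
                issue_number: context.payload.issue.number,
                body: 'This repository only accepts issues from organization members and collaborators. Your issue has been closed automatically.',
              });
            } else if (context.payload.pull_request) {
              await github.rest.pulls.update({
                ...context.repo,
                pull_number: context.payload.pull_request.number,
                state: 'closed',
              });
              // Pull-request comments are created through the issues API.
              await github.rest.issues.createComment({
                ...context.repo,
                issue_number: context.payload.pull_request.number,
                body: 'This repository only accepts pull requests from organization members and collaborators. Your PR has been closed automatically.',
              });
            }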