spawn/.github/workflows/gate.yml

name: Gate

on:
  pull_request_target:
    types: [opened]

permissions:
  issues: write
  pull-requests: write

jobs:
  check-membership:
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership and close if external
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b  # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const sender = context.payload.sender.login;
            const { owner, repo } = context.repo;

            // Check if user is an org member
            let isMember = false;
            try {
              const { status } = await github.rest.orgs.checkMembershipForUser({
                org: owner,
                username: sender,
              });
              isMember = status === 204 || status === 302;
            } catch (e) {
              isMember = false;
            }

            if (isMember) {
              console.log(`${sender} is an org member of ${owner}, allowing.`);
              return;
            }

            // Check if user is a repo collaborator
            let isCollaborator = false;
            try {
              const { status } = await github.rest.repos.checkCollaborator({
                owner,
                repo,
                username: sender,
              });
              isCollaborator = status === 204;
            } catch (e) {
              isCollaborator = false;
            }

            if (isCollaborator) {
              console.log(`${sender} is a collaborator on ${owner}/${repo}, allowing.`);
              return;
            }

            console.log(`${sender} is NOT a member or collaborator, closing PR.`);

            await github.rest.pulls.update({
              ...context.repo,
              pull_number: context.payload.pull_request.number,
              state: 'closed',
            });
            await github.rest.issues.createComment({
              ...context.repo,
              issue_number: context.payload.pull_request.number,
              body: 'This repository only accepts pull requests from organization members and collaborators. Your PR has been closed automatically.',
            });