From 24d7b524d75af00f6d3bb48b9ef03488e001c835 Mon Sep 17 00:00:00 2001
From: Steven Chong <25894545+teamchong@users.noreply.github.com>
Date: Mon, 15 Jun 2026 18:17:45 -0400
Subject: [PATCH] ci: gate Bonk on author_association instead of an org-membership API call

Both Bonk workflows previously authorized the triggering user with a dedicated step that called the GitHub API at /orgs/cloudflare/members/{user}. That required provisioning and storing a READ_ONLY_ORG_GITHUB_TOKEN secret and cost an extra API round-trip on every invocation. The webhook payload already carries what we need: author_association describes the actor's relationship to the repository, is populated by GitHub itself (so the commenter can't forge it), and reports MEMBER for organization members regardless of whether their membership is public. Gating each job's `if:` on that field lets us drop the extra step and the token entirely. This admits MEMBER, OWNER, and COLLABORATOR. COLLABORATOR is broader than the old org-membership check: it also includes outside collaborators who have been granted access to this repository without being part of the Cloudflare org. That is intentional -- anyone trusted with collaborator access on the repo should be able to invoke Bonk -- but it is a real widening of the trust boundary relative to the previous behavior, and worth calling out, since these jobs run with contents/issues/ pull-requests write and the Cloudflare AI Gateway secrets. READ_ONLY_ORG_GITHUB_TOKEN is no longer referenced by any workflow and can be deprovisioned.

---
 .github/workflows/bonk-pr-review.yml | 23 ++++++-----------------
 .github/workflows/bonk.yml | 25 ++++++++----------------
 2 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/.github/workflows/bonk-pr-review.yml b/.github/workflows/bonk-pr-review.yml
index a19e00b..9411393 100644
--- a/.github/workflows/bonk-pr-review.yml
+++ b/.github/workflows/bonk-pr-review.yml
@@ -9,7 +9,12 @@ jobs:
     # Skip Version Packages PRs (auto-generated by the changesets action) since they don't need a Bonk review
     if: |
       github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name &&
-      !(github.event.pull_request.base.repo.owner.login == 'cloudflare' && github.event.pull_request.head.ref == 'changeset-release/main')
+      !(github.event.pull_request.base.repo.owner.login == 'cloudflare' && github.event.pull_request.head.ref == 'changeset-release/main') &&
+      (
+        github.event.pull_request.author_association == 'MEMBER' ||
+        github.event.pull_request.author_association == 'COLLABORATOR' ||
+        github.event.pull_request.author_association == 'OWNER'
+      )
     runs-on: ubuntu-latest
     timeout-minutes: 30
     concurrency:
@@ -21,22 +26,6 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - name: Check if PR author is Cloudflare org member
-        run: |
-          STATUS=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/orgs/cloudflare/members/${PR_AUTHOR}" \
-            --silent -i 2>/dev/null | head -1 | awk '{print $2}') || true
-          if [ "$STATUS" != "204" ]; then
-            echo "User ${PR_AUTHOR} is not a member of the Cloudflare organization"
-            exit 1
-          fi
-          echo "User ${PR_AUTHOR} is a Cloudflare org member"
-        env:
-          GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }}
-          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
-
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
diff --git a/.github/workflows/bonk.yml b/.github/workflows/bonk.yml
index e26078f..b9516ce 100644
--- a/.github/workflows/bonk.yml
+++ b/.github/workflows/bonk.yml
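Review bot: The new author_association clause is now the job's trust boundary, but nothing in the workflow documents it: the comment above `if:` still describes only the changeset-release skip, so a later reader will not know that COLLABORATOR was admitted deliberately or that it widens access beyond org members to outside collaborators on this repository, which the commit message explains but the file does not. Add a comment directly above the condition such as `# Only members of the owning org, repo owners and repo collaborators may trigger a Bonk review; author_association is populated by GitHub, not taken from the PR author, so it cannot be spoofed via the payload.` The same comment belongs above the `if:` in the first hunk of bonk.yml, where the field is `comment.author_association`. As a style point, this file keeps `if: |` while bonk.yml switches to `if: >-`; both evaluate the same expression, but using one block style across the two workflows makes the gates easier to compare side by side.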
@@ -12,7 +12,14 @@ concurrency:
 
 jobs:
   bonk:
-    if: github.event.sender.type != 'Bot' && (contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk'))
+    if: >-
+      github.event.sender.type != 'Bot' &&
+      (contains(github.event.comment.body, '/bonk') || contains(github.event.comment.body, '@ask-bonk')) &&
+      (
+        github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'COLLABORATOR' ||
+        github.event.comment.author_association == 'OWNER'
+      )
     runs-on: ubuntu-latest
     timeout-minutes: 60
     permissions:
@@ -21,22 +28,6 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - name: Check if comment author is Cloudflare org member
-        run: |
-          STATUS=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/orgs/cloudflare/members/${COMMENT_AUTHOR}" \
-            --silent -i 2>/dev/null | head -1 | awk '{print $2}') || true
-          if [ "$STATUS" != "204" ]; then
-            echo "User ${COMMENT_AUTHOR} is not a member of the Cloudflare organization"
-            exit 1
-          fi
-          echo "User ${COMMENT_AUTHOR} is a Cloudflare org member"
-        env:
-          GH_TOKEN: ${{ secrets.READ_ONLY_ORG_GITHUB_TOKEN }}
-          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
-
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
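Review bot: With the membership step removed, this job-level `if:` is the only control between an issue comment and a run that holds contents/issues/pull-requests write plus the AI Gateway secrets, and the checkout step's `with:` block, which decides what ref gets checked out, lies outside the hunk. If that step checks out the PR head of a fork-originated PR, the gate is load-bearing and should be marked as such so it is not loosened casually, e.g. `# Authorization gate: do not relax without re-checking what the checkout step pulls into this privileged job.` A second effect of moving the check into `if:` is that a rejected `/bonk` now yields a skipped job instead of a failed step with a log line, so there is no run left to inspect when an unauthorized invocation needs to be audited; if that visibility mattered, a separate job with no permissions and no secrets, running on the inverse condition and logging `github.actor` and `github.event.comment.author_association`, would restore it without reopening the gate.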