From 246fde35045c7760d38cdfd2544090ca41d3c09a Mon Sep 17 00:00:00 2001 From: Bill Murdock Date: Wed, 20 May 2026 10:45:09 -0400 Subject: [PATCH 1/2] fix: treat unverifiable submitter access as warning instead of error The collaborator API requires admin access on the target repo, which the Actions token never has for external repos. This caused all leaderboard submissions for org-owned repos to fail CI with a false "no access" error. Align the GitHub path with the non-GitHub fallback: warn maintainers to verify manually rather than blocking the PR. Fixes CI for #448. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/leaderboard.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/leaderboard.yml b/.github/workflows/leaderboard.yml index e0f55c33..e7cc1da1 100644 --- a/.github/workflows/leaderboard.yml +++ b/.github/workflows/leaderboard.yml @@ -155,13 +155,14 @@ jobs: if [ "$HOST" = "github" ]; then # GitHub: verify via API ORG_REPO=$(echo "$REPO_URL" | sed 's|git@github.com:||' | sed 's|https://github.com/||' | sed 's|\.git$||') - if gh api "/repos/$ORG_REPO/collaborators/$SUBMITTER" 2>/dev/null; then + HTTP_CODE=$(gh api "/repos/$ORG_REPO/collaborators/$SUBMITTER" --silent 2>/dev/null; echo $?) + if [ "$HTTP_CODE" = "0" ]; then echo "✅ $SUBMITTER is a collaborator on $ORG_REPO" elif [ "$(gh api "/repos/$ORG_REPO" -q '.owner.login')" == "$SUBMITTER" ]; then echo "✅ $SUBMITTER is the owner of $ORG_REPO" else - echo "::error::$SUBMITTER does not have commit access to $ORG_REPO" - exit 1 + echo "::warning::Cannot verify submitter access for $ORG_REPO (API returned 403). Manual review required." + echo "⚠️ Submitter access must be verified manually by maintainers." fi else # Non-GitHub: cannot verify cross-platform access automatically From 10309b257dec6ff49bdb8baf4a0de4ab5999eea1 Mon Sep 17 00:00:00 2001 From: Bill Murdock Date: Wed, 20 May 2026 11:59:20 -0400 Subject: [PATCH 2/2] fix: simplify submitter access check per review feedback Drop the intermediate HTTP_CODE variable and restore the original inline `if gh api ...; then` pattern. Replace the hardcoded "403" in the warning message with the generic "API check failed". Co-Authored-By: Claude Opus 4.6 --- .github/workflows/leaderboard.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/leaderboard.yml b/.github/workflows/leaderboard.yml index e7cc1da1..2102ba01 100644 --- a/.github/workflows/leaderboard.yml +++ b/.github/workflows/leaderboard.yml @@ -155,13 +155,12 @@ jobs: if [ "$HOST" = "github" ]; then # GitHub: verify via API ORG_REPO=$(echo "$REPO_URL" | sed 's|git@github.com:||' | sed 's|https://github.com/||' | sed 's|\.git$||') - HTTP_CODE=$(gh api "/repos/$ORG_REPO/collaborators/$SUBMITTER" --silent 2>/dev/null; echo $?) - if [ "$HTTP_CODE" = "0" ]; then + if gh api "/repos/$ORG_REPO/collaborators/$SUBMITTER" --silent 2>/dev/null; then echo "✅ $SUBMITTER is a collaborator on $ORG_REPO" elif [ "$(gh api "/repos/$ORG_REPO" -q '.owner.login')" == "$SUBMITTER" ]; then echo "✅ $SUBMITTER is the owner of $ORG_REPO" else - echo "::warning::Cannot verify submitter access for $ORG_REPO (API returned 403). Manual review required." + echo "::warning::Cannot verify submitter access for $ORG_REPO (API check failed). Manual review required." echo "⚠️ Submitter access must be verified manually by maintainers." fi else