ci: use GH API to get reviewer permissions

serhalp · serhalp · commit 05183de189e8 · 2026-04-06T18:27:34.000-04:00
diff --git a/.github/workflows/remove-needs-review-on-review.yml b/.github/workflows/remove-needs-review-on-review.yml
@@ -8,23 +8,44 @@ on:
 jobs:
   remove-needs-review:
     name: 🏷️ Remove needs review label
-    if: github.repository == 'npmx-dev/npmx.dev' && contains(fromJson('["MEMBER","OWNER"]'), github.event.review.author_association)
+    if: github.repository == 'npmx-dev/npmx.dev'
     runs-on: ubuntu-slim
     permissions:
+      contents: read
       issues: write
     steps:
       - name: 🏷️ Remove needs review label
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const pr = context.payload.pull_request;
+            const review = context.payload.review;
             const LABEL = 'needs review';
+            const reviewer = review?.user?.login;
+
+            if (!reviewer) {
+              console.log('No reviewer login found in payload, skipping.');
+              return;
+            }
 
             if (!pr.labels.some(({ name }) => name === LABEL)) {
               console.log(`PR #${pr.number} does not have the "${LABEL}" label.`);
               return;
             }
 
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: reviewer,
+            });
+
+            console.log(`Reviewer @${reviewer} permission is "${permission.permission}".`);
+
+            if (!['admin', 'maintain', 'write'].includes(permission.permission)) {
+              console.log(`Reviewer @${reviewer} is not a maintainer, skipping.`);
+              return;
+            }
+
             await github.rest.issues.removeLabel({
               owner: context.repo.owner,
               repo: context.repo.repo,
