From 02311be51ae4b2604590ae24b19561d30bee51c7 Mon Sep 17 00:00:00 2001
From: notgitika
Date: Mon, 4 May 2026 17:59:55 -0400
Subject: [PATCH] fix: use GitHub Teams for E2E authorization instead of AUTHORIZED_USERS secret

Replace the AUTHORIZED_USERS secret-based check with a GitHub Teams membership check against aws/agentcore-devex-devs. The secret was silently overwritten on Apr 29, causing all E2E tests to skip on PRs with no visible error. Team membership is managed by org admins and changes are tracked in GitHub's org audit log, preventing silent overwrites. Requires a TEAM_CHECK_TOKEN secret (PAT with read:org scope) to query team membership via the GitHub API.
---
 .github/workflows/e2e-tests.yml | 44 +++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index e5f4aa9e2..8f74dcfde 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -23,23 +23,35 @@ jobs:
 outputs:
 is_authorized: ${{ steps.check.outputs.is_authorized }}
 steps:
- - name: Check authorization
+ - name: Check team membership
 id: check
- run: |
- if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
- echo "✅ Manual workflow dispatch — authorized"
- echo "is_authorized=true" >> "$GITHUB_OUTPUT"
- exit 0
- fi
- AUTHORIZED_USERS="${{ secrets.AUTHORIZED_USERS }}"
- if [[ ",$AUTHORIZED_USERS," == *",${{ github.actor }},"* ]]; then
- echo "✅ User ${{ github.actor }} is authorized"
- echo "is_authorized=true" >> "$GITHUB_OUTPUT"
- else
- echo "⏭️ User ${{ github.actor }} is not in AUTHORIZED_USERS — skipping E2E tests."
- echo "ℹ️ External contributors: ask a maintainer to run the E2E tests manually via workflow_dispatch."
- echo "is_authorized=false" >> "$GITHUB_OUTPUT"
- fi
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.TEAM_CHECK_TOKEN }}
+ script: |
+ if (context.eventName === 'workflow_dispatch') {
+ core.info('✅ Manual workflow dispatch — authorized');
+ core.setOutput('is_authorized', 'true');
+ return;
+ }
+ try {
+ const { data } = await github.rest.teams.getMembershipForUserInOrg({
+ org: 'aws',
+ team_slug: 'agentcore-devex-devs',
+ username: context.actor,
+ });
+ if (data.state === 'active') {
+ core.info(`✅ User ${context.actor} is a member of aws/agentcore-devex-devs`);
+ core.setOutput('is_authorized', 'true');
+ } else {
+ core.info(`⏭️ User ${context.actor} has pending membership — skipping E2E tests.`);
+ core.setOutput('is_authorized', 'false');
+ }
+ } catch (error) {
+ core.info(`⏭️ User ${context.actor} is not a member of aws/agentcore-devex-devs — skipping E2E tests.`);
+ core.info('ℹ️ External contributors: ask a maintainer to run the E2E tests manually via workflow_dispatch.');
+ core.setOutput('is_authorized', 'false');
+ }
 e2e:
 needs: authorize
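Review bot: The `catch (error)` at the end of the new script maps every failure — an invalid or expired `TEAM_CHECK_TOKEN`, a 401/403, a rate limit, a network error — to "not a member" and a silent skip with `is_authorized=false`, which reproduces the silent-skip failure mode the commit message says it is fixing. Octokit request errors carry `error.status`, so only a 404 should be read as non-membership and anything else should `core.setFailed` so the broken check is visible on the PR; the rewritten catch block is below. If this workflow also runs on `pull_request` events from forks, the secret is presumably empty in that context and the call would land in the same catch, so that case should be confirmed and documented on the step rather than left to look like a membership result. The enclosing `authorize` job starts before this hunk.
```yaml
          script: |
            // … unchanged: workflow_dispatch short-circuit, try block and membership branches …
            } catch (error) {
              // Only a 404 means "not a member"; anything else (bad/expired TEAM_CHECK_TOKEN,
              // rate limit, outage) must fail loudly instead of silently skipping E2E.
              if (error.status !== 404) {
                core.setFailed(`Team membership check failed (status ${error.status ?? 'unknown'}): ${error.message}`);
                return;
              }
              core.info(`⏭️ User ${context.actor} is not a member of aws/agentcore-devex-devs — skipping E2E tests.`);
              // … unchanged: external-contributor hint and is_authorized=false …
            }
```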