Authorization Check Action A reusable GitHub Action that validates user permissions and determines the appropriate approval environment for workflow execution.
Validates user permissions via GitHub's collaborator API Configurable role-based authorization via allowed-roles input Supports auto-approval for users with matching roles Handles workflow_dispatch events with automatic approval Safe defaults: requires manual approval on errors or insufficient permissions Clear logging of authorization decisions jobs : authorization-check : permissions : read-all runs-on : ubuntu-latest outputs : approval-env : ${{ steps.auth.outputs.approval-env }} steps : - name : Check Authorization id : auth uses : strands-agents/devtools/authorization-check@main with : skip-check : ${{ github.event_name == 'workflow_dispatch' }} username : ${{ github.event.comment.user.login }} allowed-roles : ' triage,write,admin' protected-job : needs : [authorization-check] environment : ${{ needs.authorization-check.outputs.approval-env }} runs-on : ubuntu-latest steps : - run : echo "This job requires approval based on user permissions" Input Description Required Default skip-checkSkip collaborator check (for workflow_dispatch events) No false usernameUsername to check Yes - allowed-rolesComma-separated list of allowed roles (e.g., "triage,write,admin") Yes -
Output Description Values approval-envApproval environment name auto-approve or manual-approval
Collaborator Check Mode (skip-check: false) Calls GitHub API: repos.getCollaboratorPermissionLevel Checks user's role_name against the roles specified in allowed-roles input Returns: auto-approve: User has a role matching one in allowed-rolesmanual-approval: User lacks matching role or API error occurs Skip Check Mode (skip-check: true) Always returns auto-approve Used for workflow_dispatch events or trusted contexts