Authorization Check Action A reusable GitHub Action that validates user permissions and determines the appropriate approval environment for workflow execution.
Validates user permissions via GitHub's collaborator API
Configurable role-based authorization via allowed-roles input
Supports auto-approval for users with matching roles
Handles workflow_dispatch events with automatic approval
Safe defaults: requires manual approval on errors or insufficient permissions
Clear logging of authorization decisions
jobs :
authorization-check :
permissions :
contents : read
runs-on : ubuntu-latest
outputs :
approval-env : ${{ steps.auth.outputs.approval-env }}
steps :
- name : Check Authorization
id : auth
uses : strands-agents/devtools/authorization-check@main
with :
skip-check : ${{ github.event_name == 'workflow_dispatch' }}
username : ${{ github.event.comment.user.login }}
allowed-roles : ' triage,write,admin' protected-job :
needs : [authorization-check]
environment : ${{ needs.authorization-check.outputs.approval-env }}
runs-on : ubuntu-latest
steps :
- run : echo "This job requires approval based on user permissions"
Input
Description
Required
Default
skip-checkSkip collaborator check (for workflow_dispatch events)
No
false
usernameUsername to check
Yes
-
allowed-rolesComma-separated list of allowed roles (e.g., "triage,write,admin")
Yes
-
Output
Description
Values
approval-envApproval environment name
auto-approve or manual-approval
Collaborator Check Mode (skip-check: false)
Calls GitHub API: repos.getCollaboratorPermissionLevel
Checks user's role_name against the roles specified in allowed-roles input
Returns:
auto-approve: User has a role matching one in allowed-rolesmanual-approval: User lacks matching role or API error occurs
Skip Check Mode (skip-check: true)
Always returns auto-approve
Used for workflow_dispatch events or trusted contexts