From f7d43f8be5780d40d92ba6bf0e9c3a3e6d576262 Mon Sep 17 00:00:00 2001
From: Steven Serrata <9343811+sserrata@users.noreply.github.com>
Date: Wed, 16 Jul 2025 11:32:16 -0500
Subject: [PATCH] Improve org membership check

---
 .github/workflows/build-perf.yml     |  4 ++++
 .github/workflows/deploy-preview.yml | 17 ++++++++++++-----
 .github/workflows/release-beta.yaml  |  2 +-
 .github/workflows/release.yaml       |  2 +-
 .github/workflows/validate.yaml      |  8 ++++++++
 5 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build-perf.yml b/.github/workflows/build-perf.yml
index 1fae8af4b..826dbcd31 100644
--- a/.github/workflows/build-perf.yml
+++ b/.github/workflows/build-perf.yml
@@ -13,6 +13,8 @@ jobs:
     name: Build Size Report
     timeout-minutes: 30
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
@@ -34,6 +36,8 @@ jobs:
     name: Build Time Perf
     timeout-minutes: 30
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
index df88209cd..bd8aa5ebc 100644
--- a/.github/workflows/deploy-preview.yml
+++ b/.github/workflows/deploy-preview.yml
@@ -17,12 +17,19 @@ jobs:
     steps:
       - name: Check if actor is org member
         id: is-org-member
-        run: echo "is-org-member-result=$(gh api -X GET orgs/PaloAltoNetworks/memberships/${{ github.actor }} | jq -r .message)" >> "$GITHUB_OUTPUT"
-    env:
-      GH_TOKEN: ${{ secrets.PAT }}
+        run: |
+          status=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/orgs/PaloAltoNetworks/members/${{ github.actor }})
+          if [ "$status" = "204" ]; then
+            echo "is-org-member-result=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is-org-member-result=false" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.PAT }}
 
   analyze:
-    if: github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' && needs.precheck.outputs.is-org-member-result == 'null'
+    if: github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' && needs.precheck.outputs.is-org-member-result == 'true'
     name: Analyze
     needs: precheck
     runs-on: ubuntu-latest
@@ -50,7 +57,7 @@ jobs:
         uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
 
   analyze_unsafe:
-    if: github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' && needs.precheck.outputs.is-org-member-result != 'null'
+    if: github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' && needs.precheck.outputs.is-org-member-result == 'false'
     name: Analyze Unsafe
     needs: precheck
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-beta.yaml b/.github/workflows/release-beta.yaml
index fa869089e..cd6a158c6 100644
--- a/.github/workflows/release-beta.yaml
+++ b/.github/workflows/release-beta.yaml
@@ -22,7 +22,7 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
       - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
         with:
-          node-version: "*"
+          node-version: "20"
           registry-url: "https://registry.npmjs.org"
       - name: Release Beta
         run: npx ts-node --transpile-only scripts/publish-beta.ts
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1dfaa704f..0e2f4e648 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -23,7 +23,7 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
       - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
         with:
-          node-version: "*"
+          node-version: "20"
           registry-url: "https://registry.npmjs.org"
       - name: Release
         run: npx ts-node --transpile-only scripts/publish.ts
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 27d93d2cc..8df506f67 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -14,6 +14,8 @@ jobs:
     if: ${{ github.repository == 'PaloAltoNetworks/docusaurus-openapi-docs' }}
     name: Prepare Cache
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
@@ -34,6 +36,8 @@ jobs:
     name: Lint
     needs: prepare-yarn-cache
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
@@ -57,6 +61,8 @@ jobs:
     name: Test
     needs: prepare-yarn-cache
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
@@ -78,6 +84,8 @@ jobs:
     name: Cypress
     needs: prepare-yarn-cache
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4