Integrity filtering filters content by org admins (it doesn't know about org admin status of a user)

[dsyme]

Problem

If you are admin in an org, but don't have explicit status in a repo, then GitHub reports you as having "CONTRIBUTOR" status in the repo. As a result, your comments etc. will be default be filtered.

This is a fundamental limitation of the GitHub API and what you can do with the GITHUB_TOKEN for GitHub Actions.

Workarounds

One workaround is to add the user as an admin/maintain/write on the particular repository. This will mean they have COLLABORATOR or similar permission.

Another workaround is to use a GitHub App or to register a PAT for integrity filtering with org membership access permission.

Another workaround is to disable integrity filtering for the repository via min-integrity: none

[pelikhan]

@lpcox we should consider supporting a github app to mint a token that can query org level properties like this.

[dsyme]

Seems it's possible and we already do it for /slash_command filting (see checkRepositoryPermission) invoked via this YAML:

- name: Check team membership for command workflow
        id: check_membership
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GH_AW_REQUIRED_ROLES: "admin,maintainer,write"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
            setupGlobals(core, github, context, exec, io);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs');
            await main();

Don asks:

I seem to be able to call this using the standard GitHub Actions token

const repoPermission = await github.rest.repos.getCollaboratorPermissionLevel({
      owner,
      repo,
      username: actor,
    });

for the actor on an event

GPT says:

You’ve stumbled onto one of those GitHub quirks where the documentation suggests one thing, but the runtime behaviour is more permissive than expected. And yes — what you’re seeing is real and consistent with how GitHub Actions behaves today.
Let’s unpack what’s going on so you can rely on it with confidence (or avoid relying on it if it’s too shaky for your use case).
🔍 Why getCollaboratorPermissionLevel works with the default GITHUB_TOKEN
Even though GitHub says the GITHUB_TOKEN is scoped to the repository and cannot inspect user permissions broadly, it can call:
CodeGET /repos/{owner}/{repo}/collaborators/{username}/permissionas long as:
The workflow is running inside that repository, and
You are querying the same repository.
This endpoint is considered repo‑scoped, not org‑scoped, so GitHub allows it.
That’s why your code works:
jsconst repoPermission = await github.rest.repos.getCollaboratorPermissionLevel({
owner,
repo,
username: actor,
});You’re not asking GitHub:
“What permissions does this user have across the org?”
“What teams are they in?”
“Are they an org admin?”
You’re asking:
“For this repository, what is this user’s permission level?”
And GitHub considers that safe for the workflow token to answer.