@Ubayed-Bin-Sufian Ubayed-Bin-Sufian commented Dec 17, 2025

Fixes: #18

Summary by Sourcery

Improve the organization onboarding GitHub Action to better handle missing secrets, distinguish between existing members and new invites, and provide clearer feedback messages.

Bug Fixes:

  • Stop treating a valid but unset ORG_ADMIN_TOKEN as an invalid runtime token inside the GitHub Script step by relying on an explicit pre-check instead.
  • Correct organization membership handling by first checking existing membership and only attempting to invite users who are not yet members, avoiding failures when users already belong to the org.

Enhancements:

  • Add an explicit debug step to detect and fail early when the ORG_ADMIN_TOKEN secret is not available in the workflow environment.
  • Refine onboarding comments to clearly differentiate between new invitations and existing active members, and to provide actionable guidance when an invitation is pending.
  • Improve error reporting for failures when retrieving organization membership or sending invitations, including more descriptive user-facing messages.


@sourcery-ai sourcery-ai bot left a comment

Sorry @Ubayed-Bin-Sufian, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery


Copilot AI left a comment

Pull request overview

This PR improves the onboarding workflow by enhancing user-facing messages and removing a redundant token validation check. The changes aim to provide clearer feedback based on whether a user is newly invited or already a member.

  • Adds a debug step to verify the presence of ORG_ADMIN_TOKEN before execution
  • Refactors org membership logic to distinguish between new invitations and existing memberships
  • Improves messaging to provide context-specific instructions based on membership status

Ubayed-Bin-Sufian and others added 4 commits December 18, 2025 09:43
Wrap setMembershipForUser call in try-catch to provide user feedback
and graceful failure when organization invitation fails.
Use membership.data.state to accurately determine if user needs to
accept invitation, rather than relying solely on invited flag.
@Ubayed-Bin-Sufian

@sourcery-ai review

sourcery-ai bot commented Dec 19, 2025

Reviewer's Guide

GitHub Actions onboarding workflow was updated to validate the presence of the org admin token at the shell level, refine how organization membership is checked and invitations are sent, and improve the clarity and robustness of the onboarding status messaging posted back to the issue.

Sequence diagram for the updated onboarding GitHub Action workflow

sequenceDiagram
    actor User
    participant GitHub
    participant Workflow_org_invite
    participant GitHub_API

    User->>GitHub: Open onboarding issue
    GitHub-->>Workflow_org_invite: Trigger org-invite-codeheat workflow

    rect rgb(230,230,230)
      Workflow_org_invite->>Workflow_org_invite: Debug secret presence step
      Workflow_org_invite->>Workflow_org_invite: Read ORG_ADMIN_TOKEN from secrets
      alt ORG_ADMIN_TOKEN missing
        Workflow_org_invite-->>GitHub: Log ORG_ADMIN_TOKEN is NOT available
        Workflow_org_invite-->>Workflow_org_invite: Exit with failure
      else ORG_ADMIN_TOKEN present
        Workflow_org_invite-->>GitHub: Log ORG_ADMIN_TOKEN is available
      end
    end

    Workflow_org_invite->>GitHub_API: getMembershipForUser(org, username)
    alt Membership found (200)
      GitHub_API-->>Workflow_org_invite: membership(state = active or pending)
      Workflow_org_invite->>GitHub_API: addOrUpdateTeamMembershipForUser(org, team_slug, username)
      GitHub_API-->>Workflow_org_invite: teamMembership or error
      Workflow_org_invite-->>GitHub: Post onboarding comment with orgStatusLine "Org membership: already active" or orgStatusLine with membership state
      Workflow_org_invite-->>GitHub: Close issue (best effort)
    else Membership not found (404)
      GitHub_API-->>Workflow_org_invite: 404 not found error
      Workflow_org_invite->>GitHub_API: setMembershipForUser(org, username)
      alt Invitation succeeds
        GitHub_API-->>Workflow_org_invite: membership(state = pending)
        Workflow_org_invite->>GitHub_API: addOrUpdateTeamMembershipForUser(org, team_slug, username)
        GitHub_API-->>Workflow_org_invite: teamMembership or error
        Workflow_org_invite-->>GitHub: Post onboarding comment with orgStatusLine "Org invitation" and actionMessage
        Workflow_org_invite-->>GitHub: Close issue (best effort)
      else Invitation fails
        GitHub_API-->>Workflow_org_invite: inviteError
        Workflow_org_invite-->>GitHub: Comment Onboarding failed (invite error)
        Workflow_org_invite-->>Workflow_org_invite: Mark job failed
      end
    else Unexpected error retrieving membership
      GitHub_API-->>Workflow_org_invite: error(status != 404)
      Workflow_org_invite-->>GitHub: Comment Onboarding failed (membership lookup)
      Workflow_org_invite-->>Workflow_org_invite: Mark job failed
    end

File-Level Changes

| Change | Details | Files |
| --- | --- | --- |
| Add an explicit shell-level check to ensure the ORG_ADMIN_TOKEN secret is present before running the onboarding script. | • Introduce a preliminary workflow step that reads ORG_ADMIN_TOKEN from secrets into the environment and conditionally exits with a non-zero status if it is missing or empty<br>• Log a clear success or failure message about ORG_ADMIN_TOKEN availability to aid in diagnosing misconfigured secrets | .github/workflows/org-invite-codeheat.yml |
| Refine org membership handling so that existing members are detected via getMembershipForUser and only missing users are invited, with clearer failure messages. | • Replace the direct setMembershipForUser call with getMembershipForUser to check for existing organization membership<br>• Handle 404 from getMembershipForUser as a signal to attempt an org invitation using setMembershipForUser<br>• Add tailored error handling and comments for failures when fetching membership or sending invitations, marking the workflow as failed and guiding maintainers on what went wrong | .github/workflows/org-invite-codeheat.yml |
| Improve onboarding status comment formatting to distinguish between new invites and existing members, and provide next-step guidance to the user. | • Introduce an invited flag to track whether the workflow sent a new org invite or found an existing active member<br>• Generate separate status lines for org invitation vs existing membership and for team membership success/failure<br>• Add conditional guidance telling users to accept pending invitations or confirming that no further action is required, and tweak the overall success message wording | .github/workflows/org-invite-codeheat.yml |

Assessment against linked issues

| Issue | Objective | Addressed | Explanation |
| --- | --- | --- | --- |
| #18 | Differentiate onboarding messaging between newly invited users and existing organization/team members, including clear instructions for pending invitations and explicit messaging that existing members are already onboarded. | | |
| #18 | Remove the misleading ORG_ADMIN_TOKEN validation inside the github-script step that caused false-negative failures, while still ensuring the secret is present in a reliable way. | | |
| #18 | Preserve the existing behavior of closing the issue after processing the onboarding request, without attempting to wait for invitation acceptance events. | | |

@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The separate Debug secret presence step will now fail the workflow before any user-facing comment is posted if ORG_ADMIN_TOKEN is missing; if you still want contributors to get guidance in-issue, consider keeping a lightweight in-script validation or adding an explicit issue comment in this early step before exiting.
  • The Debug secret presence step permanently logs whether ORG_ADMIN_TOKEN exists on every run; if this is only needed for troubleshooting, consider guarding it behind a condition (e.g., on a debug input or branch) or removing it once the issue is resolved.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The separate `Debug secret presence` step will now fail the workflow before any user-facing comment is posted if `ORG_ADMIN_TOKEN` is missing; if you still want contributors to get guidance in-issue, consider keeping a lightweight in-script validation or adding an explicit issue comment in this early step before exiting.
- The `Debug secret presence` step permanently logs whether `ORG_ADMIN_TOKEN` exists on every run; if this is only needed for troubleshooting, consider guarding it behind a condition (e.g., on a debug input or branch) or removing it once the issue is resolved.

## Individual Comments

### Comment 1
<location> `.github/workflows/org-invite-codeheat.yml:131-133` </location>
<code_context>
               );
             }

+            const orgStatusLine = invited
+              ? `• Org invitation: **${membership.data.state}**\n`
+              : `• Org membership: **already active**\n`;
+
             const teamStatusLine = teamMembership
</code_context>

<issue_to_address>
**issue (bug_risk):** Org membership text can be incorrect for existing but pending members.

When `getMembershipForUser` returns `state === 'pending'` for an existing membership, `invited` stays `false`, so `orgStatusLine` becomes `"• Org membership: **already active**"`, even though the later `actionMessage` logic correctly treats this as pending. Please derive `orgStatusLine` from `membership.data.state` in both cases (or at least special-case `pending` when `invited === false`) so the status text matches the actual membership state.
</issue_to_address>

Comment on lines +131 to +133
const orgStatusLine = invited
? `• Org invitation: **${membership.data.state}**\n`
: `• Org membership: **already active**\n`;
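Review bot: the two branches of orgStatusLine take the same fact from different sources: the invited branch interpolates membership.data.state with no fallback, while the other branch prints a fixed "already active" and ignores the state. Read membership.data.state once, map it to a label with a default for a missing or unexpected value (which would otherwise render as **undefined**), and let invited choose only the prefix, "Org invitation" or "Org membership".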
issue (bug_risk): Org membership text can be incorrect for existing but pending members.

When getMembershipForUser returns state === 'pending' for an existing membership, invited stays false, so orgStatusLine becomes "• Org membership: **already active**", even though the later actionMessage logic correctly treats this as pending. Please derive orgStatusLine from membership.data.state in both cases (or at least special-case pending when invited === false) so the status text matches the actual membership state.
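The lookup-then-invite flow from the Reviewer's Guide, together with the status-line fix requested in the review comment above, as an added example that is not code from this pull request. `makeStubOrgs`, the `example-org` name, the sample users and the wording of the action messages are constructed for illustration; only `getMembershipForUser`, `setMembershipForUser` and the 404 handling come from the thread.

```javascript
// Added illustration, not the workflow's script. `orgs` stands for github.rest.orgs.

// Look up first; invite only on 404. Other errors propagate so the caller can fail the job.
async function ensureOrgMembership(orgs, org, username) {
  try {
    const res = await orgs.getMembershipForUser({ org, username });
    return { invited: false, state: res.data.state };
  } catch (err) {
    if (err.status !== 404) throw err;
  }
  const res = await orgs.setMembershipForUser({ org, username });
  return { invited: true, state: res.data.state };
}

// Derive the status line and the guidance from the same state value, so an
// existing-but-pending member is never reported as "already active".
function buildOrgStatus({ invited, state }) {
  const label = invited ? 'Org invitation' : 'Org membership';
  const shown = state === 'active' || state === 'pending' ? state : 'unknown';
  const actionMessage =
    shown === 'pending' ? 'Please accept the pending organization invitation.'
    : shown === 'active' ? 'No further action is required.'
    : 'Membership state could not be determined; a maintainer should check.';
  return { statusLine: `• ${label}: **${shown}**\n`, actionMessage };
}

// Constructed stub standing in for the GitHub API (hypothetical helper).
function makeStubOrgs(existing) {
  return {
    async getMembershipForUser({ username }) {
      if (username in existing) return { data: { state: existing[username] } };
      throw Object.assign(new Error('Not Found'), { status: 404 });
    },
    async setMembershipForUser({ username }) {
      existing[username] = 'pending';
      return { data: { state: 'pending' } };
    },
  };
}

// Constructed sample: alice is active, bob has a pending invite, carol is new.
async function demo() {
  const orgs = makeStubOrgs({ alice: 'active', bob: 'pending' });
  const out = {};
  for (const user of ['alice', 'bob', 'carol']) {
    out[user] = buildOrgStatus(await ensureOrgMembership(orgs, 'example-org', user));
  }
  return out;
}
```

The `bob` case is the one the review flags: an existing membership whose state is `pending` now yields a pending status line and the accept-invitation guidance instead of "already active".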

Development

Successfully merging this pull request may close these issues.

Improve onboarding workflow messaging for pending and existing members