From 51c24f67e1284365fa54828922c9a6fbd9c8b177 Mon Sep 17 00:00:00 2001
From: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com>
Date: Wed, 22 Oct 2025 10:34:18 +0530
Subject: [PATCH] fix(gha): allowlist staff, and revert commits (#62894)

---
 .github/workflows/github-no-web-commits.yml | 28 +++++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/github-no-web-commits.yml b/.github/workflows/github-no-web-commits.yml
index 268e0eeef67..b37dd5de879 100644
--- a/.github/workflows/github-no-web-commits.yml
+++ b/.github/workflows/github-no-web-commits.yml
@@ -21,16 +21,22 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const prAuthor = context.payload.pull_request.user.login;
-            const response = await github.rest.teams
-              .getMembershipForUserInOrg({
-                org: context.repo.owner,
-                team_slug: 'moderators',
-                username: prAuthor
-              })
-              .catch(() => ({ status: 404 }));
-            let isAllowListed = false;
-            if (prAuthor === 'renovate[bot]' || response.status === 200) {
-              isAllowListed = true;
+            const allowedTeams = ['moderators', 'staff'];
+            let isAllowListed = prAuthor === 'renovate[bot]';
+            if (!isAllowListed) {
+              for (const team of allowedTeams) {
+                const response = await github.rest.teams
+                  .getMembershipForUserInOrg({
+                    org: context.repo.owner,
+                    team_slug: team,
+                    username: prAuthor
+                  })
+                  .catch(() => ({ status: 404 }));
+                if (response.status === 200) {
+                  isAllowListed = true;
+                  break;
+                }
+              }
             }
             core.setOutput('is_allow_listed', isAllowListed);
 
@@ -40,7 +46,7 @@ jobs:
         run: |
           PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
           COMMITS_URL="https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/commits"
-          IS_GITHUB_COMMIT=$(curl --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$COMMITS_URL" | jq '[.[] | .commit.committer.name] | any(.[]; . == "GitHub")')
+          IS_GITHUB_COMMIT=$(curl --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$COMMITS_URL" | jq '[.[] | select(.commit.committer.name == "GitHub") | select(.commit.message | test("revert"; "i") | not)] | length > 0')
           if [ "$IS_GITHUB_COMMIT" = "true" ]; then
             echo "IS_GITHUB_COMMIT=true" >> $GITHUB_ENV
           fi