Skip to content

[FEATURE] Configuration file-based ACL for /agentready assess command #249

Closed
#251
Closed
[FEATURE] Configuration file-based ACL for /agentready assess command#249
#251
Labels
enhancementNew feature or requestreleased
@kami619

Description

@kami619
kami619
opened on Jan 14, 2026

Problem Statement

The /agentready assess command authorization in the GitHub Actions workflow (agentready-assessment.yml) is currently hardcoded to a single username (jeremyeder). This makes it difficult to manage access at scale, requiring direct workflow file edits to add or remove authorized users, and provides no audit trail for access changes.

Proposed Solution

Implement a configuration file-based ACL (Access Control List) at .github/agentready-acl.yml that defines authorized users for the /agentready assess command. The workflow would read this file to determine authorization, replacing the hardcoded username check.

Example configuration:

# Authorized users for /agentready assess command
authorized_users:
  - jeremyeder
  - contributor1
  - contributor2

Alternatives Considered

  1. GitHub Repository Variables: Store authorized users in a repository variable (e.g., AGENTREADY_ALLOWED_USERS). Pros: Easy to manage via GitHub UI. Cons: Less visible, no audit trail, requires repo admin access.

  2. GitHub Team Membership: Check if the user belongs to a specific GitHub team. Pros: Scalable, org-level control. Cons: Requires org admin setup, API calls, more complex implementation.

  3. CODEOWNERS Integration: Use CODEOWNERS file to determine authorization. Cons: Mixes code review responsibilities with command authorization.

Use Cases

  1. Multi-maintainer repositories: Projects with multiple maintainers can grant /agentready assess access to their team without modifying workflow files.
  2. Community contribution: External contributors can be granted access via a simple PR to add their username to the ACL.
  3. Access audit: Repository owners can easily see who has access by viewing the ACL file, with full git history of changes.
  4. Temporary access: Grant and revoke access through documented PRs, enabling review and approval workflows.

Additional Context

Current implementation in agentready-assessment.yml:

if: |
  (github.event_name == 'issue_comment' && contains(github.event.comment.body, '/agentready assess') && github.event.comment.user.login == 'jeremyeder') ||
  ...

Proposed workflow structure:

┌─────────────────┐
│  Comment Event  │
└────────┬────────┘
         ▼
┌─────────────────┐
│  check-acl job  │──► Read .github/agentready-acl.yml
└────────┬────────┘
         ▼
    ┌────┴────┐
    │Authorized?│
    └────┬────┘
    Yes  │  No
    ▼    ▼
┌──────┐ ┌────────────┐
│assess│ │unauthorized│
└──────┘ └────────────┘

Acceptance Criteria

  • Create .github/agentready-acl.yml schema with authorized_users list
  • Add check-acl job to workflow that reads and parses the ACL file
  • Update assess job to depend on check-acl output for authorization
  • Update unauthorized job to depend on check-acl output
  • Maintain backward compatibility with workflow_dispatch (always authorized)
  • Document the ACL file format and usage in README or contributing guide

Priority

How important is this feature to you?

  • Critical (blocking my work)
  • High (significantly improves workflow)
  • Medium (nice to have)
  • Low (minor enhancement)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestreleased

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions