Bug/issue-903

[madkoo]

This pull request enhances the handling of GitHub organization "Security Manager" teams by updating permissions, refactoring the teams plugin to use the new organization roles API, and improving normalization and matching of team names. It also adds robust error handling and expands test coverage to ensure correct behavior when working with security manager teams.

Key changes include:

Security Manager Team Handling:

• Refactored the teams plugin to use the new organization roles API (/orgs/{org}/organization-roles and /orgs/{org}/organization-roles/{role_id}/teams) to identify and exclude security manager teams from repository team management, replacing the deprecated security managers endpoint. The plugin now normalizes team names and slugs for accurate matching and skips deletion of security manager teams if role lookups fail gracefully.

Permissions and Documentation:

• Added the organization_custom_roles: read permission in app.yml and updated deployment documentation to reflect the new required permission for accessing organization roles.

Team Name Normalization:

• Improved normalization of team names and slugs throughout the teams plugin to ensure consistent matching and prevent unnecessary add/remove operations due to formatting differences.

Testing Enhancements:

• Expanded integration and unit tests to cover security manager team exclusion, error handling for failed API calls, and normalization logic, ensuring robust and predictable plugin behavior.

These changes ensure that security manager teams are properly identified and protected from accidental removal, while keeping the codebase up to date with GitHub API changes.

[Copilot]

Pull request overview

This PR updates the teams plugin to identify “Security Manager” teams via the GitHub Organization Roles API (instead of the deprecated security managers endpoint), improves team name/slug normalization to reduce churn, and updates required GitHub App permissions + docs, with expanded unit/integration test coverage.

Changes:

• Refactor security-manager team detection to use /orgs/{org}/organization-roles and /orgs/{org}/organization-roles/{role_id}/teams, with graceful failure behavior.
• Normalize team identifiers (name/slug) for matching and for getByName lookups.
• Add required organization_custom_roles: read permission and document it; expand tests to cover the new behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
lib/plugins/teams.js	Uses org roles API to discover security-manager teams, adds normalization helpers, and introduces deletion-skipping behavior on discovery failures.
test/unit/lib/plugins/teams.test.js	Adds/updates unit tests for security-manager exclusion, failure modes, and normalization behavior.
test/integration/plugins/teams.test.js	Extends integration test to mock org roles API calls and ensure security-manager teams aren’t removed.
docs/deploy.md	Documents the new “Custom organization roles: Read-only” permission requirement.
app.yml	Adds organization_custom_roles: read to app default permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.