Implementation:OpenHands OpenHands GithubManager Is Job Requested
| Knowledge Sources | |
|---|---|
| Domains | Platform_Integration, GitHub_API |
| Last Updated | 2026-02-11 21:00 GMT |
Overview
Concrete tool for validating user permissions and determining whether a GitHub webhook event qualifies for automated resolver job creation, provided by the OpenHands enterprise integration layer.
Description
GithubManager.is_job_requested evaluates an incoming webhook Message to decide whether it should trigger the creation of a resolver job. The method performs two distinct checks:
- Event qualification -- Determines whether the event type and content match the criteria for automated processing (e.g., the comment mentions the bot, the event is an issue or PR comment rather than a label change).
- Permission verification -- Calls the helper method _user_has_write_access_to_repo to confirm the triggering user has at least write-level access to the target repository.
The helper method _user_has_write_access_to_repo authenticates as the GitHub App installation, retrieves the user's permission level for the repository via the GitHub API, and checks that it meets the minimum threshold (write or admin).
Usage
This method is called internally by receive_message as a gate before proceeding with view creation and job dispatch. If it returns False, the entire webhook processing pipeline halts for that event.
Code Reference
Source Location
- Repository: OpenHands
- File:
enterprise/integrations/github/github_manager.py - Lines: L129-163 (is_job_requested), L103-127 (_user_has_write_access_to_repo)
Signature
async def is_job_requested(self, message: Message) -> bool:
Helper Signature
def _user_has_write_access_to_repo(
self,
installation_id: str,
full_repo_name: str,
username: str,
) -> bool:
Import
from integrations.github.github_manager import GithubManager
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| message | Message |
Yes | dict, and ephemeral: bool.
|
Helper method inputs:
| Name | Type | Required | Description |
|---|---|---|---|
| installation_id | str |
Yes | The GitHub App installation ID for the repository. |
| full_repo_name | str |
Yes | The full repository name in owner/repo format.
|
| username | str |
Yes | The GitHub username of the event sender. |
Outputs
| Name | Type | Description |
|---|---|---|
| result | bool |
True if the event qualifies for job creation and the user has write access; False otherwise.
|
Permission Check Logic
The _user_has_write_access_to_repo method follows this flow:
- Obtain an installation access token using the GitHub App's private key and the installation ID.
- Authenticate to the GitHub API using
github.Auth.Token(installation_token). - Call
repo.get_collaborator_permission(username)to retrieve the user's permission level. - Compare the returned permission string against the set
{"write", "admin"}. - Return
Trueif the user's level is in the allowed set,Falseotherwise. - On any exception (API error, network failure), return
False(fail-closed).
Usage Examples
Basic Usage
from integrations.github.github_manager import GithubManager
from integrations.models import Message, SourceType
manager = GithubManager(
token_manager=token_manager,
data_collector=data_collector,
)
message = Message(
source=SourceType.GITHUB,
message=webhook_payload_dict,
ephemeral=False,
)
# Check if this event should trigger a resolver job
should_process = await manager.is_job_requested(message)
if should_process:
# Proceed with view creation and job dispatch
...
Direct Permission Check
# Check if a specific user has write access
has_access = manager._user_has_write_access_to_repo(
installation_id="12345678",
full_repo_name="All-Hands-AI/OpenHands",
username="contributor-username",
)