gh-team-allowlist does not work with nested groups

[ben-dov]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

gh-team-allowlist does not work with nested groups. Important to note, because of issue #3627, I am using the environment variable ATLANTIS_GH_TEAM_ALLOWLIST instead. If this is not a bug but intended (not sure why), then the docs should mention it.

Reproduction Steps

1. create two Github groups A and B.
2. add group B under A.
3. have a user named C, and add him to group B.
4. add permission for group A to run atlantis plan (using ATLANTIS_GH_TEAM_ALLOWLIST).
5. try to run atlantis plan from a PR using user C (it will fail because of permissions).
6. add user C to group A (directly).
7. try to run atlantis plan from a PR using user C (it will succeed).

Additional Context

Atlantis version: 0.23.1

[jamengual]

I can recall in which version we changed it but we started using the graphql API from github to check for the users that required Org permissions and I believe that is documented

[jamengual]

we might not have support for nested groups, PRs are welcome.