
fix: workflow removed user access #272

Open
niazkhansap wants to merge 1 commit into main from fix/workflow-removed-user

niazkhansap (Contributor) commented Apr 27, 2026

Summary by CodeRabbit

Release Notes

  • New Features
    • Workflows now enforce real-time group membership validation when listing and transitioning workflows
    • Users automatically lose access to workflows if removed from required approval groups
    • Enhanced security with dynamic access control based on current IAM group status

coderabbitai Bot commented Apr 27, 2026

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: edc8c532-e8ff-4ef2-b128-324d09c53b50

📥 Commits

Reviewing files that changed from the base of the PR and between bb125ed and c25882b.

📒 Files selected for processing (2)
  • internal/manager/workflow.go
  • internal/manager/workflow_test.go

Walkthrough

The PR introduces group-membership revalidation for workflow approvers at two points: (1) workflow listing filters results based on the caller's current IAM group membership, and (2) workflow transitions block certain actions if the user is no longer in an approver group. A new error ErrWorkflowUserRemovedFromGroup is exported to indicate membership loss. Helper functions extract current IAM groups from context, decode workflow approver group IDs, and validate membership. Tests verify that users removed from approver groups cannot list or transition workflows, while confirming positive cases where membership is maintained.


push-tags-from-workflow Bot added the bug (Something isn't working) and tests labels Apr 27, 2026
niazkhansap force-pushed the fix/workflow-removed-user branch from 6697af4 to c2d6a0c April 27, 2026 16:51
niazkhansap force-pushed the fix/workflow-removed-user branch from c2d6a0c to c25882b April 28, 2026 17:31
niazkhansap marked this pull request as ready for review April 28, 2026 17:37
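
The revalidation described in the walkthrough above, as an added Go example that is not code from this PR: both the list path and the transition path consult the caller's current groups on every call, and a request with no group information is denied. Only `ErrWorkflowUserRemovedFromGroup` is named on the page; `Workflow`, `WithGroups`, `authorize`, `ListWorkflows`, `Transition` and the group names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Error name is from the PR walkthrough; every other identifier is assumed.
var ErrWorkflowUserRemovedFromGroup = errors.New("user removed from approver group")

type groupsKey struct{} // context key for the caller's current IAM groups

type Workflow struct{ ID string; ApproverGroups map[string]bool } // hypothetical record

// WithGroups attaches the group membership resolved for this request.
func WithGroups(ctx context.Context, groups ...string) context.Context {
	return context.WithValue(ctx, groupsKey{}, groups)
}

// authorize fails closed: a context without groups matches no workflow.
func authorize(ctx context.Context, wf Workflow) error {
	current, _ := ctx.Value(groupsKey{}).([]string)
	for _, g := range current {
		if wf.ApproverGroups[g] {
			return nil
		}
	}
	return fmt.Errorf("workflow %s: %w", wf.ID, ErrWorkflowUserRemovedFromGroup)
}

// ListWorkflows hides workflows the caller can no longer approve.
func ListWorkflows(ctx context.Context, all []Workflow) (out []Workflow) {
	for _, wf := range all {
		if authorize(ctx, wf) == nil {
			out = append(out, wf)
		}
	}
	return out
}

// Transition re-checks membership at action time, before any state change.
func Transition(ctx context.Context, wf Workflow, action string) error {
	return authorize(ctx, wf) // a real handler would apply action on nil
}

func main() { // constructed case: caller was removed from "key-admins"
	wf := Workflow{"wf-1", map[string]bool{"key-admins": true}}
	fmt.Println(Transition(WithGroups(context.Background(), "auditors"), wf, "approve"))
}
```

Wrapping the sentinel with `%w` lets callers match it with `errors.Is` while the message still names the workflow.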
niazkhansap (Contributor, Author)

@coderabbitai summary

coderabbitai Bot commented Apr 28, 2026

✅ Actions performed

Summary regeneration triggered.
