The PR-to-issue linking gate (.github/workflows/issue_open-pr.yml → issue_comp_link-issue-to-pr.yml) has three bugs that let PRs slip through unchecked or stay broken after a fix:
Shell injection in the Debug step. inputs.pr_body / inputs.pr_title were template-interpolated by GitHub Actions directly into the Debug workflow inputs bash script. PRs whose body contained backticks, $var(...), or unbalanced parens (observed with $markdownTool.blockToMarkdown(json) in PR #35728, feat(tiptap): convert Story Block content to Markdown (#35727)) caused a bash syntax error → the whole job exited with code 2 → Add failure comment to PR was skipped (its if: requires failure_detected=true, which never got set) → no PR-visible signal.
Missed markdown-linked refs. The body-keyword regex (close[ds]?|fix(e[ds])?|resolve[ds]?)(:)?\s+#([0-9]+) requires a literal # immediately after the keyword and misses GitHub's other valid form fixes [#123](url) (observed with fixes [#35183](url) in PR #35242, feat(dotAI): Dot AI LangChain4J - Amazon Bedrock).
Stale-on-open. The workflow only triggered on pull_request: [opened], so editing the PR body or pushing new commits never re-evaluated the gate. A once-broken PR stayed broken even after the author fixed the link.
Acceptance Criteria
PR body / title values containing bash metacharacters do not crash the workflow.
Markdown-linked refs like fixes [#123](url) are recognized as a valid issue link (via closingIssuesReferences GraphQL fallback).
The gate re-evaluates on edited, synchronize, and reopened — not just opened.
The ❌ Issue Linking Required comment is not duplicated on subsequent re-runs of the same PR.
Fork-sourced PRs are skipped (read-only token would 403 on PATCH/POST/DELETE).
GraphQL fallback failures surface via ::warning:: instead of being silently swallowed.
Additional Context
Fix tracked in PR #35761. Quick draft — created primarily as a tracking link for that PR.
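The first two bugs can be reproduced locally with the script below. It is an added example, not the project's workflow code: the `echo` line is a hypothetical stand-in for the Debug step, and the sample body is constructed around the snippet the issue quotes.

```bash
#!/usr/bin/env bash
# Constructed sample body containing the snippet the issue quotes from PR #35728.
PR_BODY_SAMPLE='Uses $markdownTool.blockToMarkdown(json) to convert blocks'

# Unsafe pattern: emulate ${{ inputs.pr_body }} interpolation, where the PR body
# is pasted into the script text before bash parses it. The echo line is a
# hypothetical stand-in for the Debug step, not the project's script.
run_interpolated() {
  local script="echo PR body: $1"
  bash -c "$script" >/dev/null 2>&1
}

# Safe pattern: the script text is constant and the body arrives as data in an
# environment variable (in a workflow: map it under env: and quote "$PR_BODY").
run_via_env() {
  PR_BODY="$1" bash -c 'printf "%s\n" "$PR_BODY"'
}

# Body-keyword regex as quoted in the issue (\s written as [[:space:]] for ERE).
LINK_RE='(close[ds]?|fix(e[ds])?|resolve[ds]?)(:)?[[:space:]]+#([0-9]+)'

# Returns 0 when the regex alone finds "<keyword> #<n>" in the given text.
regex_finds_ref() {
  printf '%s\n' "$1" | grep -Eq "$LINK_RE"
}

# Report both behaviours for the sample inputs.
demo() {
  local rc=0
  run_interpolated "$PR_BODY_SAMPLE" || rc=$?
  echo "interpolated: exit $rc"
  echo "via env:      $(run_via_env "$PR_BODY_SAMPLE")"
  for ref in 'fixes #123' 'fixes [#123](url)'; do
    if regex_finds_ref "$ref"; then echo "regex match: $ref"
    else echo "regex miss:  $ref"; fi
  done
}
demo
```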