Add upstream bugfix note on PR merge#761
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a GitHub Actions workflow intended to attach upstream bugfix origin references (as Git notes) to commits when a PR is merged (or via manual dispatch), to help track upstream PR provenance in this repository.
Changes:
- Introduces a new workflow to detect an upstream PR reference from either workflow inputs or the merged PR description.
- Appends a
git notesentry (“Upstream PR: …”) to one or more commits and pushes notes torefs/notes/commits.
Comments suppressed due to low confidence (2)
.github/workflows/add-upstream-bugfix-note.yml:60
- The upstream-link detection regex
github\.com/salt/pull/([0-9]+)is missing the/<repo>/path segment (and doesn’t match the commonsaltstack/saltrepo). This will cause the job to skip adding notes even when the PR description contains a valid upstream PR link. Adjust the regex to match the actual upstream URL patterns you want to support.
BODY="${{ github.event.pull_request.body }}"
if [[ "$BODY" =~ (https://)?github\.com/salt/pull/([0-9]+) ]]; then
URL="${BASH_REMATCH[0]}"
if [[ ! "$URL" =~ ^https:// ]]; then URL="https://$URL"; fi
echo "URL=$URL" >> $GITHUB_ENV
.github/workflows/add-upstream-bugfix-note.yml:71
- The “rebase merge detected” fallback derives SHAs by taking the last
pull_request.commitscommits from the base branch. That’s not guaranteed to correspond to the commits introduced by this PR (it can include unrelated commits if other changes land on the base branch around the same time), so notes may be attached to the wrong commits. Prefer determining the exact merged commit SHAs for the PR (e.g., via the GitHub API/GraphQL for the PR’s commit SHAs or by computing the exact commit range introduced by the merge) rather than usinggit log ... -n COUNTon the base branch tip.
COUNT=${{ github.event.pull_request.commits }}
echo "Rebase merge detected. Using last $COUNT commits from ${{ github.event.pull_request.base.ref }}"
git fetch origin ${{ github.event.pull_request.base.ref }}
COMMITS=$(git log origin/${{ github.event.pull_request.base.ref }} -n "$COUNT" --pretty=format:"%H" | tr '\n' ' ')
echo "COMMITS=$COMMITS" >> $GITHUB_ENV
fi
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
55690bb to
5dea5e3
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
.github/workflows/add-upstream-bugfix-note.yml:124
- Same env-file injection concern here: the PR body content is untrusted input and could include the chosen delimiter string. Prefer a unique delimiter per write and/or validate/sanitize values before appending to
$GITHUB_ENV.
# Use heredoc delimiters to prevent env-file injection
{
echo "URL<<EOF"
echo "$URL"
echo "EOF"
echo "COMMITS<<EOF"
echo "$COMMITS"
echo "EOF"
} >> $GITHUB_ENV
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (2)
.github/workflows/add-upstream-bugfix-note.yml:147
- This second write to
$GITHUB_ENVshould also be quoted (use>> "$GITHUB_ENV") for shell safety/consistency.
DELIMITER="ghadelimiter_${RANDOM}_${RANDOM}_${RANDOM}"
{
echo "URL<<${DELIMITER}"
echo "$URL"
echo "${DELIMITER}"
echo "COMMITS<<${DELIMITER}"
echo "$COMMITS"
echo "${DELIMITER}"
} >> $GITHUB_ENV
.github/workflows/add-upstream-bugfix-note.yml:176
- This
$GITHUB_ENVwrite should be quoted as well (>> "$GITHUB_ENV") to avoid potential word-splitting/globbing issues.
done
echo "NOTES_ADDED=$NOTES_ADDED" >> $GITHUB_ENV
What does this PR do?
Add bug-fix origins to merged PR as Git notes.
What issues does this PR fix or reference?
Fixes: https://github.com/SUSE/spacewalk/issues/30385
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
Commits signed with GPG?
Yes
Please review Salt's Contributing Guide for best practices.
See GitHub's page on GPG signing for more information about signing commits with GPG.