Update sync-issue-labels-compute.yml

[manishdait24-bot]

testpr
fixes #7

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Replaced a two-stage workflow with a single sync job that parses PR bodies for fix/close/resolve ... #<number> references, fetches referenced issues to collect labels, skips bot authors via skip=true, uploads labels.json artifact, and emits labels, has_new_labels, and skip outputs.

Changes

Cohort / File(s)	Summary
Workflow file \.github/workflows/sync-issue-labels-compute.yml	Renamed workflow/job to sync; removed workflow_dispatch inputs and downstream dispatch-add; simplified outputs to labels, has_new_labels, skip; replaced previous multi-output/artifact payload with a labels.json artifact upload and removed cross-workflow dispatch.
Label extraction & aggregation logic \.github/workflows/sync-issue-labels-compute.yml (steps)	Narrowed regex to match only fix/close/resolve ... #<number> patterns; stopped line-splitting/dedup utilities and max-count enforcement; collect labels from fetched issues (skip issue fetch errors), ignore linked PRs, compute newLabels by filtering out labels already on the PR, set has_new_labels accordingly; bot authors set skip=true and return early.
Error handling & control flow \.github/workflows/sync-issue-labels-compute.yml (behavior)	Removed explicit 404/error branching and many prior outputs (dry_run, is_fork_pr, source_event); fetch failures are logged and loop continues; job exits gracefully when no labels.json is produced.

Sequence Diagram

sequenceDiagram
    participant WF as GitHub Workflow
    participant Sync as Sync Job
    participant API as GitHub REST API
    participant Issues as GitHub Issues API

    WF->>Sync: start `sync` job
    Sync->>API: get PR metadata & body
    API-->>Sync: PR author, body, existing PR labels
    Sync->>Sync: if author is bot -> set `skip=true` and exit
    alt not skipped
        Sync->>Sync: parse body for `fix/close/resolve ... #<number>`
        Sync->>API: fetch referenced issue details (loop)
        API-->>Sync: issue labels or error (errors logged, continue)
        Sync->>Sync: accumulate & filter labels -> compute `newLabels`
        alt has_new_labels
            Sync->>Issues: call `issues.addLabels` with `newLabels`
            Issues-->>Sync: labels applied response
        end
        Sync->>Sync: write `labels.json` and upload artifact
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 4

❌ Failed checks (2 warnings, 2 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR claims to fix issue #7 (Scheduled Markdown Link Check Found Broken Links) but the changes only modify a workflow YAML file structure; there is no evidence that broken markdown links were actually fixed.	Clarify whether the PR actually fixes broken links or if it addresses the workflow itself. If the workflow file changes are intended to fix link detection, provide evidence of which links were fixed.
Out of Scope Changes check	⚠️ Warning	The PR modifies sync-issue-labels-compute.yml with substantial refactoring of job structure, outputs, and label aggregation logic, which appears unrelated to fixing broken markdown links as stated in linked issue #7.	Either clarify how the workflow refactoring addresses the broken links issue, or link to a different issue that documents the workflow improvements as in-scope objectives.
Title check	❓ Inconclusive	The title 'Update sync-issue-labels-compute.yml' is too generic and vague—it merely states that a file is being updated without conveying the specific nature or purpose of the changes.	Provide a more descriptive title that summarizes the key change, such as 'Refactor sync-issue-labels workflow to simplify label aggregation and outputs' or similar.
Description check	❓ Inconclusive	The description 'testpr fixes #7' is extremely vague and does not meaningfully describe what changes are being made or why, despite mentioning it fixes a linked issue.	Expand the description to explain what changes were made and how they address the linked issue, even briefly.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 82cb4698-5686-4ce2-bf31-8675ad17f4c7

📥 Commits

Reviewing files that changed from the base of the PR and between d0cb48b and 04232ba.

📒 Files selected for processing (1)

• .github/workflows/sync-issue-labels-compute.yml

[coderabbitai]

♻️ Duplicate comments (4)

.github/workflows/sync-issue-labels-compute.yml (4)

35-35: ⚠️ Potential issue | 🔴 Critical

Third-party actions must be pinned to full commit SHAs.

Per coding guidelines, all third-party actions require immutable SHA pinning. The following still use mutable version tags:

Line	Action	Current
35	step-security/harden-runner	@v2
46	actions/github-script	@v7
109	actions/upload-artifact	@v4
123	actions/github-script	@v7

#!/bin/bash
# Fetch latest commit SHAs for pinning

echo "=== step-security/harden-runner v2 ==="
gh api repos/step-security/harden-runner/git/ref/tags/v2 --jq '.object.sha' 2>/dev/null || echo "Tag not found directly, check releases"

echo "=== actions/github-script v7 ==="
gh api repos/actions/github-script/git/ref/tags/v7 --jq '.object.sha' 2>/dev/null || echo "Tag not found directly, check releases"

echo "=== actions/upload-artifact v4 ==="
gh api repos/actions/upload-artifact/git/ref/tags/v4 --jq '.object.sha' 2>/dev/null || echo "Tag not found directly, check releases"

Also applies to: 46-46, 109-109, 123-123

---

45-45: ⚠️ Potential issue | 🟠 Major

Fork PR detection is hardcoded, breaking safety checks.

IS_FORK_PR is hardcoded to 'false' instead of being derived from PR metadata. This defeats downstream logic that relies on fork detection for security.

Compute fork status from prData inside the script:

const isForkPr = prData.head.repo?.fork === true || 
                 prData.head.repo?.full_name !== prData.base.repo?.full_name;
core.setOutput('is_fork_pr', String(isForkPr));

---

93-105: ⚠️ Potential issue | 🔴 Critical

Command injection via untrusted label names.

The shell script directly interpolates ${{ steps.compute.outputs.labels }} which contains user-controlled issue label names. GitHub expression interpolation happens before shell parsing, so an attacker with label-creation permission could craft malicious label names to execute arbitrary commands.

🔒 Proposed fix using environment variables and jq

      - name: Write labels artifact
        if: steps.compute.outputs.has_labels == 'true'
+       env:
+         LABELS_JSON: ${{ steps.compute.outputs.labels }}
+         PR_NUMBER: ${{ steps.compute.outputs.pr_number }}
+         IS_FORK_PR: ${{ steps.compute.outputs.is_fork_pr }}
+         DRY_RUN: ${{ steps.compute.outputs.dry_run }}
        run: |
-         echo '${{ steps.compute.outputs.labels }}' > labels_only.json
-         echo "{" > labels.json
-         echo "  \"pr_number\": \"${{ steps.compute.outputs.pr_number }}\"," >> labels.json
-         echo "  \"labels\": $(cat labels_only.json)," >> labels.json
-         echo "  \"is_fork_pr\": ${{ steps.compute.outputs.is_fork_pr }}," >> labels.json
-         echo "  \"dry_run\": \"${{ steps.compute.outputs.dry_run }}\"," >> labels.json
-         echo "  \"source_event\": \"workflow_dispatch\"" >> labels.json
-         echo "}" >> labels.json
+         jq -n \
+           --arg pr_number "$PR_NUMBER" \
+           --argjson labels "$LABELS_JSON" \
+           --argjson is_fork_pr "$IS_FORK_PR" \
+           --arg dry_run "$DRY_RUN" \
+           '{pr_number: $pr_number, labels: $labels, is_fork_pr: $is_fork_pr, dry_run: $dry_run, source_event: "workflow_dispatch"}' \
+           > labels.json

---

82-82: 🧹 Nitpick | 🔵 Trivial

Silent error handling hides failure details.

The catch block discards the actual error, making debugging difficult. Log the error message and status code.

-             } catch (e) { console.log(`Error fetching #${num}`); }
+             } catch (e) {
+               const status = e.status || 'unknown';
+               console.log(`Skipping #${num}: ${e.message || e} (status: ${status})`);
+             }

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1a3678f4-f95f-470f-8bbb-549995f9f247

📥 Commits

Reviewing files that changed from the base of the PR and between 04232ba and dbf667f.

📒 Files selected for processing (1)

• .github/workflows/sync-issue-labels-compute.yml

[coderabbitai]

♻️ Duplicate comments (3)

.github/workflows/sync-issue-labels-compute.yml (3)

26-37: ⚠️ Potential issue | 🟠 Major

Skip fork PRs before reaching the write step.

On pull_request runs from forks, GitHub downgrades requested GITHUB_TOKEN write scopes to read-only unless the repository explicitly enables sending write tokens, so this workflow will fail in Apply Labels instead of cleanly skipping external PRs. (docs.github.com)

🛡️ Proposed fix

             const prNumber = context.payload.pull_request.number;
+            const isForkPr =
+              context.payload.pull_request.head.repo.full_name !==
+              context.payload.pull_request.base.repo.full_name;
             console.log(`--- Processing PR #${prNumber} ---`);

+            if (isForkPr) {
+              console.log('Skipping fork PR: label writes are not allowed on pull_request from forks.');
+              core.setOutput('has_new_labels', 'false');
+              core.setOutput('skip', 'true');
+              return;
+            }
+
             const { data: prData } = await github.rest.pulls.get({
               owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber
             });

As per coding guidelines, workflows must behave safely when executed from forks.

---

68-70: ⚠️ Potential issue | 🟠 Major

Don't treat every fetch error as a harmless miss.

A 404 is safe to skip, but 401/403/429/5xx means label discovery failed and this run can still go green with missing labels. Re-throw non-404 errors; if you want best-effort resiliency, actions/github-script also supports built-in retries for transient API failures. (github.com)

🔁 Proposed fix

-              } catch (e) { 
-                console.log(`Error fetching labels for issue #${num}: ${e.message}`); 
+              } catch (e) {
+                if (e.status === 404) {
+                  console.log(`Skipping missing issue #${num}.`);
+                  continue;
+                }
+                throw e;
               }

As per coding guidelines, log key decisions and early exits — avoid silent skips.

---

92-95: ⚠️ Potential issue | 🔴 Critical

Pass labels through env, not ${{ }} inside the script.

actions/github-script evaluates workflow expressions before the JavaScript function body is parsed and explicitly recommends using environment variables instead. Here, label names are untrusted input, so a backtick or ${...} in a label can break this template literal or inject code before JSON.parse runs. (github.com)

🔒 Proposed fix

       - name: Apply Labels
         if: steps.compute.outputs.skip == 'false' && steps.compute.outputs.has_new_labels == 'true'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          LABELS_JSON: ${{ steps.compute.outputs.labels }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            const labels = JSON.parse(`${{ steps.compute.outputs.labels }}`);
+            const labels = JSON.parse(process.env.LABELS_JSON);
             const prNumber = context.payload.pull_request.number;

As per coding guidelines, treat all GitHub event data as potentially untrusted input: issue titles, bodies, comments, labels, usernames, branch names.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 38c8057e-837c-46dc-8786-6eed8b5402bb

📥 Commits

Reviewing files that changed from the base of the PR and between dbf667f and 6ca606c.

📒 Files selected for processing (1)

• .github/workflows/sync-issue-labels-compute.yml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/sync-issue-labels-compute.yml (2)

33-37: ⚠️ Potential issue | 🟠 Major

Skip fork PRs before the workflow reaches the label-write path.

On pull_request, fork-originated runs do not get a token that can mutate PR state. As written, a fork PR with linked issue labels will fall through to Apply Labels and fail the job instead of exiting cleanly.

🔧 Proposed fix

             const prAuthor = prData.user.login;
+            const isForkPr =
+              context.payload.pull_request.head.repo.full_name !==
+              `${context.repo.owner}/${context.repo.repo}`;
+
+            if (isForkPr) {
+              console.log('Skipping fork PR: label sync is read-only on pull_request runs from forks.');
+              core.setOutput('has_new_labels', 'false');
+              core.setOutput('skip', 'true');
+              return;
+            }
+
             if (/\[bot\]$/i.test(prAuthor) || /dependabot/i.test(prAuthor)) {
               console.log(`Skipping bot-authored PR (Author: ${prAuthor})`);
               core.setOutput('skip', 'true');

For GitHub Actions `pull_request` events from forks, are `GITHUB_TOKEN` write permissions downgraded to read-only, and what is the recommended pattern for workflows that would otherwise mutate PR state?

As per coding guidelines, "Workflows must behave safely when executed from forks."

---

93-93: ⚠️ Potential issue | 🔴 Critical

Do not splice untrusted label JSON into the github-script source.

steps.compute.outputs.labels is built from issue label names, so it is untrusted text. Injecting it into a JS template literal means a label containing a backtick or ${...} can break parsing or change what executes.

🔧 Proposed fix

       - name: Apply Labels
         if: steps.compute.outputs.skip == 'false' && steps.compute.outputs.has_new_labels == 'true'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          LABELS_JSON: ${{ steps.compute.outputs.labels }}
         with:
           script: |
-            const labels = JSON.parse(`${{ steps.compute.outputs.labels }}`);
+            const labels = JSON.parse(process.env.LABELS_JSON || '[]');
             const prNumber = context.payload.pull_request.number;

In `actions/github-script`, are `${{ ... }}` expressions rendered before the JavaScript runs, and what is the safe way to pass JSON outputs containing untrusted characters into the script?

As per coding guidelines, "Treat all GitHub event data as potentially untrusted input: issue titles, bodies, comments, labels, usernames, branch names."

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b508778c-8318-42a0-8acd-f5a3b51ff776

📥 Commits

Reviewing files that changed from the base of the PR and between 6ca606c and abfc0f9.

📒 Files selected for processing (1)

• .github/workflows/sync-issue-labels-compute.yml

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (3)

.github/workflows/sync-issue-labels-compute.yml (3)

7-10: ⚠️ Potential issue | 🟠 Major

Reduce this token to the permissions the job actually uses.

This job only reads PR/issue metadata and uploads an artifact. pull-requests: write is broader than needed here, and contents: read appears unused.

What minimum `GITHUB_TOKEN` permissions are required for GitHub REST `pulls.get`, `issues.get`, and `actions/upload-artifact@v4` in GitHub Actions?

As per coding guidelines, "permissions: must be explicitly declared and scoped to the minimum needed. Flag over-permissioned or under-permissioned workflows, and any reliance on broad default permissions."

---

57-70: ⚠️ Potential issue | 🟠 Major

Don't turn GitHub API failures into silent label loss.

The catch block continues on every issues.get error. That means auth, rate-limit, or 5xx failures can be reported as “no labels found,” and the workflow still succeeds with incomplete results. Only swallow expected misses like 404; rethrow the rest.

What HTTP status codes does GitHub REST `GET /repos/{owner}/{repo}/issues/{issue_number}` return for not-found versus permission, rate-limit, and server errors?

🔧 Suggested change

-              } catch (e) { 
-                console.log(`Error fetching labels for issue #${num}: ${e.message}`); 
+              } catch (e) {
+                if (e.status === 404) {
+                  console.log(`Skipping #${num}: issue not found`);
+                  continue;
+                }
+                throw e;
               }

---

102-102: ⚠️ Potential issue | 🔴 Critical

Pin actions/upload-artifact to a full commit SHA.

This step reintroduces a mutable @v4 tag while the other actions in this workflow are SHA-pinned. That regresses the workflow's immutability guarantees.

Does GitHub recommend pinning Actions like `actions/upload-artifact` to full commit SHAs instead of version tags, and what commit SHA currently backs `actions/upload-artifact` v4?

As per coding guidelines, "All third-party actions must be pinned to full commit SHAs, consistent with other workflows in this repository."

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 43ebe537-cc28-4ec9-8978-8dabf0b3f932

📥 Commits

Reviewing files that changed from the base of the PR and between abfc0f9 and 60b11d5.

📒 Files selected for processing (1)

• .github/workflows/sync-issue-labels-compute.yml