GitHub Issue: Automated Quality Control Bypass in auto-pr-merge.yml #113267

@kuramaSeige-OFC

Description

Security/Logic Bypass: Lack of Content Validation in auto-pr-merge.yml

Problem

The auto-pr-merge.yml workflow is designed to automate the merging of single-line additions to Contributors.md. However, the current implementation only validates the quantity of changes (1 line) and does not inspect the content of that line.

This creates a logic bypass where any user can automatically merge:

  • Non-formatted text that breaks the project's list structure.
  • Automated spam or malicious links.
  • Vandalism that bypasses human review.

Proof of Concept (PoC)

I have successfully demonstrated this vulnerability in PR #113266.

  • Action: I submitted a PR adding a line that did not follow the standard `- [Name](Link)` format.
  • Result: The github-actions[bot] automatically squashed and merged the commit 051acdc into main without any maintainer intervention.

Goal

The goal is to harden the automated contribution pipeline. By adding a content validation step, we can ensure that every auto-merged PR strictly adheres to the repository's formatting standards, protecting the project from spam while keeping the "first contribution" experience smooth for valid users.

Possible Solutions

The most effective fix is to introduce a Regex (Regular Expression) validation step in the GitHub Action. The workflow should extract the specific line added and verify it matches the required Markdown pattern before proceeding to the merge step.

Required Pattern: `^- \[.*\]\(https?://.*\)$`

Suggested Validation Script (Bash):

```bash
# Extract the added line from the diff (hunk additions only; the "+++ b/..."
# file header is dropped). With the Actions default of `bash -eo pipefail`,
# a PR that adds nothing fails this step, which is the desired outcome.
ADDED_CONTENT=$(git diff HEAD^ HEAD -U0 | grep '^+' | grep -v '^+++' | sed 's/^+//')

# Validate against the required format. Both ends are anchored so that
# trailing text after the link is rejected, matching the pattern above.
if [[ "$ADDED_CONTENT" =~ ^-[[:space:]]\[.*\]\(https?://.*\)$ ]]; then
  echo "content_valid=true" >> "$GITHUB_ENV"
else
  echo "content_valid=false" >> "$GITHUB_ENV"
  echo "::error::Invalid format. Please use: - [Name](Link)"
  exit 1
fi
```
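A stricter version of the same gate, as an added example that is neither the repository's workflow nor the script from this issue: it assumes the workflow step has already produced a unified diff of the PR (for example with `git diff -U0` between the base and head commits, the way the snippet uses `HEAD^ HEAD`) and passes that text to `validate_diff`. Beyond the single-line regex check, it also refuses diffs that touch any file other than Contributors.md, that remove or edit existing lines, or that add more than one line, since each of those is a way an unattended merge could change more than a contributor entry. The function names and the sample diffs are constructed for the example; it is written in POSIX sh so it runs under the Actions default shell as well as bash.

```shell
#!/bin/sh
# Added example, not the repository's workflow or the issue author's script.
# Assumes the caller supplies the PR's unified diff as a string, e.g. the
# output of `git diff -U0 "$BASE_SHA" "$HEAD_SHA"` in an earlier step.

# Required line format from the issue: "- [Name](Link)" with an http(s) URL.
# Anchored at both ends so trailing text or a second link is rejected.
CONTRIB_PATTERN='^- \[[^]]+\]\(https?://[^)[:space:]]+\)$'

# validate_line LINE: succeeds only if LINE matches CONTRIB_PATTERN.
validate_line() {
  printf '%s\n' "$1" | grep -Eq "$CONTRIB_PATTERN"
}

# changed_files DIFF: the paths named in "+++" file headers, one per line.
changed_files() {
  printf '%s\n' "$1" | sed -nE 's#^\+\+\+ (b/)?##p' | sort -u
}

# count_added DIFF / count_removed DIFF: hunk lines only, file headers skipped.
count_added() {
  printf '%s\n' "$1" | awk '/^\+/ && !/^\+\+\+/ { n++ } END { print n + 0 }'
}
count_removed() {
  printf '%s\n' "$1" | awk '/^-/ && !/^---/ { n++ } END { print n + 0 }'
}

# validate_diff DIFF: the full gate to run before the merge step. Returns 1
# with a GitHub Actions error annotation unless the diff touches only
# Contributors.md, removes nothing, adds exactly one line, and that line is a
# well-formed contributor entry. On success records content_valid=true in
# GITHUB_ENV (stdout when run outside Actions).
validate_diff() {
  diff_text="$1"
  files=$(changed_files "$diff_text")
  if [ "$files" != "Contributors.md" ]; then
    echo "::error::Auto-merge only allows changes to Contributors.md (got: ${files:-none})"
    return 1
  fi
  if [ "$(count_removed "$diff_text")" -ne 0 ]; then
    echo "::error::Auto-merge does not allow removed or edited lines"
    return 1
  fi
  if [ "$(count_added "$diff_text")" -ne 1 ]; then
    echo "::error::Exactly one added line is expected"
    return 1
  fi
  line=$(printf '%s\n' "$diff_text" | sed -n -e '/^+++/d' -e 's/^+//p')
  if ! validate_line "$line"; then
    echo "::error::Invalid format. Please use: - [Name](Link)"
    return 1
  fi
  echo "content_valid=true" >> "${GITHUB_ENV:-/dev/stdout}"
  return 0
}

# Constructed sample diffs (not taken from the repository).
GOOD_DIFF='diff --git a/Contributors.md b/Contributors.md
--- a/Contributors.md
+++ b/Contributors.md
@@ -42,0 +43 @@
+- [Example Contributor](https://github.com/example-contributor)'

# Same shape as the PoC in the issue: one line, but not in the required format.
BAD_FORMAT_DIFF='diff --git a/Contributors.md b/Contributors.md
--- a/Contributors.md
+++ b/Contributors.md
@@ -42,0 +43 @@
+hello world, merge me'

# A well-formed line, but in a file the bot must never merge unattended.
WRONG_FILE_DIFF='diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,0 +2 @@
+- [Example Contributor](https://example.invalid/)'

# Stand-alone demo: prints accepted / rejected / rejected.
for sample in "$GOOD_DIFF" "$BAD_FORMAT_DIFF" "$WRONG_FILE_DIFF"; do
  if validate_diff "$sample" >/dev/null; then echo "accepted"; else echo "rejected"; fi
done
```

In a workflow, the step that runs this would capture `git diff -U0` of the PR into a variable and call `validate_diff` on it before the merge step, so that the merge only proceeds when `content_valid=true` was written. Keeping the file, line-count and format checks in one function means a PR that passes the regex but sneaks in a second file or a deletion is still held for human review.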
