
test #2272

Closed

seanconroy2021 wants to merge 1 commit into konflux-ci:development from seanconroy2021:auto-pr

Conversation

@seanconroy2021 (Member)

Signed-off-by: Sean Conroy <sconroy@redhat.com>

Describe your changes

Relevant Jira

Checklist before requesting a review

  • I have marked as draft or added do not merge label if there's a dependency PR
    • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
  • My commit message includes Signed-off-by: My name <email>
  • I read CONTRIBUTING.MD and commit formatting
  • I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh
  • If an AI agent was used, I marked that via a commit footer like Assisted-By: Cursor

@qodo-code-review (qodo-code-review Bot, Contributor) commented Jun 5, 2026

PR Reviewer Guide 🔍

(Review updated until commit 1cd91b5)

Warning

/review is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Supply chain risk:
the workflow now uses an action reference seanconroy2021/release-service-automations/pr-assigner@auto-pr (mutable ref) while passing sensitive secrets (e.g., secrets.PR_ASSIGNER_PAT_TOKEN, secrets.PR_ASSIGNER_SLACK_WEBHOOK, secrets.PTO_CALENDAR_URL). If that ref changes or is compromised, secrets could be exfiltrated. Pin to a specific commit SHA (and ideally a trusted org/repo) to reduce risk.

⚡ Recommended focus areas for review

Workflow Trigger

Changing the trigger from pull_request_target to pull_request impacts permission/secrets availability (especially for PRs from forks). Validate that this workflow still receives the required secrets and has the intended security posture and behavior for external contributors.

on:
  pull_request:
    types: [opened, ready_for_review, unassigned]

Action Pinning

The action is referenced by a mutable ref rather than a pinned commit SHA. This increases supply-chain risk and can make builds non-reproducible; consider pinning to a specific commit digest and documenting update cadence.

- name: Assign reviewers using shared action
  uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
  with:
    event-type: ${{ github.event.action }}
    pr-number: ${{ github.event.pull_request.number }}
    removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
    github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
    slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
    pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

📄 References
  1. konflux-ci/release-service-catalog/tasks/managed/embargo-check/tests/test-embargo-check-jira-conversion.yaml [6-29]
  2. konflux-ci/release-service-catalog/tasks/managed/populate-release-notes/tests/test-populate-release-notes-cross-image-cve-dedup.yaml [220-244]
  3. konflux-ci/release-service-catalog/tasks/managed/populate-release-notes/tests/test-populate-release-notes-bulk-cves.yaml [180-206]
  4. konflux-ci/release-service-catalog/integration-tests/release-to-github-idempotent/resources/managed/sa.yaml [1-2]
  5. konflux-ci/release-service-catalog/pipelines/managed/rh-advisories/rh-advisories.yaml [645-650]
  6. konflux-ci/release-service-catalog/integration-tests/collectors/resources/tenant/rp.yaml [11-27]
  7. konflux-ci/release-service-catalog/integration-tests/rh-advisories-large-snapshot/resources/managed/rpa.yaml [19-43]
  8. konflux-ci/release-service-catalog/integration-tests/rh-advisories-large-snapshot/resources/managed/rpa.yaml [71-82]
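A check for the pinning point raised in this review, added here as an example and not code from the konflux-ci repository or from the bot: it scans a workflow's `uses:` references and reports any that are not a full 40-hex commit SHA or that point outside a trusted owner set. The sample workflow text is constructed from the lines quoted in this thread; the `Finding` type, the regexes and the `trusted_owners` parameter are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# A full 40-hex-digit commit SHA. Branch names, tags and short SHAs are mutable or ambiguous.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` line in a workflow or composite action; group 1 is the reference.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#.*)?$""")


@dataclass
class Finding:
    line: int
    ref: str
    problem: str


def check_uses_refs(workflow_text: str, trusted_owners: Set[str]) -> List[Finding]:
    """Return a Finding for every `uses:` reference that is not pinned to a full commit
    SHA or that resolves through an owner outside trusted_owners.

    Local actions (./path) and docker:// images are skipped here: they are not fetched
    through a mutable git ref (image digests deserve their own check)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no @ref at all"))
            continue
        repo_path, version = ref.rsplit("@", 1)
        owner = repo_path.split("/", 1)[0]
        if owner not in trusted_owners:
            findings.append(Finding(lineno, ref, f"owner '{owner}' is not trusted"))
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, ref, f"ref '{version}' is not a full commit SHA"))
    return findings


# Constructed sample modelled on the workflow lines quoted in this PR (not the repo's file).
WORKFLOW_BEFORE = """\
on:
  pull_request_target:
    types: [opened, ready_for_review, unassigned]
jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
        with:
          github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
"""

# The same step after the change under review: a fork owner and a branch name as the ref.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main",
    "seanconroy2021/release-service-automations/pr-assigner@auto-pr",
)

# Owners whose actions this repository is willing to run with its secrets (assumed set).
TRUSTED = {"konflux-ci"}

if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        findings = check_uses_refs(text, TRUSTED)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: {f.ref}: {f.problem}")
```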

@qodo-app-for-konflux-ci

PR Reviewer Guide 🔍

Warning

/review is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 Security concerns

Supply chain risk:
.github/workflows/pr-assigner.yaml switches from a pinned commit SHA to seanconroy2021/release-service-automations/pr-assigner@auto-pr (a mutable ref). GitHub Actions best practice is to pin to a commit SHA to reduce the risk of malicious or unexpected updates being pulled into CI.

⚡ Recommended focus areas for review

Robustness

YAML parsing and field extraction assume specific shapes (e.g., params entries always have name/value, step entries always have name). Malformed or unexpected YAML could raise KeyError/TypeError instead of producing a clean validation error.

def extract_rpa_fields(rpa: dict) -> Tuple[str, str, List[dict]]:
    """Extract the revision, pipeline path, and taskRunSpecs from an RPA.

    Args:
        rpa: Parsed RPA document.

    Returns:
        Tuple of (revision, pathInRepo, taskRunSpecs list).
    """
    pipeline = rpa.get("spec", {}).get("pipeline", {})
    ref_params = pipeline.get("pipelineRef", {}).get("params", [])
    params = {p["name"]: p["value"] for p in ref_params}

    revision = params.get("revision", "")
    path_in_repo = params.get("pathInRepo", "")
    task_run_specs = pipeline.get("taskRunSpecs", [])

    return revision, path_in_repo, task_run_specs

📚 Focus areas based on broader codebase context

Supply Chain

The workflow now references the pr-assigner action via a mutable ref (@auto-pr) rather than a pinned commit SHA. This makes PR behavior non-reproducible and increases the risk of unintended changes or compromised upstream code being pulled into CI. Consider pinning the action to an immutable commit digest and updating via controlled bumps. (Ref 3, Ref 5)

uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
  event-type: ${{ github.event.action }}
  pr-number: ${{ github.event.pull_request.number }}
  removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
  github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
  slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
  pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

Reference reasoning: Existing YAML in the repo consistently pins externally-fetched artifacts (e.g., test step images) to immutable @sha256: digests, which provides reproducibility and reduces supply-chain risk. Applying the same immutability principle to GitHub Actions by pinning uses: to a commit SHA aligns with that established pattern.

📄 References
  1. konflux-ci/release-service-catalog/tasks/managed/populate-release-notes/tests/test-populate-release-notes-cross-image-cve-dedup.yaml [220-244]
  2. konflux-ci/release-service-catalog/tasks/managed/populate-release-notes/tests/test-populate-release-notes-bulk-cves.yaml [180-206]
  3. konflux-ci/release-service-catalog/tasks/managed/embargo-check/tests/test-embargo-check-non-vuln-rh-issue.yaml [48-73]
  4. konflux-ci/release-service-catalog/tasks/managed/embargo-check/tests/test-embargo-check-nonexistent-rh-issue.yaml [50-75]
  5. konflux-ci/release-service-catalog/tasks/managed/close-advisory-issues/tests/test-close-advisory-issues.yaml [48-73]
  6. konflux-ci/release-service-catalog/tasks/managed/embargo-check/tests/test-embargo-check-jira-conversion.yaml [6-29]
  7. konflux-ci/release-service-catalog/tasks/managed/embargo-check/tests/test-embargo-check-jira-conversion.yaml [153-172]
  8. konflux-ci/release-service-catalog/tasks/managed/set-advisory-severity/tests/test-set-advisory-severity-not-rhsa.yaml [50-74]
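A hardened version of the extraction the Robustness note above describes, added here as an example rather than the script's own code: it applies the null fallbacks that the `or`-style suggestions later in this thread propose, and additionally reports every shape error as one RpaValidationError carrying the offending path, rejects non-string revision/pathInRepo values, and detects both `${` and Tekton-style `$(` template references. Input is the dict `yaml.safe_load` would return; the sample RPA documents, the `_mapping`/`_sequence` helpers and `validation_message` are constructed for this example.

```python
from typing import Any, Dict, List, Tuple


class RpaValidationError(ValueError):
    """Malformed RPA shape, reported with the path of the offending field."""


def _mapping(value: Any, where: str) -> Dict[str, Any]:
    # A key left empty in YAML (`params:` with nothing after it) loads as None, not {}.
    if value is None:
        return {}
    if not isinstance(value, dict):
        raise RpaValidationError(f"{where}: expected a mapping, got {type(value).__name__}")
    return value


def _sequence(value: Any, where: str) -> List[Any]:
    if value is None:
        return []
    if not isinstance(value, list):
        raise RpaValidationError(f"{where}: expected a list, got {type(value).__name__}")
    return value


def _params_to_dict(entries: List[Any], where: str) -> Dict[str, Any]:
    """Turn Tekton-style [{name, value}, ...] into a dict, rejecting incomplete entries."""
    result: Dict[str, Any] = {}
    for i, entry in enumerate(entries):
        entry = _mapping(entry, f"{where}[{i}]")
        if "name" not in entry or "value" not in entry:
            raise RpaValidationError(f"{where}[{i}]: a param needs both 'name' and 'value'")
        result[str(entry["name"])] = entry["value"]
    return result


def extract_rpa_fields(rpa: Any) -> Tuple[str, str, List[dict]]:
    """Same contract as the script's extract_rpa_fields, but every shape error becomes
    an RpaValidationError instead of a KeyError/TypeError traceback."""
    spec = _mapping(_mapping(rpa, "document").get("spec"), "spec")
    pipeline = _mapping(spec.get("pipeline"), "spec.pipeline")
    ref_where = "spec.pipeline.pipelineRef"
    pipeline_ref = _mapping(pipeline.get("pipelineRef"), ref_where)
    entries = _sequence(pipeline_ref.get("params"), ref_where + ".params")
    params = _params_to_dict(entries, ref_where + ".params")
    revision = params.get("revision", "")
    path_in_repo = params.get("pathInRepo", "")
    for label, value in (("revision", revision), ("pathInRepo", path_in_repo)):
        # YAML happily loads `value: 1` as an int; a later `"${" in value` would then blow up.
        if not isinstance(value, str):
            raise RpaValidationError(
                f"{ref_where}.params.{label}: expected a string, got {type(value).__name__}"
            )
    task_run_specs = _sequence(pipeline.get("taskRunSpecs"), "spec.pipeline.taskRunSpecs")
    return revision, path_in_repo, task_run_specs


def has_template_vars(*values: str) -> bool:
    """True if any value still carries an unexpanded ${...} or Tekton-style $(...) reference."""
    return any(token in value for value in values for token in ("${", "$("))


def validation_message(rpa: Any) -> str:
    """'' when the RPA extracts cleanly, otherwise the validation error text."""
    try:
        extract_rpa_fields(rpa)
        return ""
    except RpaValidationError as exc:
        return str(exc)


# Constructed samples: the dicts yaml.safe_load would produce for four small RPA documents.
RPA_OK = {"spec": {"pipeline": {
    "pipelineRef": {"params": [
        {"name": "revision", "value": "main"},
        {"name": "pathInRepo", "value": "pipelines/managed/rh-advisories/rh-advisories.yaml"},
    ]},
    "taskRunSpecs": [{"pipelineTaskName": "embargo-check"}],
}}}
RPA_NULL_PARAMS = {"spec": {"pipeline": {"pipelineRef": {"params": None}, "taskRunSpecs": None}}}
RPA_INT_REVISION = {"spec": {"pipeline": {"pipelineRef": {"params": [{"name": "revision", "value": 1}]}}}}
RPA_BAD_ENTRY = {"spec": {"pipeline": {"pipelineRef": {"params": [{"name": "revision"}]}}}}
```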

@qodo-code-review (Contributor)

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment on lines 16 to +17
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
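
Review bot: the replacement `uses:` line loses both the commit pin and the `# main` comment that recorded which branch the pinned SHA tracked, so the file no longer says which revision of pr-assigner runs with `PR_ASSIGNER_PAT_TOKEN`. If the fork branch is only a test vehicle, keep the original `uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main` line commented out so it can be restored, and pin the fork to a full commit SHA with the same `# <branch>` annotation.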


Suggestion: Pin the GitHub Action to a specific commit SHA instead of a mutable branch. [security, importance: 8]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<COMMIT_SHA>

@qodo-app-for-konflux-ci

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment on lines 16 to +17
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr


Suggestion: Pin the GitHub Action to an immutable commit SHA instead of a movable branch like @auto-pr. [security, importance: 9]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<COMMIT_SHA>

@qodo-code-review (Contributor)

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.


High-level Suggestion

Restore the original canonical GitHub Action reference and its secure commit SHA. [High-level, importance: 9]

Solution Walkthrough:

Before:

jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
        with:
          event-type: ${{ github.event.action }}

After:

jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    steps:
      - name: Assign reviewers using shared action
        uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8
        with:
          event-type: ${{ github.event.action }}

Comment thread scripts/validate-taskrunspecs.py Outdated
Comment on lines +210 to +232
def extract_pipeline_tasks(pipeline_yaml: str) -> Dict[str, str]:
"""Parse a pipeline definition and return a map of task name to pathInRepo.

Args:
pipeline_yaml: Raw YAML content of the pipeline file.

Returns:
Dict mapping each pipeline task name to its pathInRepo value.
Tasks without a pathInRepo get an empty string.
"""
doc = yaml.safe_load(pipeline_yaml)
tasks: Dict[str, str] = {}
task_blocks = doc.get("spec", {}).get("tasks", [])
finally_blocks = doc.get("spec", {}).get("finally", [])

for block in task_blocks + finally_blocks:
name = block.get("name", "")
ref = block.get("taskRef", {})
if not isinstance(ref, dict):
tasks[name] = ""
continue

params = {p["name"]: p["value"] for p in ref.get("params", [])}
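
Review bot: `name = block.get("name", "")` files every nameless task block under the key "", so a second nameless block silently overwrites the first and a malformed pipeline comes out of this function as a single empty-named task; raise a validation error (or log and skip) when `name` is missing. In the same loop, `{p["name"]: p["value"] for p in ref.get("params", [])}` raises KeyError on a param entry without `value`, which surfaces as a traceback rather than a validation message.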


Suggestion: Suggest using `or` fallbacks when parsing YAML dictionaries to prevent errors from null values. [possible issue, importance: 7]

Suggested change
def extract_pipeline_tasks(pipeline_yaml: str) -> Dict[str, str]:
"""Parse a pipeline definition and return a map of task name to pathInRepo.
Args:
pipeline_yaml: Raw YAML content of the pipeline file.
Returns:
Dict mapping each pipeline task name to its pathInRepo value.
Tasks without a pathInRepo get an empty string.
"""
doc = yaml.safe_load(pipeline_yaml)
tasks: Dict[str, str] = {}
task_blocks = doc.get("spec", {}).get("tasks", [])
finally_blocks = doc.get("spec", {}).get("finally", [])
for block in task_blocks + finally_blocks:
name = block.get("name", "")
ref = block.get("taskRef", {})
if not isinstance(ref, dict):
tasks[name] = ""
continue
params = {p["name"]: p["value"] for p in ref.get("params", [])}
def extract_pipeline_tasks(pipeline_yaml: str) -> Dict[str, str]:
"""Parse a pipeline definition and return a map of task name to pathInRepo.
...
"""
doc = yaml.safe_load(pipeline_yaml) or {}
tasks: Dict[str, str] = {}
spec = doc.get("spec") or {}
task_blocks = spec.get("tasks") or []
finally_blocks = spec.get("finally") or []
for block in task_blocks + finally_blocks:
name = block.get("name", "")
ref = block.get("taskRef") or {}
if not isinstance(ref, dict):
tasks[name] = ""
continue
params = {p["name"]: p["value"] for p in (ref.get("params") or [])}

Comment thread scripts/validate-taskrunspecs.py Outdated
Comment on lines +91 to +106
def extract_rpa_fields(rpa: dict) -> Tuple[str, str, List[dict]]:
"""Extract the revision, pipeline path, and taskRunSpecs from an RPA.

Args:
rpa: Parsed RPA document.

Returns:
Tuple of (revision, pathInRepo, taskRunSpecs list).
"""
pipeline = rpa.get("spec", {}).get("pipeline", {})
ref_params = pipeline.get("pipelineRef", {}).get("params", [])
params = {p["name"]: p["value"] for p in ref_params}

revision = params.get("revision", "")
path_in_repo = params.get("pathInRepo", "")
task_run_specs = pipeline.get("taskRunSpecs", [])
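
Review bot: the annotated return type is `Tuple[str, str, List[dict]]`, but `params.get("revision", "")` hands back whatever the YAML loader produced (an int for `value: 1`, a bool for `value: yes`), and the caller's later `"${" in revision` test will raise TypeError on a non-string. Check `isinstance(value, str)` for both `revision` and `pathInRepo` here and fail with a clear message.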


Suggestion: Recommend boolean `or` evaluations to safely handle null mappings in YAML and avoid exceptions. [possible issue, importance: 7]

Suggested change
def extract_rpa_fields(rpa: dict) -> Tuple[str, str, List[dict]]:
"""Extract the revision, pipeline path, and taskRunSpecs from an RPA.
Args:
rpa: Parsed RPA document.
Returns:
Tuple of (revision, pathInRepo, taskRunSpecs list).
"""
pipeline = rpa.get("spec", {}).get("pipeline", {})
ref_params = pipeline.get("pipelineRef", {}).get("params", [])
params = {p["name"]: p["value"] for p in ref_params}
revision = params.get("revision", "")
path_in_repo = params.get("pathInRepo", "")
task_run_specs = pipeline.get("taskRunSpecs", [])
def extract_rpa_fields(rpa: dict) -> Tuple[str, str, List[dict]]:
"""Extract the revision, pipeline path, and taskRunSpecs from an RPA.
...
"""
spec = rpa.get("spec") or {}
pipeline = spec.get("pipeline") or {}
pipeline_ref = pipeline.get("pipelineRef") or {}
ref_params = pipeline_ref.get("params") or []
params = {p["name"]: p["value"] for p in ref_params}
revision = params.get("revision", "")
path_in_repo = params.get("pathInRepo", "")
task_run_specs = pipeline.get("taskRunSpecs") or []

Comment thread scripts/validate-taskrunspecs.py Outdated
LOGGER.error("Could not extract revision or pathInRepo from the RPA")
return 1

has_template_vars = "${" in revision or "${" in pipeline_path


Suggestion: Suggest expanding template variable detection to include the $() pattern. [possible issue, importance: 6]

Suggested change
has_template_vars = "${" in revision or "${" in pipeline_path
has_template_vars = any(token in revision for token in ("${", "$(")) \
or any(token in pipeline_path for token in ("${", "$("))

Comment thread scripts/validate-taskrunspecs.py Outdated
else:
LOGGER.info(f"Validation passed: {warnings} warning(s)")

return 1 if errors else 0


Suggestion: Recommend removing the temporary clone_dir before successful script exit to avoid leaking directories. [general, importance: 4]

Suggested change
return 1 if errors else 0
code = 1 if errors else 0
if clone_dir and not local:
shutil.rmtree(clone_dir, ignore_errors=True)
return code

Comment on lines 16 to +24
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}


Suggestion: Add an in-file comment explaining why the action source was changed and what the new PTO_CALENDAR_URL secret is expected to contain/affect, to avoid surprising CI behavior and configuration drift. [organization best practice, importance: 6]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}
- name: Assign reviewers using shared action
# NOTE: This workflow uses a custom PR assigner action fork; update rationale/owner here if changed.
# Requires `PTO_CALENDAR_URL` secret (calendar feed used to avoid assigning reviewers who are OOO).
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

@qodo-app-for-konflux-ci

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment on lines 16 to 18
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:


Suggestion: Revert the GitHub Action to use the official repository and a specific commit SHA. [security, importance: 9]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
with:

Comment thread scripts/validate-taskrunspecs.py Outdated
Comment on lines +286 to +291
clone_dir = None
if not local:
LOGGER.info(f"Cloning {repo_url} at {revision}")
clone_dir = clone_repo(repo_url, revision)

pipeline_content = resolve_file(pipeline_path, revision, local, clone_dir)


Suggestion: Use atexit to ensure the temporary clone directory is reliably cleaned up. [possible issue, importance: 6]

Suggested change
clone_dir = None
if not local:
LOGGER.info(f"Cloning {repo_url} at {revision}")
clone_dir = clone_repo(repo_url, revision)
pipeline_content = resolve_file(pipeline_path, revision, local, clone_dir)
import atexit
clone_dir = None
if not local:
LOGGER.info(f"Cloning {repo_url} at {revision}")
clone_dir = clone_repo(repo_url, revision)
atexit.register(shutil.rmtree, clone_dir, ignore_errors=True)
pipeline_content = resolve_file(pipeline_path, revision, local, clone_dir)

Comment thread scripts/validate-taskrunspecs.py Outdated
Comment on lines +220 to +223
doc = yaml.safe_load(pipeline_yaml)
tasks: Dict[str, str] = {}
task_blocks = doc.get("spec", {}).get("tasks", [])
finally_blocks = doc.get("spec", {}).get("finally", [])


Suggestion: Add fallback values to prevent crashes when parsing empty or null YAML documents. [general, importance: 8]

Suggested change
doc = yaml.safe_load(pipeline_yaml)
tasks: Dict[str, str] = {}
task_blocks = doc.get("spec", {}).get("tasks", [])
finally_blocks = doc.get("spec", {}).get("finally", [])
doc = yaml.safe_load(pipeline_yaml) or {}
tasks: Dict[str, str] = {}
task_blocks = (doc.get("spec") or {}).get("tasks") or []
finally_blocks = (doc.get("spec") or {}).get("finally") or []

Comment thread scripts/validate-taskrunspecs.py Outdated
LOGGER.error("Could not extract revision or pathInRepo from the RPA")
return 1

has_template_vars = "${" in revision or "${" in pipeline_path


Suggestion: Expand template variable detection to include Tekton-style $() expressions. [possible issue, importance: 4]

Suggested change
has_template_vars = "${" in revision or "${" in pipeline_path
has_template_vars = any(token in revision for token in ("${", "$(")) \
or any(token in pipeline_path for token in ("${", "$("))

Signed-off-by: Sean Conroy <sconroy@redhat.com>
@qodo-code-review (Contributor)

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment on lines 4 to 6
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
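
Review bot: moving from `pull_request_target` to `pull_request` means that for pull requests opened from forks the `secrets.*` values passed to the assigner step (`PR_ASSIGNER_PAT_TOKEN`, `PR_ASSIGNER_SLACK_WEBHOOK`, `PTO_CALENDAR_URL`) are not available, so the action will fail precisely for the external contributors it is meant to serve. Since this job only invokes the assigner action and never checks out or executes the PR head, `pull_request_target` combined with the action pinned to a commit SHA under the trusted org keeps the secrets available without running untrusted code; if `pull_request` stays, the step needs an explicit no-op when `github-token` is empty.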


Suggestion: Revert to pull_request_target to ensure the workflow can access secrets for external contributor PRs. [possible issue, importance: 9]

Suggested change
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
on:
pull_request_target:
types: [opened, ready_for_review, unassigned]
...
jobs:
assign-reviewers:
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

Comment on lines 16 to +17
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr


Suggestion: Pin the GitHub Action to a specific commit SHA instead of a mutable branch reference. [security, importance: 7]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<PINNED_COMMIT_SHA>

@qodo-app-for-konflux-ci

PR Code Suggestions ✨

Warning

/improve is deprecated. Use /agentic_review instead (removal date not yet scheduled).

Inline suggestions were posted as code suggestions.

Comment on lines 4 to 6
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]


Suggestion: Revert the trigger to pull_request_target and add a job-level guard to limit execution to same-repo branches. [possible issue, importance: 3]

Suggested change
on:
pull_request_target:
pull_request:
types: [opened, ready_for_review, unassigned]
on:
pull_request_target:
types: [opened, ready_for_review, unassigned]
...
jobs:
assign-reviewers:
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
runs-on: ubuntu-latest
steps:
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
with:
event-type: ${{ github.event.action }}
pr-number: ${{ github.event.pull_request.number }}
removed-assignee: ${{ github.event.action == 'unassigned' && github.event.assignee.login || '' }}
github-token: ${{ secrets.PR_ASSIGNER_PAT_TOKEN }}
slack-webhook: ${{ secrets.PR_ASSIGNER_SLACK_WEBHOOK }}
pto-calendar-url: ${{ secrets.PTO_CALENDAR_URL }}

Comment on lines 16 to +17
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr


Suggestion: Pin the GitHub Action to a specific commit SHA instead of using a mutable branch reference. [security, importance: 5]

Suggested change
- name: Assign reviewers using shared action
uses: konflux-ci/release-service-automations/pr-assigner@5da461efb1b29e523d01989ee09758e85099bda8 # main
uses: seanconroy2021/release-service-automations/pr-assigner@auto-pr
- name: Assign reviewers using shared action
uses: seanconroy2021/release-service-automations/pr-assigner@<PINNED_COMMIT_SHA>

@seanconroy2021 (Member, Author)

Going to test a different way

seanconroy2021 deleted the auto-pr branch June 16, 2026 07:48