WorkoutGen Vulnerability Disclosure Program #100
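---
# Turns a "[Program]:" issue (or one carrying the program-submission label) into
# a PR that adds the entry to independent-programs.yml, then reports back on the
# issue with a single, updatable status comment.
name: 🆕 Add program entry

# `on` is a YAML 1.1 boolean key; GitHub's loader accepts it (yamllint: truthy).
on:
  issues:
    types: [opened, edited, labeled]

jobs:
  process:
    # Fire on: an edit of a submission issue; the program-submission label being
    # applied; or a freshly opened "[Program]:" issue. The label/opened paths stop
    # once submission-processed is set; edits deliberately re-run (re-trigger).
    if: |
      (
        github.event.action == 'edited'
        && (
          startsWith(github.event.issue.title, '[Program]:')
          || contains(github.event.issue.labels.*.name, 'program-submission')
        )
      )
      || (
        !contains(github.event.issue.labels.*.name, 'submission-processed')
        && (
          (github.event.action == 'labeled' && github.event.label.name == 'program-submission')
          || (
            github.event.action == 'opened'
            && startsWith(github.event.issue.title, '[Program]:')
            && !contains(github.event.issue.labels.*.name, 'program-submission')
          )
        )
      )
    runs-on: ubuntu-latest
    # Serialise writers of independent-programs.yml. NOTE: GitHub keeps at most
    # one pending run per concurrency group, so a burst of submissions can cancel
    # a queued run, which then gets neither a PR nor a status comment.
    concurrency:
      group: program-data-mutation
      cancel-in-progress: false
    # Scopes for the job's GITHUB_TOKEN. Every step below authenticates with
    # secrets.BOT_TOKEN instead (presumably so the pushed branch/PR triggers other
    # workflows), so these scopes are currently unused and could be narrowed.
    permissions:
      issues: write
      pull-requests: write
      contents: write
    steps:
      # Actions are pinned by major tag; pinning to a commit SHA would make the
      # supply chain auditable.
      - name: Checkout
        uses: actions/checkout@v5
        with:
          token: ${{ secrets.BOT_TOKEN }}
      - name: Setup Python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: pip install -r lib/requirements.txt
      # Issue content (attacker-controllable for a public repo) is handed to the
      # script via env, never interpolated into the `run:` line, so it stays data.
      # The step is expected to set the outputs used below: valid, branch,
      # company, pr_body, error_message.
      - name: Process submission
        id: process
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
        run: python lib/process-submission.py
      - name: Create PR
        if: steps.process.outputs.valid == 'true'
        env:
          GH_TOKEN: ${{ secrets.BOT_TOKEN }}
          BRANCH: ${{ steps.process.outputs.branch }}
          COMPANY: ${{ steps.process.outputs.company }}
          PR_BODY: ${{ steps.process.outputs.pr_body }}
          AUTHOR_LOGIN: ${{ github.event.issue.user.login }}
        run: |
          # Resolve author info (so they get contributor credit), fallback to ghost
          AUTHOR_LOGIN="${AUTHOR_LOGIN:-ghost}"
          AUTHOR_API=$(gh api "/users/${AUTHOR_LOGIN}" 2>/dev/null || echo '{}')
          AUTHOR_NAME=$(echo "$AUTHOR_API" | jq -r '.name // empty')
          # Strip angle brackets so a profile name cannot break the "Name <email>" form
          AUTHOR_NAME="${AUTHOR_NAME//[<>]/}"
          AUTHOR_NAME="${AUTHOR_NAME:-$AUTHOR_LOGIN}"
          AUTHOR_EMAIL=$(echo "$AUTHOR_API" | jq -r '.email // empty')
          if [ -z "$AUTHOR_EMAIL" ]; then
            AUTHOR_ID=$(echo "$AUTHOR_API" | jq -r '.id // empty')
            if [ -n "$AUTHOR_ID" ]; then
              AUTHOR_EMAIL="${AUTHOR_ID}+${AUTHOR_LOGIN}@users.noreply.github.com"
            else
              AUTHOR_EMAIL="${AUTHOR_LOGIN}@users.noreply.github.com"
            fi
          fi
          # Bot is committer (and co-author trailer); issue opener is author
          git config user.name "Liss-Bot"
          git config user.email "alicia-gh-bot@mail.as93.net"
          # BRANCH is produced by the processing script from issue content; the
          # force-push below relies on the script confining it to a dedicated
          # submission prefix -- confirm in lib/process-submission.py.
          git checkout -b "$BRANCH"
          git add independent-programs.yml
          # Exits non-zero (and the job stops before the status comment) if the
          # script left the file unchanged, e.g. the entry is already on main.
          git commit \
            --author="$AUTHOR_NAME <$AUTHOR_EMAIL>" \
            -m "$(printf 'Add program: %s\n\nCo-Authored-By: Liss-Bot <alicia-gh-bot@mail.as93.net>' "$COMPANY")"
          git push -u origin "$BRANCH" --force
          # Create PR, or update the existing one if re-triggered
          if gh pr view "$BRANCH" --json number -q .number >/dev/null 2>&1; then
            gh pr edit "$BRANCH" --title "Add program: $COMPANY" --body "$PR_BODY"
          else
            gh pr create --head "$BRANCH" --base main --title "Add program: $COMPANY" --body "$PR_BODY"
          fi
      - name: Upsert status comment
        if: steps.process.outputs.valid == 'true' || steps.process.outputs.valid == 'false'
        env:
          GH_TOKEN: ${{ secrets.BOT_TOKEN }}
          REPO: ${{ github.repository }}
          ISSUE: ${{ github.event.issue.number }}
          BRANCH: ${{ steps.process.outputs.branch }}
          AUTHOR_LOGIN: ${{ github.event.issue.user.login }}
          VALID: ${{ steps.process.outputs.valid }}
          ERROR_MESSAGE: ${{ steps.process.outputs.error_message }}
        run: |
          # Heredoc bodies are rendered as markdown in the comment. ERROR_MESSAGE is
          # whatever the script emitted; if it echoes issue text, that text lands
          # in the comment verbatim -- keep the script's messages free of it.
          if [ "$VALID" = "true" ]; then
            PR_URL=$(gh pr view "$BRANCH" --json url -q .url)
            BODY=$(cat <<EOF
          Hey @${AUTHOR_LOGIN}, thank you for your submission!
          I've created a PR at ${PR_URL} to get this merged in 😊
          <!-- liss-bot-submission -->
          EOF
          )
          else
            BODY=$(cat <<EOF
          Hey @${AUTHOR_LOGIN} - thanks for your submission!
          It looks like there were some validation errors in the content you entered.
          ${ERROR_MESSAGE}
          Either edit the issue to fix the errors and retry, or wait for a maintainer to take a look.
          <!-- liss-bot-submission -->
          EOF
          )
          fi
          # Find the bot's previous status comment (by marker) so re-triggers update
          # it instead of stacking comments. The comments endpoint is paged (30 per
          # page by default), so walk every page and keep the newest match; a
          # first-page-only lookup misses the marker on busy issues and duplicates.
          EXISTING=$(gh api --paginate "/repos/${REPO}/issues/${ISSUE}/comments?per_page=100" \
            --jq '.[] | select(.user.login == "Liss-Bot" and (.body | contains("<!-- liss-bot-submission -->"))) | .id' \
            | tail -n 1)
          if [ -n "$EXISTING" ]; then
            gh api -X PATCH "/repos/${REPO}/issues/comments/${EXISTING}" -f body="$BODY" > /dev/null
          else
            gh issue comment "$ISSUE" --repo "$REPO" --body "$BODY"
          fi
      - name: Mark as processed
        if: steps.process.outputs.valid == 'true'
        env:
          GH_TOKEN: ${{ secrets.BOT_TOKEN }}
          REPO: ${{ github.repository }}
          ISSUE: ${{ github.event.issue.number }}
          LABEL_DESC: Bot has parsed this submission and opened a PR
        run: |
          # The label usually already exists; creation failing is not an error here
          gh label create submission-processed --color 0E8A16 --description "$LABEL_DESC" 2>/dev/null || true
          gh issue edit "$ISSUE" --repo "$REPO" --add-label submission-processed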