feat: add Discord notification workflow for PR and Issue events (#106)

masami-agent · Masami · web-flow · commit 10ce0f917be1 · 2026-05-05T16:18:30.000-04:00
* feat: add Discord notification workflow for PR and Issue events

* fix(ci): prevent script injection in notify-discord workflow

Move all ${{ }} expressions to env: block to prevent script injection
via user-controlled inputs (PR/issue titles). Use jq for safe JSON
construction to handle special characters in titles.

* fix(ci): address review nits — add reopened trigger, webhook guard, curl error check

* fix(ci): differentiate reopened action types and sync docs

- Use EVENT_ACTION to produce pr_reopened/issue_reopened (not just pr_opened)
- Update docs/github-webhook-integration.md to match workflow changes:
  - issues trigger now includes reopened
  - Workflow example updated with secure env: pattern
  - Document supported event_type values

---------

Co-authored-by: Masami &lt;masami@agent&gt;
Co-authored-by: Masami &lt;masami-agent@users.noreply.github.com&gt;
diff --git a/.github/workflows/notify-discord.yml b/.github/workflows/notify-discord.yml
@@ -0,0 +1,52 @@
+name: Notify Discord
+
+on:
+  pull_request:
+    types: [opened, reopened]
+  issues:
+    types: [opened, reopened]
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send to Discord
+        env:
+          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          EVENT_NAME: ${{ github.event_name }}
+          EVENT_ACTION: ${{ github.event.action }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          [ -z "$DISCORD_WEBHOOK_URL" ] && { echo "::warning::DISCORD_WEBHOOK_URL not set"; exit 0; }
+
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            TITLE="$PR_TITLE"
+            URL="$PR_URL"
+            AUTHOR="$PR_AUTHOR"
+            NUM="$PR_NUMBER"
+            TYPE="pr_${EVENT_ACTION}"
+            LABEL="PR #${NUM}"
+          else
+            TITLE="$ISSUE_TITLE"
+            URL="$ISSUE_URL"
+            AUTHOR="$ISSUE_AUTHOR"
+            NUM="$ISSUE_NUMBER"
+            TYPE="issue_${EVENT_ACTION}"
+            LABEL="Issue #${NUM}"
+          fi
+
+          PAYLOAD=$(jq -n \
+            --arg content "[GH-EVENT] repo:${REPO} action:${TYPE} ${LABEL}
+**${TITLE}**
+by ${AUTHOR}
+${URL}" \
+            '{"content": $content}')
+          curl --fail-with-body -s -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
diff --git a/docs/github-webhook-integration.md b/docs/github-webhook-integration.md
@@ -46,7 +46,7 @@ on:
   pull_request:
     types: [opened, reopened]
   issues:
-    types: [opened]
+    types: [opened, reopened]
 
 jobs:
   notify:
@@ -55,27 +55,43 @@ jobs:
       - name: Send to Discord
         env:
           DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+          EVENT_NAME: ${{ github.event_name }}
+          EVENT_ACTION: ${{ github.event.action }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
         run: |
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            TITLE="${{ github.event.pull_request.title }}"
-            URL="${{ github.event.pull_request.html_url }}"
-            AUTHOR="${{ github.event.pull_request.user.login }}"
-            NUM="${{ github.event.pull_request.number }}"
-            TYPE="pr_opened"
+          [ -z "$DISCORD_WEBHOOK_URL" ] && { echo "::warning::DISCORD_WEBHOOK_URL not set"; exit 0; }
+
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            TITLE="$PR_TITLE"
+            URL="$PR_URL"
+            AUTHOR="$PR_AUTHOR"
+            NUM="$PR_NUMBER"
+            TYPE="pr_${EVENT_ACTION}"
             LABEL="PR #${NUM}"
           else
-            TITLE="${{ github.event.issue.title }}"
-            URL="${{ github.event.issue.html_url }}"
-            AUTHOR="${{ github.event.issue.user.login }}"
-            NUM="${{ github.event.issue.number }}"
-            TYPE="issue_opened"
+            TITLE="$ISSUE_TITLE"
+            URL="$ISSUE_URL"
+            AUTHOR="$ISSUE_AUTHOR"
+            NUM="$ISSUE_NUMBER"
+            TYPE="issue_${EVENT_ACTION}"
             LABEL="Issue #${NUM}"
           fi
 
-          MSG="[GH-EVENT] repo:${{ github.repository }} action:${TYPE} ${LABEL}"
-          MSG="${MSG}\n**${TITLE}**\nby ${AUTHOR}\n${URL}"
-          PAYLOAD=$(printf '%s' "$MSG" | jq -Rs '{content: .}')
-          curl -s -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
+          PAYLOAD=$(jq -n \
+            --arg content "[GH-EVENT] repo:${REPO} action:${TYPE} ${LABEL}
+**${TITLE}**
+by ${AUTHOR}
+${URL}" \
+            '{"content": $content}')
+          curl --fail-with-body -s -H "Content-Type: application/json" -d "$PAYLOAD" "$DISCORD_WEBHOOK_URL"
 ```
 
 ## Message Format Convention
@@ -89,6 +105,8 @@ by {author}
 {url}
 ```
 
+Supported `event_type` values: `pr_opened`, `pr_reopened`, `issue_opened`, `issue_reopened`
+
 Example:
 ```
 [GH-EVENT] repo:openabdev/openab action:pr_opened PR #42
