Reject malformed issue reference suffixes #240
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Tightens GitHub PR-body parsing so malformed issue references (e.g., #3abc or /issues/3abc) no longer link to a bounty, and adds regression tests to ensure such cases return missing_issue.
Changes:
- Add a webhook test covering malformed shorthand and URL issue reference suffixes.
- Update issue-reference regexes to require a non-word-ish terminator after the numeric issue id.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/test_webhooks.py | Adds a regression test ensuring malformed issue references do not trigger bounty payouts and are recorded as missing_issue. |
| app/webhooks/github.py | Tightens regex matching for linked issues / issue URLs to reject trailing alphanumeric/_/- suffixes after the issue number. |
| LINKED_ISSUE_RE = re.compile( | ||
| r"\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?|refs?|references?|bounty)\s+" | ||
| r"(?:(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)#(?P<repo_number>\d+)|#(?P<number>\d+))", | ||
| r"(?:(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)#(?P<repo_number>\d+)(?![A-Za-z0-9_-])|#(?P<number>\d+)(?![A-Za-z0-9_-]))", | ||
| re.IGNORECASE, | ||
| ) | ||
| GITHUB_ISSUE_URL_RE = re.compile( | ||
| r"https://github\.com/(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)/issues/(?P<number>\d+)", | ||
| r"https://github\.com/(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)/issues/(?P<number>\d+)(?![A-Za-z0-9_-])", | ||
| re.IGNORECASE, | ||
| ) |
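Review bot: the new lookahead `(?![A-Za-z0-9_-])` is only safe because digits are in the excluded class; if `0-9` were ever dropped from it, backtracking would let `\d+` shorten `#123abc` to a match on `#12`, which is exactly the truncation this change is meant to stop. Since the same class now appears three times (shorthand, repo-qualified and URL forms), hoisting it into one named constant with a comment explaining why `0-9` must stay would keep the three sites from drifting apart. Note also that `.` is deliberately absent from the class, so a sentence-final reference like `Closes #3.` still links; that intent is worth stating in the same comment.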
| ("delivery-pr-malformed-shorthand-issue-ref", "Closes #3abc"), | ||
| ( | ||
| "delivery-pr-malformed-url-issue-ref", | ||
| "Implements https://github.com/ramimbo/mergework/issues/3abc", | ||
| ), |
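Review bot: the two new cases only exercise an alphabetic suffix (`3abc`), while the lookahead also rejects `_` and `-`; adding `#3_abc` and `#3-abc` plus their `/issues/3_abc` and `/issues/3-abc` URL forms would cover the whole excluded class. A positive control such as `Closes #3.` or `Closes #3,` in the same parametrization would guard against the boundary later being tightened so far that ordinary sentence-final references stop linking.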
b5c8822 to 84f18f0
Addressed the automated review notes in the latest commit:
CI is passing again on the updated head.
Review for bounty #219: no blockers from my pass on PR #240. Evidence checked:
No secrets, wallet material, payout details, private deployment values, private vulnerability details, or MRWK price claims were reviewed or disclosed.
ayskobtw-lil left a comment
No blockers from my review.
Evidence checked:
- Inspected `app/webhooks/github.py`; the new `ISSUE_NUMBER_BOUNDARY` is applied to shorthand `#<number>`, repo-qualified `<owner>/<repo>#<number>`, and full GitHub issue URLs, preventing suffixes like letters, `_`, or `-` from being truncated into a valid bounty issue number.
- Traced `_linked_issue_numbers()` and confirmed cross-repo filtering and duplicate suppression are unchanged after the regex boundary update.
- Reviewed `tests/test_webhooks.py`; the new regression covers malformed shorthand and full URL suffixes for `abc`, `_abc`, and `-abc`, while existing tests still cover accepted valid shorthand, repo-qualified, and full GitHub issue URL references.
Validation run on current head 8cf0848:
- `python -m pytest tests/test_webhooks.py::test_accepted_pr_label_rejects_malformed_issue_reference_suffixes tests/test_webhooks.py::test_accepted_pr_label_pays_pr_author_for_linked_bounty_issue tests/test_webhooks.py::test_accepted_pr_label_pays_repo_qualified_multi_award_issue tests/test_webhooks.py::test_accepted_pr_label_pays_full_github_issue_url_reference -q` -> `4 passed`
- `python -m ruff check app/webhooks/github.py tests/test_webhooks.py` -> `All checks passed!`
- `git diff --check origin/main...HEAD` -> clean
/claim #228
Bounty: #228
Summary
`#3abc` and `https://github.com/ramimbo/mergework/issues/3abc`.
Repro before fix
An accepted PR label payload with a PR body such as `Closes #3abc` or `https://github.com/ramimbo/mergework/issues/3abc` could be parsed as issue `#3`, which could pay the wrong bounty issue.
Validation
- `uv run --python 3.12 --extra dev python -m pytest tests/test_webhooks.py -q`
- `uv run --python 3.12 --extra dev python -m pytest -q`
- `uv run --python 3.12 --extra dev ruff check app/webhooks/github.py tests/test_webhooks.py`
- `uv run --python 3.12 --extra dev ruff format --check app/webhooks/github.py tests/test_webhooks.py`
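The truncation described in the repro above, run side by side with the tightened patterns, as an added example that is not part of this PR or the project's code: the regexes are assembled from the before/after lines in the diff, while the `linked_issues` helper, `before_fix`/`after_fix` and the sample PR bodies are constructed for illustration.

```python
from __future__ import annotations
import re

# KEYWORDS, REPO and the pattern pairs are assembled from the "before"/"after"
# regexes in the diff on this page; the helper, before_fix/after_fix and the
# sample PR bodies are constructed for this example, not the project's code.
KEYWORDS = r"\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?|refs?|references?|bounty)\s+"
REPO = r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+"
END = r"(?![A-Za-z0-9_-])"  # boundary the PR adds after the issue number
LINKED_OLD = re.compile(KEYWORDS + rf"(?:(?P<repo>{REPO})#(?P<repo_number>\d+)|#(?P<number>\d+))", re.I)
LINKED_NEW = re.compile(KEYWORDS + rf"(?:(?P<repo>{REPO})#(?P<repo_number>\d+){END}|#(?P<number>\d+){END})", re.I)
URL_OLD = re.compile(rf"https://github\.com/(?P<repo>{REPO})/issues/(?P<number>\d+)", re.I)
URL_NEW = re.compile(rf"https://github\.com/(?P<repo>{REPO})/issues/(?P<number>\d+){END}", re.I)


def linked_issues(body: str, linked_re: re.Pattern, url_re: re.Pattern) -> list[tuple[str | None, int]]:
    """Return (repo, number) pairs a PR body references, in order, deduplicated.

    repo is None for shorthand '#N'. Cross-repo filtering is left out here.
    """
    found = []
    for m in linked_re.finditer(body):
        ref = (m["repo"], int(m["repo_number"])) if m["repo"] else (None, int(m["number"]))
        if ref not in found:
            found.append(ref)
    for m in url_re.finditer(body):
        ref = (m["repo"], int(m["number"]))
        if ref not in found:
            found.append(ref)
    return found


def before_fix(body: str) -> list[tuple[str | None, int]]:
    return linked_issues(body, LINKED_OLD, URL_OLD)


def after_fix(body: str) -> list[tuple[str | None, int]]:
    return linked_issues(body, LINKED_NEW, URL_NEW)


# Constructed sample PR bodies.
MALFORMED = "Closes #3abc and implements https://github.com/ramimbo/mergework/issues/3abc"
VALID = "Closes #3. Also fixes ramimbo/mergework#7, see https://github.com/ramimbo/mergework/issues/9#issuecomment-1"
if __name__ == "__main__":
    print(before_fix(MALFORMED))  # [(None, 3), ('ramimbo/mergework', 3)]: '#3abc' truncated to 3
    print(after_fix(MALFORMED))  # []
    # Digits sit in the lookahead class, so backtracking cannot rescue '#12' from '#123abc'.
    print(after_fix("Fixes #123abc"))  # []
    print(after_fix(VALID))  # [(None, 3), ('ramimbo/mergework', 7), ('ramimbo/mergework', 9)]
```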