Set up application labelling and commenting #924
Conversation
jodyheavener
added
the
2024-program-updates
jodyheavener
force-pushed
the
jh/application-label-comment
branch
2 times, most recently
from
fda14fb to
8aa1341
Compare
There was a problem hiding this comment.
Overall, I love the structure of this. I have one idiomatic suggestion. I don't think that the response messages fit with our tone. I've tried to link to the 1Password Style Guide or the base Apple Style Guide upon which ours is built. My intent here is to make it sound like we're all writing in one voice. Feel free to disagree. Ping me when you want me to take another look!
script/reviewer.go
Outdated
| func (r *Reviewer) createComment(status Status) { | ||
| title := "" | ||
| body := "" | ||
| details := fmt.Sprintf("<details>\n<summary>Application data...</summary>\n\n```json\n%s\n```\n</details>", r.application.GetData()) |
There was a problem hiding this comment.
On a second look here... you're making a GitHub comment using untrusted input from our users. What's to prevent them from adding their own HTML or XSS attacks here? Which user is making these comments and could be hijacked? I don't think that GitHub supports slash commands like GitLab (where they could force your bot to /approve the issue), but am I missing something there?
There was a problem hiding this comment.
GitHub has extremely strict markdown sanitization rules (otherwise any Issue/PR/Readme could XSS you). GH doesn't directly support any slash commands that perform actions, however, if we implemented chat/slash commands with GH Actions down the road, yes this could be a problem.
There was a problem hiding this comment.
Great callout! By and large json.MarshalIndent, used by the GetData method, escapes <, >, & and produces valid JSON, reducing the chances of breaking out of the printed JSON.
That said, I've hardened this even further by parsing all input data as Markdown into HTML, then retrieving only the text content of the HTML. This will help:
- Protect us against Markdown syntax being used to break out of the JSON. After all, the JSON is itself being printed inside of a Markdown code block in the issue comment, so a user might have tried to use three backticks to end the code block.
- Protect consumers of this data down the road are better protected if they directly render one of the JSON values (like the project description).
Which user is making these comments and could be hijacked?
We are employing a bot account to make these comments. A PAT for that account is stored as a secret on this repository and passed to the script when the workflow is invoked. Absent this PAT the script will bail.
I don't think that GitHub supports slash commands like GitLab (where they could force your bot to /approve the issue), but am I missing something there?
On the approval side, the workflow to approve and commit the data to the repository is only invoked when the status: approved label is added to the issue, and labels can only be added by a collaborator on the repository. Only AgileBits employees can be collaborators on the repository.
script/reviewer.go
Outdated
| if status == Invalid && r.application.IsValid() { | ||
| if err := r.gitHub.RemoveIssueLabel(LabelStatusInvalid); err != nil { | ||
| r.printErrorAndExit( | ||
| fmt.Errorf("could not remove issue label '%s': %s", LabelStatusInvalid, err.Error()), | ||
| ) | ||
| } | ||
| } |
There was a problem hiding this comment.
Any reason to not move this block to line 93 where it is also inside the if r.application.IsValid() block?
script/reviewer.go
Outdated
| // TODO: replace FILE_NAME with Application.FileName once available | ||
| dataPath := fmt.Sprintf("https://github.com/1Password/1password-teams-open-source/blob/main/data/%s", "FILE_NAME") |
There was a problem hiding this comment.
Is this TODO for this PR or for the future?
There was a problem hiding this comment.
Future, once #925 is merged
There was a problem hiding this comment.
Update: that PR was merged so I've updated!
script/reviewer.go
Outdated
| } | ||
| } else { | ||
| title = "### ❌ Your application is invalid" | ||
| body = fmt.Sprintf("\n\n%s\n\nOur automated pre-checks have detected the following issues:\n\n%s", details, r.application.RenderProblems()) |
There was a problem hiding this comment.
Perhaps some sort of "Please fix these problems by updating the PR" language would be helpful
There was a problem hiding this comment.
Nice one. Updated to add:
Update this issue to correct these problems and we’ll automatically re-evaluate your application.
…issue, based on issue status and validity
…using custom Status type
tatus/validity check when creating comment
…h to application file
jodyheavener
force-pushed
the
jh/application-label-comment
branch
from
87b528d to
26f627a
Compare
/dev/web/developer.1password.com/-/issues/1065Summary
We are working on improvements to the 1Password for Open Source program. This PR continues from #918 and sets up application labelling and commenting from the bot account based on the application's status and validity.
What's changed?
The main change here is setting up what our "bot" account does in response to an issue. Now, when an application issue is opened or updated, we do the following:
Additionally the following was changed:
Testing
There are no new unit/integration tests just yet (but there will be), but there are several updates to the manual testing flow to help debug and validate the application processor, like the last issue. Here's how to use it:
This command will print the application input it received and the parsed data.
Example output
In addition to this information this will output the automated bot comment's message, as well as any labels being added or removed.
The following test issues are available:
valid-projectThis is a valid application for a project. It will result in the
status: reviewinglabel being added, and a helpful comment about what's next.Bot comment
✅ Your application is valid
Application data...
{ "account": "testdb.1password.com", "project": { "name": "TestDB", "description": "TestDB is a free and open source, community-based forum software project.", "contributors": 1, "home_url": "https://github.com/wendyappleed/test-db", "repo_url": "https://github.com/wendyappleed/test-db", "license_type": "MIT", "license_url": "https://github.com/wendyappleed/test-db/blob/main/LICENSE.md", "is_event": false, "is_team": false }, "applicant": { "name": "Wendy Appleseed", "email": "[email protected]", "role": "Core Maintainer", "id": 38230737 }, "can_contact": true, "issue_number": 6, "created_at": "2023-07-12T19:49:35Z" }Thanks for applying! Next step: our team will review your application and may have follow-up questions. You can still make changes to your application and we'll process it again.
The
valid-teamandvalid-eventtest issues will have a similar output.valid-project-reviewingThis is a valid application, where the application was previously valid. This will not result in any label changes.
Bot comment
👍 Application still valid
Application data...
{ "account": "testdb.1password.com", "project": { "name": "TestDB", "description": "TestDB is a free and open source, community-based forum software project.", "contributors": 1, "home_url": "https://github.com/wendyappleed/test-db", "repo_url": "https://github.com/wendyappleed/test-db", "license_type": "MIT", "license_url": "https://github.com/wendyappleed/test-db/blob/main/LICENSE.md", "is_event": false, "is_team": false }, "applicant": { "name": "Wendy Appleseed", "email": "[email protected]", "role": "Core Maintainer", "id": 38230737 }, "can_contact": true, "issue_number": 6, "created_at": "2023-07-12T19:49:35Z" }We've processed your updated application and everything still looks good.
valid-project-closedThis is a valid application for a project, but the issue for the application is already closed and therefor cannot be modified in any way - processing aborted. This will not result in any label changes.
Bot comment
Oops! This application is closed can no longer be processed. If this is an error, please reach out to [email protected].
valid-project-approvedThis is a valid application for a project, but it was already approved and therefor cannot be modified in any way - processing aborted. This will not result in any label changes.
Bot comment
Oops! This application has been updated but has already been approved and can no longer be processed. If this is an error, please reach out to [email protected].
invalid-examples-1This is an application that contains validation errors. It will result in the
status: invalidlabel being added, and a comment that contains the errors that need to be addressed.Bot comment
❌ Your application needs some work
Application data...
{ "account": "foo", "project": { "name": "TestDB 🎁", "description": "TestDB is a free and open source, community-based forum software project.", "contributors": 0, "home_url": "@wendyappleed", "repo_url": "https://github.com/wendyappleed/test-db", "license_type": "MIT", "license_url": "https://github.com/wendyappleed/test-db/blob/main/LICENSE.md", "is_event": false, "is_team": false }, "applicant": { "name": "Wendy Appleseed", "email": "[email protected]", "role": "Lead Dev", "id": 38230737 }, "can_contact": true, "issue_number": 6, "created_at": "2023-07-12T19:49:35Z" }The following issues need to be addressed:
The
invalid-empty-bodyandinvalid-no-responsestest issues will have a similar output.