Skip to content

fix: validate ADDON Jira ticket in PR title#511

Open
mkolasinski-splunk wants to merge 6 commits into
developfrom
feat/validate-addon-jira-ticket-in-pr-title
Open

fix: validate ADDON Jira ticket in PR title#511
mkolasinski-splunk wants to merge 6 commits into
developfrom
feat/validate-addon-jira-ticket-in-pr-title

Conversation

@mkolasinski-splunk

@mkolasinski-splunk mkolasinski-splunk commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds a step to the validate-pr-title job that enforces ADDON-XXXXX (5–6 digit Jira ticket number) in the PR title, failing with a clear ::error:: annotation if missing (runs after the existing semantic PR title check).
  • Adds a new comment-on-jira job: on push to main/develop, scans commit messages for ADDON-XXXXX references and posts a comment on each referenced ticket linking back to the commit (and originating PR, if found), worded to match the existing GitLab→Jira integration convention ({author} mentioned this issue in a commit of {repo} on branch {branch}:).
  • Auth via ATLASSIAN_EMAIL/ATLASSIAN_TOKEN secrets (hardcoded https://splunk.atlassian.net base URL), matching the naming convention already used by addonfactory-docs-on-github-integration; posts via raw Jira REST API v3 + ADF body rather than atlassian/gajira-comment (which has a known RCE, CVE-2020-14189).
  • Never fails the workflow: a failed Jira API call only logs a ::warning::.

Test plan

  • Open a PR without ADDON-XXXXX in the title → job fails with the error message
  • Open a PR with ADDON-12345 or ADDON-123456 in the title → job passes
  • Verify existing semantic PR title validation still works
  • Live end-to-end verification against splunk/test-addonfactory-repo (sandbox repo, temporarily pointed at this branch, reverted to v5.4 after each round), commenting on real ticket ADDON-88759:
    • pull_request event → comment-on-jira correctly skipped (job only fires on push)
    • Push directly to main, no originating PR → comment posted with commit link only, no "via PR" clause (run)
    • Push to main via squash-merged PR → comment posted with commit link and correct PR link (run, PR #374)
    • Push with a mix of a ticket-referencing and a non-referencing commit → only the referencing commit produced a comment (dedup/skip logic confirmed) (run)
    • Bug found and fixed during testing: initial run 403'd on the PR lookup (job only had contents: read) and leaked the raw error JSON into the comment's link href (run, see resulting malformed comment) — fixed by adding pull-requests: read and guarding the gh api failure path (1c8ba82)
    • Final wording verified live: "mkolasinski-splunk mentioned this issue in a commit of splunk/test-addonfactory-repo on branch main:" (run)

🤖 Generated with Claude Code

Add a step to the validate-pr-title job that checks for ADDON-XXXXX
(5-6 digit number) in the PR title, failing with a clear error message
if missing.

Co-Authored-By: Claude <noreply@anthropic.com>
@mkolasinski-splunk mkolasinski-splunk requested a review from a team as a code owner July 3, 2026 10:32

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0d982f008d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

GITHUB_TOKEN: ${{ github.token }}
- name: Validate ADDON Jira ticket in PR title
run: |
PR_TITLE="${{ github.event.pull_request.title }}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Avoid evaluating PR titles in the shell

In pull_request runs the PR title is user-controlled, and interpolating it directly into the run script lets bash evaluate title contents after GitHub splices the expression in. A semantic title like feat: $(curl attacker) ADDON-12345 becomes PR_TITLE="feat: $(curl attacker) ADDON-12345", so the command substitution executes on the runner before the validation check. Pass the title through env: or another non-evaluated channel instead of embedding it in the script text.

Useful? React with 👍 / 👎.

- name: Validate ADDON Jira ticket in PR title
run: |
PR_TITLE="${{ github.event.pull_request.title }}"
if [[ ! "$PR_TITLE" =~ ADDON-[0-9]{5,6} ]]; then

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Bound the Jira ticket regex to reject longer IDs

Because the bash regex is unanchored, titles containing a longer number still pass by matching the first 5 or 6 digits; for example feat: ADDON-1234567 satisfies ADDON-[0-9]{5,6} via the ADDON-123456 prefix. If the gate is meant to require exactly a 5–6 digit ADDON ticket, add a non-digit/end boundary after the number.

Useful? React with 👍 / 👎.

@mkolasinski-splunk mkolasinski-splunk changed the title feat: validate ADDON Jira ticket in PR title fix: validate ADDON Jira ticket in PR title Jul 6, 2026
- Pass the PR title through env: instead of interpolating it into the
  run: script text, so a crafted title can't trigger command
  substitution on the runner.
- Anchor the ticket regex so a longer digit run (e.g. ADDON-1234567)
  no longer satisfies the check via its 5-6 digit prefix.
Adds a comment-on-jira job that posts a link back to the commit (and
originating PR, if found) on any ADDON-XXXXX ticket referenced in a
commit pushed to main/develop, giving reporters visibility into when
their fix landed.

Uses the Jira REST API directly via curl rather than a third-party
comment action (atlassian/gajira-comment has a known RCE, CVE-2020-14189).
Requires new JIRA_BASE_URL/JIRA_USER_EMAIL/JIRA_API_TOKEN secrets;
consuming repos need these added before bumping to the next tag.
addonfactory-docs-on-github-integration and issue-exploder already use
ATLASSIAN_EMAIL/ATLASSIAN_TOKEN (or JIRA_LOGIN/JIRA_API_TOKEN) against a
hardcoded splunk.atlassian.net rather than a configurable base URL.
Match that instead of introducing new JIRA_* secret names.
…a comments

Live test against test-addonfactory-repo (push to main, ADDON-88759)
showed the PR lookup 403ing (job only had contents:read) and, because
gh api's stderr/stdout still populated PR_URL before the `|| true`
swallowed the exit code, the raw JSON error body got embedded as the
"PR" link href in the posted Jira comment.
Reword the posted comment to "{author} mentioned this issue in a commit
of {repo} on branch {branch}:" followed by the commit/PR links, matching
the phrasing already used by the existing GitLab->Jira integration
(srv-ssc-gitlab) so both integrations read consistently on a ticket.
if [[ ! "$PR_TITLE" =~ ADDON-[0-9]{5,6} ]]; then
echo "::error::PR title must contain a Jira ticket in the format ADDON-XXXXX (5-6 digits). Got: $PR_TITLE"
exit 1
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check can be bypassed after it passes because the current template caller only runs PR workflows on opened,
reopened, and synchronize, not edited. A PR title can be changed after a green check. The caller workflow
should include pull_request.types: edited if this is intended to enforce the merge-time title.

GSSA_AWS_SECRET_ACCESS_KEY:
description: GSSA AWS secret access key
required: true
permissions:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These new workflow_call secrets are required, but the template caller uses an explicit secrets: map and does
not pass them yet. Existing consumers will fail workflow validation before jobs start unless the caller/template is
updated too, or these secrets are made optional.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants