
fix: Discord Notification #302

Merged: RambokDev merged 1 commit into main from fix/ci-cd-notification-discord on May 29, 2026

@RambokDev (Collaborator) commented May 29, 2026

Summary by CodeRabbit

  • Chores
    • Improved reliability of Discord release notifications with enhanced error handling and defensive data processing
    • Refined notification payload formatting with explicit field truncation limits to ensure consistent and reliable delivery

coderabbitai Bot commented May 29, 2026

📝 Walkthrough


The Discord notification workflow was hardened with stricter shell options, defensive JSON extraction from the GitHub API, field-length-truncated payload generation via jq, and improved curl error handling with diagnostic output before transmission.

Changes

Discord Webhook Robustness and Field Truncation

| Layer / File(s) | Summary |
| --- | --- |
| Environment setup and shell hardening (.github/workflows/discord.yml) | Step environment expanded to include RELEASE_TAG, DISCORD_TITLE, DISCORD_COLOR, and DISCORD_FOOTER; run script begins with set -euo pipefail for stricter error handling. |
| Release data fetching with defensive JSON extraction (.github/workflows/discord.yml) | GitHub API call fetches release data using RELEASE_TAG env var; jq extracts name, URL, and body with fallback defaults; RELEASE_TITLE falls back to RELEASE_TAG when missing. |
| Discord payload construction with field truncation (.github/workflows/discord.yml) | Payload written to payload.json via jq -n with explicit field-length truncation for content, embed title/description, author name, and footer text; Discord-specific configuration wired through environment variables. |
| Webhook request and diagnostic output (.github/workflows/discord.yml) | Curl invocation updated with --fail-with-body -sS for improved error reporting, -d @payload.json for proper JSON payload transmission, ?wait=true query parameter, and pre-send payload diagnostics. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The PR modifies a single file but introduces multiple conceptual layers: shell option hardening, API call robustness, payload field truncation logic, and curl error handling. The jq payload-generation logic (lines 53–103) is moderately dense with field-length calculations and conditional formatting that requires careful inspection to ensure Discord message constraints are respected.

Possibly related PRs

  • Portabase/portabase#186: Both PRs modify the same Discord notification workflow by changing how webhook/token inputs are wired into the step environment.
  • Portabase/portabase#183: Both PRs modify the Discord notification workflow logic by changing how inputs and environment variables are sourced and affecting payload construction.

Poem

🐰 A notification takes flight,
With fields truncated just right,
Jq builds the payload with care,
And curl sends it through the air,
Discord shines with freshly bright light! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'fix: Discord Notification' is related to the changeset which updates the Discord notification workflow, but it is vague and lacks specificity about what aspect of the Discord notification is being fixed. | Consider using a more specific title that describes the actual improvement, such as 'fix: Improve Discord notification reliability with defensive JSON extraction and payload validation' or 'fix: Enhance Discord webhook error handling and truncation limits'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/discord.yml:
- Line 40: The run step is using template expansion inside the shell command
(RELEASE_INFO=$(gh release view "$RELEASE_TAG" -R "${{ github.repository }}"
--json name,url,body,author)); update this to use the built-in environment
variable instead to avoid template-injection patterns: replace the "${{
github.repository }}" expression with the shell env var $GITHUB_REPOSITORY in
the gh release view invocation (which populates RELEASE_INFO), keeping the rest
of the command and quoted variable usage unchanged.
- Around line 25-27: Add an explicit least-privilege permissions block to the
notify-discord job so the GITHUB_TOKEN only has read access needed for release
metadata: update the notify-discord job (job name "notify-discord") in
.github/workflows/discord.yml to include a permissions section (e.g.
permissions: contents: read) that restricts token scopes to the minimal
read-only permission required for reading release metadata.
- Around line 47-48: The workflow currently sets RELEASE_URL (and RELEASE_BODY)
and always includes the embed url field as `url: $url`, which sends `url: ""` to
Discord when no release URL exists; change the payload construction to only
include the embed `url` field when RELEASE_URL is non-empty (e.g., wrap the
`url: $url` line in a conditional using RELEASE_URL or build the embed JSON with
jq/printf and include the "url" property only if [ -n "$RELEASE_URL" ]), keeping
the existing RELEASE_URL/RELEASE_BODY variables unchanged but ensuring the embed
omits url when RELEASE_URL is empty.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 30382b82-caa3-4f17-8348-0d075f8aca63

📥 Commits

Reviewing files that changed from the base of the PR and between 4ef82ac and fce1541.

📒 Files selected for processing (1)
  • .github/workflows/discord.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-and-test
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/discord.yml

[warning] 1-109: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 25-109: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 40-40: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🔇 Additional comments (3)
.github/workflows/discord.yml (3)

33-38: LGTM!


53-75: LGTM!

Also applies to: 77-102


104-109: LGTM!

@RambokDev RambokDev merged commit a7b28ce into main May 29, 2026
5 checks passed
@RambokDev RambokDev deleted the fix/ci-cd-notification-discord branch May 29, 2026 06:22
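
The three review findings above (template expansion in the `gh release view` call, the missing `permissions:` block, and the always-present embed `url`) applied together in one job, as an added sketch that is not the repository's actual `.github/workflows/discord.yml`. The trigger, the `DISCORD_WEBHOOK_URL` secret name and the source of `RELEASE_TAG` are assumptions; 256 and 4096 are Discord's embed title and description limits.

```yaml
# Constructed sketch; not the repository's .github/workflows/discord.yml.
name: notify-discord-sketch
on:
  release:
    types: [published]            # assumed trigger

jobs:
  notify-discord:
    runs-on: ubuntu-latest
    # Least privilege: reading release metadata needs only contents: read.
    # With no permissions: block the job gets the default token scopes.
    permissions:
      contents: read
    steps:
      - name: Send release embed
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}        # assumed source
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}  # assumed secret name
        # Flagged form: -R "${{ github.repository }}" is pasted into the script
        # text before the shell starts. $GITHUB_REPOSITORY is an ordinary
        # variable read at run time, so nothing is templated into the script.
        # (Expressions are expanded even inside shell comments, so this note
        # lives outside the run block.)
        run: |
          set -euo pipefail
          RELEASE_INFO=$(gh release view "$RELEASE_TAG" -R "$GITHUB_REPOSITORY" \
            --json name,url,body,author)
          RELEASE_URL=$(jq -r '.url // ""' <<<"$RELEASE_INFO")
          RELEASE_BODY=$(jq -r '.body // ""' <<<"$RELEASE_INFO")
          RELEASE_TITLE=$(jq -r --arg tag "$RELEASE_TAG" \
            '(.name // "") | if . == "" then $tag else . end' <<<"$RELEASE_INFO")

          # Build the embed, then attach url only when it is non-empty, so
          # Discord never receives url: "".
          jq -n --arg title "$RELEASE_TITLE" --arg url "$RELEASE_URL" \
                --arg body "$RELEASE_BODY" '
            {title: ($title | .[0:256]), description: ($body | .[0:4096])}
            | if $url != "" then . + {url: $url} else . end
            | {embeds: [.]}
          ' > payload.json

          curl --fail-with-body -sS -H "Content-Type: application/json" \
            -d @payload.json "${DISCORD_WEBHOOK_URL}?wait=true"
```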