
fix: manage report issue lifecycle based on violations #12

Merged
botantler[bot] merged 1 commit into main from devantler/fix-report-issue-lifecycle
Apr 12, 2026

Conversation

@devantler
Contributor

Summary

Fixes the issue where all report workflows unconditionally create/update a GitHub issue — even when no violations are found — and create duplicate issues when violations recur after a previous issue was closed.

Changes

  • New composite action (.github/actions/manage-report-issue/action.yml) — uses gh CLI to manage the full issue lifecycle:
    • Violations found → create new issue, or update + reopen existing
    • No violations → close existing open issue with a resolution comment, or do nothing
  • Updated all 3 report workflows to use the composite action instead of step-security/create-issue-from-file

Behavior matrix

| Scenario | Before | After |
|---|---|---|
| Violations, no existing issue | Creates issue ✅ | Creates issue ✅ |
| Violations, open issue exists | Updates body ✅ | Updates body ✅ |
| Violations, closed issue exists | Creates duplicate | Reopens + updates ✅ |
| No violations, no existing issue | Creates noisy issue ❌ | Does nothing ✅ |
| No violations, open issue exists | Updates with "all good" ❌ | Closes with comment ✅ |
| No violations, closed issue exists | Creates duplicate | Does nothing ✅ |

No TypeScript changes — the has-violations and report-path outputs already existed in writeReportOutput.

Replace the step-security/create-issue-from-file action with a shared
composite action that uses the gh CLI to manage the full issue lifecycle:

- Violations found: create new issue, or update + reopen existing
- No violations: close existing open issue, or do nothing

This prevents noisy issues when no violations exist and avoids duplicate
issues when violations recur after an issue was closed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 12, 2026 19:20
@botantler botantler Bot enabled auto-merge (squash) April 12, 2026 19:20
@botantler botantler Bot merged commit 02d2ece into main Apr 12, 2026
15 checks passed
Contributor

Copilot AI left a comment


Pull request overview

This PR improves GitHub organization maintenance report workflows by managing the lifecycle of the corresponding GitHub issue based on whether violations are present, avoiding noisy “all good” issues and preventing duplicates when violations recur.

Changes:

  • Added a new composite action to create/update/reopen/close report issues using the gh CLI based on a has-violations flag.
  • Updated all report workflows to use the new composite action instead of step-security/create-issue-from-file.
  • Wired existing report outputs (report-path, has-violations) into the workflows’ issue-management step.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| .github/workflows/report-repos-with-no-team.yml | Switches issue publishing to the new lifecycle-based composite action. |
| .github/workflows/report-repos-with-no-admin-team.yml | Switches issue publishing to the new lifecycle-based composite action. |
| .github/workflows/report-repos-with-multi-admin-teams.yml | Switches issue publishing to the new lifecycle-based composite action. |
| .github/actions/manage-report-issue/action.yml | Implements issue create/update/reopen/close logic driven by has-violations. |

--state all \
--search "in:title \"${TITLE}\"" \
--json number,title \
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
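Review bot: the title is also interpolated into the `--search "in:title \"${TITLE}\""` qualifier on the line above the jq filter, so a title containing a double quote breaks the search phrase before jq ever runs; treat `--search` as a candidate prefilter only (it matches any title containing the phrase, so the exact comparison in the jq filter is what actually selects the issue) and, since gh's built-in `--jq` flag accepts only an expression and has no `--arg`, the safe comparison has to go through an external `jq -r --arg title "$TITLE" '.[] | select(.title == $title) | .number'` on the pipe, with `head -1` kept after it.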

Copilot AI Apr 12, 2026


The jq filter interpolates TITLE directly into a quoted jq string (select(.title == "${TITLE}")). If the title ever contains a double-quote or backslash, this will produce invalid jq and fail the action. Use jq's --arg to pass TITLE safely and compare against $title instead of string interpolation.

Suggested change
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
| jq -r --arg title "$TITLE" '.[] | select(.title == $title) | .number' \

Comment on lines +31 to +41
# Find existing issue by exact title (any state)
ISSUE_NUMBER=$(
gh issue list \
--repo "$GITHUB_REPOSITORY" \
--state all \
--search "in:title \"${TITLE}\"" \
--json number,title \
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
| head -1
)
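Review bot: with `--state all` and `| head -1`, this block selects whichever matching issue the API returns first, so when an open and a closed issue share the title the closed one can win and be reopened, which leaves two open issues with the same title; the block also cannot tell "no match" from a failed `gh` call, because an error leaves `ISSUE_NUMBER` empty and the action then treats that as "no existing issue" and creates a new one. Query `--state open` first and fall back to `--state closed` only when that returns nothing, and run the script with `set -euo pipefail` so a gh failure fails the step instead of producing a duplicate.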


Copilot AI Apr 12, 2026


gh issue list is called without an explicit --limit, so it will only consider the CLI's default number of results. If there are many historical issues with the same title, the correct match (especially an older open one) may not be returned, which can reintroduce duplicate-issue behavior. Set an explicit limit (and/or prefer open issues first) to make selection deterministic.

Suggested change
# Find existing issue by exact title (any state)
ISSUE_NUMBER=$(
gh issue list \
--repo "$GITHUB_REPOSITORY" \
--state all \
--search "in:title \"${TITLE}\"" \
--json number,title \
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
| head -1
)
# Find existing issue by exact title, preferring an open issue over a closed one.
ISSUE_NUMBER=$(
gh issue list \
--repo "$GITHUB_REPOSITORY" \
--state open \
--limit 1000 \
--search "in:title \"${TITLE}\"" \
--json number,title \
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
| head -1
)
if [ -z "$ISSUE_NUMBER" ]; then
ISSUE_NUMBER=$(
gh issue list \
--repo "$GITHUB_REPOSITORY" \
--state closed \
--limit 1000 \
--search "in:title \"${TITLE}\"" \
--json number,title \
--jq ".[] | select(.title == \"${TITLE}\") | .number" \
| head -1
)
fi

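An added example, not the PR's own action.yml and not code from the project: the create/update/reopen/close lifecycle from the behavior matrix in the description, with the existing-issue lookup done the way the two review comments ask for, preferring an open issue over a closed one and never splicing the title into a jq program (the exact-title comparison is done in the shell on `gh issue list --json ... --template` output, which also removes the dependency on jq). `GITHUB_REPOSITORY`, the report titles and the report body are placeholders, and the `gh` function is a constructed in-memory stand-in for the real CLI so the script runs offline; delete it and `reset_fixture` to run against GitHub.

```shell
#!/usr/bin/env bash
# Added example, not the PR's action.yml: the create/update/reopen/close
# lifecycle from the behavior matrix, with the existing-issue lookup done by
# exact string comparison in the shell instead of interpolating the title
# into a jq program. Assumes GITHUB_REPOSITORY is set and gh is logged in;
# gh() below is a constructed stand-in for the real CLI so this runs offline.
set -eu
: "${GITHUB_REPOSITORY:=example-org/example-repo}"   # assumed placeholder
TAB=$(printf '\t')

# ---- constructed stub of the gh CLI: in-memory issue table plus call log ----
reset_fixture() {
  # Rows: number<TAB>state<TAB>title. #7 is a closed earlier report with the
  # exact title; #9 only shares the prefix, so an in:title search returns it too.
  ISSUE_DB=$(printf '7\tclosed\tReport: repos with no team\n9\topen\tReport: repos with no team (archived)\n')
  NEXT_ISSUE=10
  GH_LOG=""
}
gh() {
  local sub="$1 $2" state="" number="" title="" n s t
  shift 2
  while [ $# -gt 0 ]; do
    case "$1" in
      --state) state="$2"; shift ;;
      --title) title="$2"; shift ;;
      --repo|--limit|--search|--json|--template|--body-file|--comment) shift ;;
      [0-9]*)  number="$1" ;;
    esac
    shift
  done
  case "$sub" in
    "issue list")   # emulates --json number,title --template '<number>\t<title>\n'
      printf '%s\n' "$ISSUE_DB" | while IFS="$TAB" read -r n s t; do
        if [ "$s" = "$state" ]; then printf '%s\t%s\n' "$n" "$t"; fi
      done ;;
    "issue create")
      ISSUE_DB=$(printf '%s\n%s\topen\t%s\n' "$ISSUE_DB" "$NEXT_ISSUE" "$title")
      GH_LOG="$GH_LOG create:$NEXT_ISSUE"; NEXT_ISSUE=$((NEXT_ISSUE + 1)) ;;
    "issue edit") GH_LOG="$GH_LOG edit:$number" ;;
    "issue reopen"|"issue close")
      if [ "$sub" = "issue reopen" ]; then s=open; else s=closed; fi
      ISSUE_DB=$(printf '%s\n' "$ISSUE_DB" |
        awk -F'\t' -v OFS='\t' -v n="$number" -v st="$s" '$1 == n { $2 = st } { print }')
      GH_LOG="$GH_LOG ${sub#issue }:$number" ;;
  esac
}

# ---- lookup: the search only narrows candidates; the exact match is local ----
find_issue() {   # find_issue TITLE STATE -> prints the issue number, or nothing
  local wanted="$1" state="$2"
  # Caveat: the in:title phrase is still built from the title, so a title with
  # a double quote breaks the search. The workflows use fixed titles, so that
  # is acceptable; what matters is that no title text becomes jq code.
  gh issue list --repo "$GITHUB_REPOSITORY" --state "$state" --limit 1000 \
     --search "in:title \"$wanted\"" --json number,title \
     --template '{{range .}}{{.number}}{{"\t"}}{{.title}}{{"\n"}}{{end}}' |
  { found=""
    while IFS="$TAB" read -r number title; do
      if [ -z "$found" ] && [ "$title" = "$wanted" ]; then found="$number"; fi
    done
    printf '%s' "$found"; }
}

# ---- the lifecycle from the behavior matrix; open issue checked before closed ----
manage_report_issue() {   # manage_report_issue TITLE HAS_VIOLATIONS REPORT_PATH
  local title="$1" has_violations="$2" report="$3" open_issue closed_issue
  open_issue=$(find_issue "$title" open)
  closed_issue=$(find_issue "$title" closed)
  if [ "$has_violations" = true ]; then
    if [ -n "$open_issue" ]; then
      gh issue edit "$open_issue" --repo "$GITHUB_REPOSITORY" --body-file "$report"
      ACTION="updated:$open_issue"
    elif [ -n "$closed_issue" ]; then
      gh issue edit "$closed_issue" --repo "$GITHUB_REPOSITORY" --body-file "$report"
      gh issue reopen "$closed_issue" --repo "$GITHUB_REPOSITORY"
      ACTION="reopened:$closed_issue"
    else
      gh issue create --repo "$GITHUB_REPOSITORY" --title "$title" --body-file "$report"
      ACTION="created"
    fi
  elif [ -n "$open_issue" ]; then
    gh issue close "$open_issue" --repo "$GITHUB_REPOSITORY" \
      --comment "Closing: the latest report found no violations."
    ACTION="closed:$open_issue"
  else
    ACTION="noop"        # no violations and nothing open: stay quiet
  fi
  echo "$ACTION"
}

# Demo on the fixture: the title matches closed #7 exactly, so a recurring
# violation reopens and updates it instead of opening a duplicate.
reset_fixture
REPORT=$(mktemp)
printf '## Violations\n- example-org/orphaned-repo has no team\n' > "$REPORT"  # constructed report
manage_report_issue "Report: repos with no team" true "$REPORT"              # prints reopened:7
rm -f "$REPORT"
```

Because `find_issue` is queried once for open and once for closed issues, an open issue is always updated before a closed one can be reopened, which is the ordering the second review comment asks for; the `--search` phrase is kept only to keep the candidate list small, and `set -eu` makes a failing `gh` call abort the step rather than fall through to `gh issue create`.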