Harden GitHub handle extraction and verify account exists before inviting #9

Merged: ewels merged 1 commit into main from fix/github-handle-validation on Jun 2, 2026

ewels (Member) commented Jun 2, 2026

Problem

A GitHub invitation request came in where the applicant answered the handle question with a sentence:

Which is your GitHub handle?
My GitHub username is @Harshita-sriv.

The "Add to GitHub org" message shortcut parsed the answer by grabbing the first whitespace-delimited token after the prompt — My — which is a valid-looking handle, so the bot invited the real GitHub user my instead of @Harshita-sriv.

Changes

1. Smarter handle extraction (add_member_shortcut.py)

_handle_from_answer now scans the whole answer line for an unambiguous signal rather than blindly taking the first token:

  • An @mention token → @Harshita-sriv
  • A github.com/<user> URL token
  • A lone token, when the answer is a single word

Multi-word prose with no @ or URL is ambiguous, so it refuses to guess and returns None (the caller then asks the core-team member to use /nf-core github add <username>). All stripping and validation is delegated to the existing normalise_github_username.

2. Account-existence guard (invite_flow.py)

invite_and_greet now verifies the account exists (GET /users/{username}) before any invite, so typo'd or non-existent handles are rejected up front with a clear message — belt-and-braces on top of the extraction fix.

Tests

  • Added extraction cases including the verbatim incident input, prose-with-URL, bare-word rejection, and @mention-only.
  • Added "user does not exist → not invited" cases for both the slash command and the shortcut.
  • Shared _user_exists autouse fixture lives in conftest.py.

Full suite: 425 passed. ruff check, ruff format, and mypy clean (no new errors).

🤖 Generated with Claude Code
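
The extraction rule described above, as an added Python sketch (not the project's code from add_member_shortcut.py). `extract_handle` and `normalise_sketch` are hypothetical names, the latter an assumed stand-in for `normalise_github_username`; refusing when two signals disagree is an assumption beyond what the PR states.

```python
import re
from typing import Optional

# GitHub username shape: 1-39 chars, alphanumerics and single hyphens,
# no leading or trailing hyphen.
_USERNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$")
_URL = re.compile(r"^(?:https?://)?(?:www\.)?github\.com/([^/?#]+)", re.I)
_PUNCT = ".,;:!?()<>\"'"


def normalise_sketch(raw: str) -> Optional[str]:
    """Assumed stand-in for normalise_github_username: strip, then validate."""
    candidate = raw.strip().strip(_PUNCT).lstrip("@")
    return candidate if _USERNAME.match(candidate) else None


def extract_handle(answer: str) -> Optional[str]:
    """Return a handle only when the answer carries an unambiguous signal."""
    tokens = [t.strip(_PUNCT) for t in answer.split()]
    tokens = [t for t in tokens if t]
    mentions = [t for t in tokens if t.startswith("@")]
    urls = [m.group(1) for t in tokens if (m := _URL.match(t))]
    if mentions or urls:
        found = {normalise_sketch(c) for c in mentions + urls}
        # Assumption: conflicting or invalid signals are ambiguous, so refuse.
        return found.pop() if len(found) == 1 and None not in found else None
    if len(tokens) == 1:
        # A lone word is the whole answer, so it can only be the handle.
        return normalise_sketch(tokens[0])
    return None  # multi-word prose with no @ or URL: do not guess


# First input is the incident answer quoted in the PR; the rest are constructed.
SAMPLES = [
    "My GitHub username is @Harshita-sriv.",
    "You can find me at https://github.com/octocat",
    "octocat",
    "My handle is octocat",
    "@alice or maybe @bob",
]

if __name__ == "__main__":
    for answer in SAMPLES:
        print(f"{answer!r:50} -> {extract_handle(answer)!r}")
```
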

…ting

The "Add to GitHub org" shortcut parsed workflow request text by grabbing
the first whitespace-delimited token after the handle prompt. When an
applicant answered with a sentence ("My GitHub username is @Harshita-sriv.")
the bot extracted "My" — a valid-looking handle — and invited the real
GitHub user `my`.

Extraction now scans the whole answer line for an unambiguous signal (an
@mention or github.com URL token, or a lone token) and delegates stripping
and validation to normalise_github_username, refusing to guess on
multi-word prose. As a second safeguard, invite_and_greet now verifies the
account exists (GET /users/{username}) before any invite, so typo'd or
non-existent handles are rejected with a clear message.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ewels (Member, Author) commented Jun 2, 2026

For you @jfy133 ❤️

ewels merged commit caa8f15 into main Jun 2, 2026
3 checks passed
ewels deleted the fix/github-handle-validation branch June 2, 2026 17:51