
Onboard issue dedupe workflow (OpenSearch-Dashboards) #11873

Open

peterzhuamazon wants to merge 1 commit into opensearch-project:main from peterzhuamazon:analyzer-reviewer-dedupe

Conversation

@peterzhuamazon (Member)

Description

Onboard issue dedupe workflow (OpenSearch-Dashboards)

Issues Resolved

opensearch-project/opensearch-build#5912

Screenshot

Testing the changes

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

@github-actions (Contributor) commented Apr 29, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit e14b329.

| Path | Line | Severity | Description |
|---|---|---|---|
| .github/workflows/issue-dedupe.yml | 23 | high | External reusable workflow 'opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml' is pinned to the mutable '@main' ref rather than an immutable commit SHA. A compromise or malicious push to that branch would silently execute arbitrary code in this repository's CI context, including with the granted id-token and secret access. |
| .github/workflows/issue-dedupe.yml | 38 | high | External reusable workflow 'opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml' is also pinned to mutable '@main'. Any future change to that branch automatically affects this workflow with 'issues: write' permission, enabling an attacker to auto-close or manipulate issues in the repository. |
| .github/workflows/issue-dedupe.yml | 26 | high | 'id-token: write' permission is granted to the job that calls the external '@main'-pinned workflow. This allows the external workflow to request GitHub OIDC tokens, which can be used to assume cloud IAM roles (e.g., the Bedrock role referenced in the secret). If the upstream repo is compromised, the OIDC token could be used to escalate privileges in AWS. |
| .github/workflows/issue-dedupe.yml | 29 | high | The secret 'BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE' (an AWS IAM role ARN) is forwarded directly to an external workflow pinned at '@main'. Secrets passed to externally-hosted reusable workflows are accessible to all steps within that workflow. A supply chain compromise of the upstream repo would immediately expose this credential. |

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 4 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
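The four findings above all reduce to one check a reviewer can run by hand or in CI: is every `uses:` in the `jobs:` block pinned to a full commit SHA, and if not, what does the calling job hand to the upstream workflow? The following is an added example written for this page, not code from the PR or from opensearch-build. The workflow text is constructed from the job stanzas quoted in this thread; the 40-hex placeholder SHA and the `v1.0.0` comment in the hardened variant are hypothetical; the line reader is deliberately minimal and is not a YAML parser.

```python
import re

# Constructed sample, not the repository's file: the two job stanzas quoted in
# this thread, reduced to the keys the check reads.
WEAK_WORKFLOW = """\
jobs:
  detect-issue:
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
    permissions:
      contents: read
      issues: write
      id-token: write
    secrets:
      BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
    with:
      issue_number: ${{ inputs.issue_number || '' }}
  auto-close-issue:
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
    permissions:
      issues: write
"""

# Hypothetical placeholder commit, used only to show what an immutable pin looks like.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
HARDENED_WORKFLOW = WEAK_WORKFLOW.replace(
    "@main", "@" + PLACEHOLDER_SHA + "  # v1.0.0 (hypothetical tag)"
)

SHA_RE = re.compile(r"[0-9a-f]{40}")


def parse_jobs(workflow_text):
    """Minimal line-based reader for the 'jobs:' block.

    It understands only the flat layout used by the sample (job at indent 2,
    job keys at indent 4, permission/secret entries at indent 6) and is not a
    YAML parser; use a real one for arbitrary workflow files.
    """
    jobs, job, section, in_jobs = {}, None, None, False
    for raw in workflow_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            in_jobs, job, section = line == "jobs:", None, None
        elif not in_jobs:
            continue
        elif indent == 2 and line.endswith(":"):
            job = line[:-1]
            jobs[job] = {"uses": None, "permissions": {}, "secrets": [], "inherit": False}
            section = None
        elif job is not None and indent == 4:
            key, _, value = line.partition(":")
            value = value.split(" #", 1)[0].strip()  # drop a trailing comment such as a version tag
            if key == "uses":
                jobs[job]["uses"] = value
                section = None
            elif key == "secrets" and value == "inherit":
                jobs[job]["inherit"] = True
                section = None
            else:
                section = key  # permissions / secrets / with
        elif job is not None and indent == 6 and section:
            key, _, value = line.partition(":")
            if section == "permissions":
                jobs[job]["permissions"][key.strip()] = value.strip()
            elif section == "secrets":
                jobs[job]["secrets"].append(key.strip())
    return jobs


def audit(workflow_text):
    """Return (job, severity, message) findings for reusable-workflow calls.

    A ref is treated as immutable only if it is a full 40-hex commit SHA; branch
    names and tags ('main', 'v1') can both be moved by whoever controls the
    upstream repository, so they are flagged alike.
    """
    findings = []
    for name, job in parse_jobs(workflow_text).items():
        if not job["uses"] or "@" not in job["uses"]:
            continue
        target, ref = job["uses"].rsplit("@", 1)
        if SHA_RE.fullmatch(ref):
            continue  # immutable pin: the remaining checks only matter for mutable refs
        findings.append((name, "high", f"{target} is pinned to mutable ref '{ref}'"))
        if job["permissions"].get("id-token") == "write":
            findings.append((name, "high", "id-token: write lets the mutable-ref workflow mint OIDC tokens"))
        if job["inherit"]:
            findings.append((name, "high", "secrets: inherit forwards every repository secret to the mutable-ref workflow"))
        for secret in job["secrets"]:
            findings.append((name, "high", f"secret {secret} is forwarded to the mutable-ref workflow"))
        for scope, level in job["permissions"].items():
            if level == "write" and scope != "id-token":
                findings.append((name, "medium", f"{scope}: write is exercisable by the mutable-ref workflow"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label}: {len(audit(text))} finding(s)")
        for job, sev, msg in audit(text):
            print(f"  [{sev}] {job}: {msg}")
```

On the constructed sample the weak variant yields four high findings (the same four the analyzer reports) plus two medium ones for `issues: write`, and the SHA-pinned variant yields none. The SHA pin with a trailing version comment is the convention Dependabot's `github-actions` ecosystem keeps up to date, so pinning does not mean freezing the upstream forever; it means every upstream change arrives as a reviewable PR instead of landing silently with `id-token: write` and the role ARN already in hand.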

@peterzhuamazon (Member, Author)

Expect to add the new workflows.

@peterzhuamazon added the label skip-diff-analyzer (Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis) on Apr 30, 2026
@github-actions (Contributor)

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Missing Schedule Condition

The auto-close-issue job runs on schedule for any repository matching the condition, but the detect-issue job does not handle the schedule event at all. If the workflow is triggered by a scheduled run, neither job will execute the detect logic, which may be intentional but should be validated.

```yaml
  if: >-
    (github.event_name == 'workflow_dispatch' &&
     github.repository == 'opensearch-project/OpenSearch-Dashboards') ||
    (github.event_name == 'issues' &&
     github.event.issue.user.type != 'Bot' &&
     github.repository == 'opensearch-project/OpenSearch-Dashboards')
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
  permissions:
    contents: read
    issues: write
    id-token: write
  secrets:
    BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
  with:
    issue_number: ${{ inputs.issue_number || '' }}
    grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}

auto-close-issue:
  if: github.event_name == 'schedule' && github.repository == 'opensearch-project/OpenSearch-Dashboards'
```

Pinned to Main

Both reusable workflow references use @main as the ref (e.g., issue-dedupe-detect.yml@main and issue-dedupe-autoclose.yml@main). Pinning to @main means any breaking changes in the upstream workflows will immediately affect this workflow without a review cycle. Consider pinning to a specific commit SHA or tag for stability.

```yaml
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
  permissions:
    contents: read
    issues: write
    id-token: write
  secrets:
    BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
  with:
    issue_number: ${{ inputs.issue_number || '' }}
    grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}

auto-close-issue:
  if: github.event_name == 'schedule' && github.repository == 'opensearch-project/OpenSearch-Dashboards'
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
```

@github-actions (Contributor)

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Pass event issue number as fallback

When the workflow is triggered by the issues event (not workflow_dispatch),
inputs.issue_number will be empty and the fallback is an empty string ''. The called
workflow (issue-dedupe-detect.yml) should handle this case, but passing an empty
string may cause unexpected behavior if the reusable workflow expects a valid issue
number or uses the event context instead. Verify that the reusable workflow
correctly falls back to github.event.issue.number when this value is empty, or
explicitly pass the event issue number for the issues trigger.

.github/workflows/issue-dedupe.yml [31]

-issue_number: ${{ inputs.issue_number || '' }}
+issue_number: ${{ inputs.issue_number || (github.event_name == 'issues' && github.event.issue.number) || '' }}
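Review bot: the fallback chain `inputs.issue_number || (github.event_name == 'issues' && github.event.issue.number) || ''` relies on GitHub Actions expressions returning an operand value from `&&` and `||` rather than a boolean, which is how the expression language is documented to behave, so on an `issues` event the middle term yields the issue number and on `workflow_dispatch` it yields `false` and falls through to `''`. What this page does not show is how `issue_number` is declared in issue-dedupe-detect.yml; if that input is typed `string`, confirm the numeric value produced here is accepted before adopting the suggestion, otherwise the call fails at workflow validation rather than at runtime.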
Suggestion importance[1-10]: 5


Why: When triggered by the issues event, inputs.issue_number will be empty, and the reusable workflow may need the actual issue number. Explicitly passing github.event.issue.number as a fallback ensures the called workflow receives the correct issue number without relying on the reusable workflow to infer it from context.

Impact: Low

Category: General
Clarify schedule event handling intent

The detect-issue job does not handle the schedule event, but the schedule trigger is
defined in the workflow. If the workflow is triggered by a schedule event, neither
job's condition will match for detect-issue, which may be intentional, but it could
also mean scheduled runs silently do nothing for detection. Consider explicitly
excluding the schedule event or documenting this intent to avoid confusion.

.github/workflows/issue-dedupe.yml [17-22]

 if: >-
   (github.event_name == 'workflow_dispatch' &&
    github.repository == 'opensearch-project/OpenSearch-Dashboards') ||
   (github.event_name == 'issues' &&
    github.event.issue.user.type != 'Bot' &&
    github.repository == 'opensearch-project/OpenSearch-Dashboards')
+# Note: 'schedule' event is intentionally handled only by auto-close-issue job
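Review bot: the added `# Note:` line sits at column 0 directly after the multi-line `if:` expression; YAML accepts a comment there, but it should be indented to the job's key level so it reads as part of `detect-issue` rather than as a top-level remark. The condition already excludes `schedule` by construction (only `workflow_dispatch` and `issues` can match), so the comment changes no behaviour, which is consistent with the low importance score.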
Suggestion importance[1-10]: 2


Why: The behavior is intentional by design - the schedule event is meant only for auto-close-issue while detect-issue handles workflow_dispatch and issues events. The suggestion only asks to add a comment, which is a minor documentation improvement with minimal impact.

Impact: Low

Labels

  • enhancement (New feature or request)
  • Skip-Changelog (PRs that are too trivial to warrant a changelog or release notes entry)
  • skip-diff-analyzer (Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis.)
  • valued-contributor
