The triage-issue job interpolated $ISSUE_TITLE and $ISSUE_BODY unquoted inside a double-quoted shell string, allowing any GitHub user to execute arbitrary commands by opening an issue with shell metacharacters. The duplicate-prs job similarly interpolated $COMMENT unquoted into a gh pr comment --body argument. Fix both by using printf with %s (prevents shell interpretation) and --body-file (avoids inline interpolation entirely). Co-authored-by: xj <gh-xj@users.noreply.github.com>
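---
# Opencode Agents: runs an LLM agent on newly opened issues (triage) and on
# newly opened pull requests (duplicate detection).
#
# Both jobs feed attacker-controlled text (issue title/body, PR title/body)
# into a shell. That text is passed via `env:` and consumed only through
# quoted "$VAR" expansions, printf '%s' and --body-file, never interpolated
# into the script source with ${{ }} -- keep it that way.
name: Opencode Agents

on:  # yamllint disable-line rule:truthy
  issues:
    types: [opened]
  pull_request_target:
    types: [opened]

jobs:
  triage-issue:
    if: github.event_name == 'issues'
    runs-on: ubuntu-latest
    # Least privilege: the agent only needs to read the repo and write issues.
    permissions:
      contents: read
      issues: write
    steps:
      - name: Checkout repository
        # NOTE(review): mutable tag; pin to a commit SHA if the project
        # wants reproducible, tamper-evident action versions.
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Install opencode
        # NOTE(review): unpinned curl|bash installer executed in a job that
        # later holds secrets; pinning a release and verifying a checksum
        # would reduce supply-chain exposure.
        run: curl -fsSL https://opencode.ai/install | bash

      - name: Triage issue
        env:
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Untrusted: any GitHub user controls these two values.
          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          # Quoted heredoc: the static prompt header is taken literally.
          cat > /tmp/issue_prompt.txt <<'PROMPT_EOF'
          The following issue was just opened, triage it:
          PROMPT_EOF
          # printf '%s' treats title/body as data, so shell metacharacters
          # in the issue cannot be interpreted.
          printf '\nTitle: %s\n\n%s\n' "$ISSUE_TITLE" "$ISSUE_BODY" >> /tmp/issue_prompt.txt
          opencode run --agent triage "$(cat /tmp/issue_prompt.txt)"

  duplicate-prs:
    # Skip PRs opened by the agent itself to avoid a feedback loop.
    if: github.event_name == 'pull_request_target' && github.event.pull_request.user.login != 'opencode-agent[bot]'
    runs-on: ubuntu-latest
    # Least privilege: read the repo, comment on PRs. The agent sees untrusted
    # PR text, so do not widen this token.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout repository
        # pull_request_target with no `ref:` checks out the base repository,
        # not the fork's head -- do not add `ref: ${{ github.event.pull_request.head.sha }}`
        # here, as that would run untrusted code with this job's token.
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Install opencode
        # NOTE(review): same unpinned installer concern as in triage-issue.
        run: curl -fsSL https://opencode.ai/install | bash

      - name: Build prompt
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # PR title/body are fetched with gh rather than interpolated from
          # the event payload, so they never touch the script source.
          {
            echo "Check for duplicate PRs related to this new PR:"
            echo ""
            echo "CURRENT_PR_NUMBER: $PR_NUMBER"
            echo ""
            # Fix: inside $(...) quoting starts fresh, so the previous
            # \"$PR_NUMBER\" passed literal quote characters to gh
            # (e.g. "42" instead of 42). Plain nested quotes are correct.
            echo "Title: $(gh pr view "$PR_NUMBER" --json title --jq .title)"
            echo ""
            echo "Description:"
            gh pr view "$PR_NUMBER" --json body --jq .body
          } > pr_info.txt

      - name: Check for duplicate PRs
        env:
          OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          opencode run --agent duplicate-pr "$(cat pr_info.txt)" > /tmp/comment_output.txt

          {
            echo "_The following comment was made by an LLM, it may be inaccurate:_"
            echo ""
            cat /tmp/comment_output.txt
          } > /tmp/comment_body.txt
          # --body-file: the LLM output is read from disk, never placed on a
          # command line where it could be re-interpreted.
          gh pr comment "$PR_NUMBER" --body-file /tmp/comment_body.txt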