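---
# Posts a booking-link comment on an issue once a maintainer applies the
# "approved" label. The only write performed is the issue comment itself.
name: Notify Approved Guests

on:
  issues:
    types: [labeled]

# Least privilege: the GITHUB_TOKEN's default grant is repository-configurable
# and may be read-only, in which case createComment below fails with 403.
# The job only needs to write issue comments, so grant exactly that and
# nothing else (no contents, pull-requests, etc.).
permissions:
  issues: write

jobs:
  notify-approved-guest:
    runs-on: ubuntu-latest
    # Every `labeled` event reaches this workflow; skip all labels but "approved".
    if: github.event.label.name == 'approved'
    steps:
      - name: Comment on approved issue
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // The handle is the issue author's login from the event payload,
            // not free text from the issue body, so it is already a GitHub
            // login. The checks below are defence in depth before it is
            // echoed into a comment.
            const githubHandle = context.payload.issue.user.login;
            console.log('Processing issue #', context.issue.number, 'by author:', githubHandle);
            if (githubHandle) {
              // Security: Enhanced validation function
              const isValidGitHubHandle = (handle) => {
                if (!handle || typeof handle !== 'string') return false;
                if (handle.length < 1 || handle.length > 39) return false;
                // Must start and end with alphanumeric, can contain hyphens in middle
                return /^[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/.test(handle);
              };
              if (isValidGitHubHandle(githubHandle)) {
                console.log('Creating comment for validated handle');
                // Security: Sanitize comment content. After the regex above this
                // is a no-op for any accepted handle; kept as a second layer so
                // the two checks do not have to stay in sync.
                const safeHandle = githubHandle.replace(/[<>'"&]/g, '');
                const commentBody = 'Hey @' + safeHandle + ' thank you for submitting your project! Looks super interesting! ✨\n\nPlease select a date from this calendar: https://gh.io/osf-booking\n\nDo let me know in this issue what date you selected for the stream! 📅';
                const issueComment = {
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.issue.number,
                  body: commentBody
                };
                try {
                  const result = await github.rest.issues.createComment(issueComment);
                  console.log('Comment created successfully, ID:', result.data.id);
                } catch (error) {
                  // Security: Don't expose error details in logs. The HTTP status
                  // alone (e.g. 403 when the token lacks issues: write) is enough
                  // to tell a permissions problem from a transient failure and
                  // carries no response body.
                  console.error('Failed to create comment for issue #', context.issue.number, 'status:', error.status);
                  // Don't re-throw to prevent workflow failure from exposing internals
                }
              } else {
                console.log('Handle validation failed for issue #', context.issue.number);
              }
            } else {
              console.log('No GitHub handle found for issue #', context.issue.number);
            }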