
Update dedupe workflow to have correct name #5327

Merged
peterzhuamazon merged 16 commits into opensearch-project:main from qianheng-aws:refactor/dedupe-reusable-workflow
Apr 9, 2026

Conversation

qianheng-aws commented Apr 9, 2026

Collaborator

Summary

  • Rename workflow to Issue Dedupe Main

Test plan

  • Verified workflow YAML syntax
  • Trigger workflow_dispatch to confirm detect job works
  • Verify scheduled auto-close job runs correctly

Replace inline workflow logic in all three issue dedup files with thin
callers to opensearch-project/opensearch-build/.github/workflows/issue-dedupe.yml@main.
This centralizes the dedupe logic (detect, auto-close, remove-label) into
a single reusable workflow, reducing per-repo maintenance burden.

Signed-off-by: Heng Qian <qianheng@amazon.com>

Point reusable workflow references to qianheng-aws/opensearch-build
branch add-issue-dedupe-workflow until the upstream PR is merged.

Signed-off-by: Heng Qian <qianheng@amazon.com>

- Three caller workflows now delegate to opensearch-build reusable workflows
- Remove .claude/commands/dedupe.md (prompt now lives in opensearch-build)
- Remove scripts/comment-on-duplicates.sh (logic inlined in reusable workflow)

Signed-off-by: Heng Qian <qianheng@amazon.com>

Remove redundant parameter passing — reusable workflows now derive
issue context from github.event directly.

Signed-off-by: Heng Qian <qianheng@amazon.com>

- Point to opensearch-project/opensearch-build@main
- Rename secret to BEDROCK_ACCESS_ROLE_ISSUE
- Add schedule trigger and auto-close job
- Remove workflow_dispatch (detect derives issue from github.event)

Signed-off-by: Heng Qian <qianheng@amazon.com>
github-actions bot commented Apr 9, 2026

Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit f401cdf.

Path | Line | Severity | Description
.github/workflows/issue-dedupe.yml | 29 | high | Reusable workflow referenced at '@main' (opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main) rather than a pinned commit SHA. Any change to the external repo's main branch will immediately affect this workflow, making this a supply chain attack vector.
.github/workflows/issue-dedupe.yml | 40 | high | Reusable workflow referenced at '@main' (opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main) rather than a pinned commit SHA. Same supply chain risk as above — the external workflow content is not immutable.
.github/workflows/issue-dedupe.yml | 35 | high | Secret 'BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE' is passed to an external reusable workflow pinned at '@main'. If that external repository is compromised or the workflow is modified, the secret (an AWS IAM role ARN used for OIDC trust) could be exfiltrated or abused to assume cloud credentials.
.github/workflows/issue-dedupe.yml | 33 | high | 'id-token: write' permission is granted and delegated to the external reusable workflow at '@main'. This allows the external workflow to request OIDC tokens from GitHub's identity provider, which can be exchanged for cloud credentials (AWS, GCP, Azure). Combined with the mutable '@main' reference, this creates a serious privilege escalation path.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 4 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
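The analyzer's four findings reduce to one pattern: a `uses:` reference ending in `@main` (or any tag or branch) is resolved at run time, so whoever can push to that ref controls a job that holds `id-token: write` and the BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE secret. GitHub accepts a full 40-hex commit SHA after the `@` for reusable workflows exactly as for actions, which makes the reference immutable. The checker below is an added example written for this page, not code from the PR or from opensearch-build: it scans a caller workflow for `uses:` references that are not SHA-pinned and raises the severity when the calling job also grants `id-token: write` or passes `secrets:`. The embedded workflow is constructed for the demo (the two opensearch-build paths are the ones the analyzer names; the 40-hex value is a placeholder, not a real commit), and the scanner assumes GitHub's two-space indentation instead of parsing YAML.

```python
"""Flag mutable `uses:` references in a GitHub Actions caller workflow.

Added example, not code from this PR or from opensearch-build. The text is scanned
line by line (assuming GitHub's two-space indentation), so no YAML library is needed.
A version that is not a full 40-hex commit SHA is mutable: tags can be moved and
branches advance. Top-level `permissions:` outside `jobs:` is deliberately ignored.
"""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
JOB_HEADER = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")   # two-space indent = a job name
USES_LINE = re.compile(r"^(\s*)(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\b")
SECRETS_KEY = re.compile(r"^\s*secrets:")


@dataclass
class Finding:
    job: str
    line: int
    ref: str
    severity: str
    reason: str


def is_pinned(ref):
    """Local ('./...') and docker:// refs are out of scope; anything else needs a SHA."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False
    return bool(SHA40.match(ref.rsplit("@", 1)[1]))


def audit_workflow(text):
    """Return one Finding per mutable `uses:` reference, in file order."""
    jobs = {}  # job name -> {"uses": [(line, ref)], "id_token": bool, "secrets": bool}
    job, in_jobs = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("jobs:"):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        header = JOB_HEADER.match(raw)
        if header:
            job = header.group(1)
            jobs[job] = {"uses": [], "id_token": False, "secrets": False}
            continue
        if job is None:
            continue
        state = jobs[job]
        uses = USES_LINE.match(raw)
        if uses:
            state["uses"].append((lineno, uses.group(2)))
        if ID_TOKEN_WRITE.match(raw):
            state["id_token"] = True
        if SECRETS_KEY.match(raw):        # explicit mapping or `secrets: inherit`
            state["secrets"] = True

    findings = []
    for name, state in jobs.items():
        for lineno, ref in state["uses"]:
            if is_pinned(ref):
                continue
            # Reusable-workflow refs always carry the .github/workflows/ segment; action refs never do.
            reusable = ".github/workflows/" in ref
            if reusable and (state["id_token"] or state["secrets"]):
                severity, reason = "high", "mutable reusable workflow receives id-token:write and/or secrets"
            else:
                severity, reason = "medium", "mutable ref; pin to a full commit SHA"
            findings.append(Finding(name, lineno, ref, severity, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed caller workflow for the demo. The two opensearch-build paths are the ones
# named in the analyzer report; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Issue Dedupe Main
on:
  issues:
    types: [opened]
jobs:
  detect:
    permissions:
      issues: write
      id-token: write
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
    secrets:
      BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
  autoclose:
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.severity.upper():6} line {f.line:2} job {f.job}: {f.ref} ({f.reason})")
```

Run it directly to list the sample's three findings (the `detect` job is the high one, because it both grants `id-token: write` and forwards the Bedrock role secret to an `@main` reference); pass a real caller file's contents to `audit_workflow` to audit it. Pinning the reusable workflow to a SHA freezes only that file: the `uses:` references inside the called workflow must be pinned in turn, or the chain is still mutable one hop further on.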

…ble-workflow

Signed-off-by: Heng Qian <qianheng@amazon.com>

# Conflicts:
#	.github/workflows/issue-dedupe.yml
github-actions bot commented Apr 9, 2026

Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ No major issues detected

qianheng-aws added the "maintenance" label (Improves code quality, but not the product) Apr 9, 2026
peterzhuamazon changed the title from "Point issue dedupe workflow to upstream reusable workflows" to "Update dedupe workflow to have correct name" Apr 9, 2026
peterzhuamazon merged commit 59cc903 into opensearch-project:main Apr 9, 2026
39 of 40 checks passed

Labels

maintenance Improves code quality, but not the product


2 participants