fix(ci): match existing Linear issues so triage stops creating duplicates

brendan-kellam · claude · brendan-kellam · commit 03f9893a62e9 · 2026-06-17T16:35:23.000-07:00
The Linear search bound the team UUID as a `String!` GraphQL variable into
`team.id.eq`, which expects `ID`. That variable-type mismatch made every
search return null data, so no finding ever matched an existing issue and the
job re-filed every CVE on each run. Drop the team filter (repo-prefix title
scoping is the authoritative filter anyway) and warn when a search errors.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/vulnerability-triage.yml b/.github/workflows/vulnerability-triage.yml
@@ -568,22 +568,31 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
           # For each finding, search Linear for an existing issue whose title contains the
-          # finding id AND is scoped to this repo (title starts with "[<repository>]").
-          # Prefer an open issue over a closed one.
-          SEARCH_QUERY='query($teamId: String!, $text: String!) { issues(filter: { team: { id: { eq: $teamId } }, title: { contains: $text } }) { nodes { id identifier url title state { type } } } }'
+          # finding id, then scope to this repo via the "[<repository>]" title prefix and
+          # prefer an open issue over a closed one. The team is intentionally NOT part of
+          # the GraphQL filter: its `id.eq` expects an `ID`, and binding our `String`
+          # team-UUID variable there is a type error that makes every search return null.
+          # Repo-prefix scoping below is the authoritative filter anyway.
+          SEARCH_QUERY='query($text: String!) { issues(filter: { title: { contains: $text } }) { nodes { id identifier url title state { type } } } }'
 
           echo '[]' > /tmp/matched.json
           jq -c '.cves[]' findings-base.json > /tmp/findings.jsonl
 
           while IFS= read -r finding; do
             CVE_ID=$(echo "$finding" | jq -r '.cveId')
-            VARS=$(jq -n --arg teamId "$TEAM_UUID" --arg text "$CVE_ID" '{teamId: $teamId, text: $text}')
+            VARS=$(jq -n --arg text "$CVE_ID" '{text: $text}')
             PAYLOAD=$(jq -n --arg query "$SEARCH_QUERY" --argjson vars "$VARS" '{query: $query, variables: $vars}')
             RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
               -H "Content-Type: application/json" \
               -H "Authorization: $LINEAR_API_KEY" \
               -d "$PAYLOAD")
 
+            # Surface query failures instead of silently treating them as "no match"
+            # (which would create a duplicate issue).
+            if [ "$(echo "$RESPONSE" | jq 'has("errors") or (.data.issues == null)')" = "true" ]; then
+              echo "::warning::Linear search for $CVE_ID failed: $(echo "$RESPONSE" | jq -c '.errors // .')"
+            fi
+
             SELECTED=$(echo "$RESPONSE" | jq --arg prefix "[$REPOSITORY]" '
               [.data.issues.nodes[]? | select(.title | startswith($prefix))] as $matches |
               ($matches | map(select(.state.type != "completed" and .state.type != "canceled")) | .[0]) as $open |
