Closed danielrbradley closed 3 weeks ago
Done a bit of a rework since your comments @iwahbe to simplify and keep it closer to the current logic of comparing on the whole title every time.
I'd like to avoid situations where external users can affect our tooling. Instead of messing around with base64 encoded magic strings (which can be arbitrarily added to issues), can we simply make the --author customizable?
We're deliberately wanting to remove the user restrictions here on this only being runnable in CI and therefore not limiting on which user creates the issue. This only affects the deduplication logic for the issue creation, not the logic for triggering updates. The related change in this area is also to stop triggering the upgrade process off issue creations:
Pulumi could specify --author as pulumi-bot, others could set app/github-bot, or whatever is appropriate for their org.
When using github-actions built-in user, we can't filter on --author, we would have to use the --app option instead, which complicates things. This also still doesn't fix the issue of someone running this on their local machine and creating issues as their own user.
Notes from call:
Rollout plan:
Filtering via @me assumes that the user is always the same when creating issues. This might not be true if a user runs this tool locally. This also breaks when the author is an app such as github-actions as this must be specified via the --app option instead of --author.
As an alternative approach, GitHub will index for search any word within the issue body, even hidden within an HTML comment. We'll include the word "pulumiupgradeproviderissue" in the HTML comment to allow listing all upgrade issues easily via search. Once we've listed candidate issues, we'll check client-side for an exact matching title.
Here's an example issue where I've manually added this hidden comment to test searching:
We'll leave the existing "@me" based search in as a fallback until we can be confident that these tokens will be present in relevant issues.
Resolves #280
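A sketch of the client-side step described above, added here as an illustration and not taken from this PR or the upgrade-provider code base: candidates returned by the marker search are kept only on an exact title match. The `Issue` type, `FindExisting`, the re-check that the marker sits inside an HTML comment, the optional trusted-author set (modelled on the `--author` suggestion in the thread) and the sample titles are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// marker is the search word named in the PR description.
const marker = "pulumiupgradeproviderissue"
var htmlComment = regexp.MustCompile(`(?s)<!--(.*?)-->`)

// Issue is a hypothetical, minimal view of one search result.
type Issue struct {
	Number              int
	Title, Author, Body string
}

// hasMarker reports whether the marker sits inside an HTML comment in body.
func hasMarker(body string) bool {
	for _, m := range htmlComment.FindAllStringSubmatch(body, -1) {
		if strings.Contains(m[1], marker) {
			return true
		}
	}
	return false
}

// FindExisting returns the first candidate with an exact title match and the
// marker, or 0. A non-empty trusted set (an assumption) also limits the author.
func FindExisting(cands []Issue, title string, trusted map[string]bool) int {
	for _, c := range cands {
		if c.Title == title && hasMarker(c.Body) && (len(trusted) == 0 || trusted[c.Author]) {
			return c.Number
		}
	}
	return 0
}

// sampleIssues is constructed data standing in for search results.
func sampleIssues() []Issue {
	return []Issue{
		{11, "Upgrade terraform-provider-foo to v1.2.30", "pulumi-bot", "<!-- " + marker + " -->"},
		{12, "Upgrade terraform-provider-foo to v1.2.3", "someone-else", "<!-- " + marker + " -->"},
		{13, "Upgrade terraform-provider-foo to v1.2.3", "pulumi-bot", "Details\n<!-- " + marker + " -->"},
	}
}

func main() { fmt.Println(FindExisting(sampleIssues(), "Upgrade terraform-provider-foo to v1.2.3", nil)) }
```

With no trusted set, the constructed issue 12 from an unrelated account is treated as the existing issue; passing a trusted set containing pulumi-bot selects issue 13 instead.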