
Add BLT-Action to auto-add $5 bounty for sponsor-opened issues

Open vidipsingh opened this issue 9 months ago • 6 comments

User description

  • Implemented a GitHub Action that automatically adds a $5 label if an issue is created by a user listed in the SPONSORS environment variable.
  • Fixes the issue where manual intervention was required to add the $5 label, ensuring automation as outlined in #3859.

Fixes: #3859


PR Type

Enhancement, Configuration changes


Description

  • Added automation to label issues with $5 if opened by sponsors.

  • Changed GitHub Action trigger from issue_comment to issues event.

  • Implemented sponsor check using SPONSORS environment variable.

  • Integrated API call to add $5 label for eligible issues.


Changes walkthrough 📝

Relevant files
Enhancement
assign-issues.yml
Automate $5 label addition for sponsor issues                       

.github/workflows/assign-issues.yml

  • Changed trigger from issue_comment to issues event.
  • Added steps to check if issue author is a sponsor.
  • Implemented API call to add $5 bounty label for sponsor-created
    issues.
  • Enhanced workflow with environment variable and condition handling.
  • +31/-2   

  • Summary by CodeRabbit

    • New Features
      • Enhanced issue handling now automatically triggers on new issue submissions.
      • Sponsors receive a reward label, recognizing their support when they open an issue.

    vidipsingh avatar Mar 10 '25 10:03 vidipsingh

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis 🔶

    3859 - Partially compliant

    Compliant requirements:

    • Automate the addition of a $5 label to issues created by users listed in the SPONSORS environment variable.
    • Change the GitHub Action trigger from issue_comment to issues event.
    • Ensure the automation eliminates the need for manual intervention.

    Non-compliant requirements:

    []

    Requires further human verification:

    []

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 Security concerns

    Potential issue with unsanitized use of the SPONSORS environment variable in the bash script. This could lead to unexpected behavior if the variable contains malicious or malformed input.

    ⚡ Recommended focus areas for review

    Possible Issue

    The curl command in the "Add $5 bounty label for sponsors" step does not handle errors robustly. If the API call fails, the script continues without retrying or logging detailed error information.

    # \$5 is escaped here: an unescaped $5 inside double quotes expands to
    # positional parameter 5, which is empty in a run step
    echo "Adding \$5 bounty label for sponsor ${ISSUE_AUTHOR}"
    curl -X POST \
      -H "Authorization: token ${GITHUB_TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      https://api.github.com/repos/${REPO}/issues/${ISSUE_NUMBER}/labels \
      -d '{"labels":["bounty: $5"]}' || echo "Failed to add label, but continuing..."
    
    Security Concern

    The SPONSORS environment variable is directly used in a bash script without sanitization, which could lead to potential issues if the variable contains unexpected characters or formatting.

    env:
      SPONSORS: ${{ secrets.SPONSORS }}
      ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
    run: |
      if [[ ",${SPONSORS}," =~ ",${ISSUE_AUTHOR}," ]]; then
        echo "is_sponsor=true" >> "$GITHUB_OUTPUT"
      else
        echo "is_sponsor=false" >> "$GITHUB_OUTPUT"
      fi
    shell: bash
    

    github-actions[bot] avatar Mar 10 '25 10:03 github-actions[bot]

    PR Code Suggestions ✨

    github-actions[bot] avatar Mar 10 '25 10:03 github-actions[bot]

    @coderabbitai please review this

    DonnieBLT avatar Mar 20 '25 23:03 DonnieBLT

    Walkthrough

    This pull request updates the GitHub Actions workflow defined in .github/workflows/assign-issues.yml to trigger on issue creation. It adds new steps to the auto-assign job: checking out the repository, verifying if the issue author is a sponsor using a predefined SPONSORS environment variable, and conditionally adding a $5 bounty label via a GitHub API call when the author is confirmed as a sponsor.

    Changes

    File(s) Change Summary
    .github/workflows/assign-issues.yml Added a new trigger for issues: [opened] events and inserted steps in the auto-assign job: repository checkout, sponsor verification, and conditional bounty labeling.

    Sequence Diagram(s)

    sequenceDiagram
        participant IssueEvent as Issue Opened
        participant Workflow as GitHub Actions Workflow
        participant API as GitHub API
    
        IssueEvent->>Workflow: Trigger on issue creation
        Workflow->>Workflow: Checkout repository
        Workflow->>Workflow: Check if user is a sponsor (using SPONSORS env)
        alt User is sponsor
            Workflow->>API: POST request to add $5 bounty label
        else
            Workflow->>Workflow: End workflow without labeling
        end
    

    Assessment against linked issues

    Objective Addressed Explanation
    #3859: Make the BLT-Action auto add $5 if posted by a user in the SPONSORS env


    coderabbitai[bot] avatar Mar 20 '25 23:03 coderabbitai[bot]

    🧩 Analysis chain

    🏁 Script executed:

    #!/bin/bash
    # First, let's look at the actual code changes in the PR
    gh pr view 3901 --repo OWASP-BLT/BLT
    
    # Let's also get the detailed diff to see the actual code changes
    gh pr diff 3901 --repo OWASP-BLT/BLT
    
    # Get the issue details to understand the requirements better
    gh issue view 3859 --repo OWASP-BLT/BLT
    

    Length of output: 4313


    @DonnieBLT I've reviewed PR #3901 which adds automation to label issues with $5 bounty for sponsors. Here's my assessment:

    What's Done Well ✅

    • Successfully implements the requirements from issue #3859
    • Properly triggers on new issue creation
    • Correctly identifies sponsors using the environment variable
    • Applies the "$5" label using GitHub API

    Areas for Improvement 🔧

    1. Security Concern: Unsanitized Environment Variable

      if [[ ",${SPONSORS}," =~ ",${ISSUE_AUTHOR}," ]]; then
      

      This direct use of SPONSORS without validation could cause issues if it contains unexpected characters. Consider adding sanitization.

    2. Limited Error Handling

      curl -X POST \
        [...] \
        -d '{"labels":["bounty: $5"]}' || echo "Failed to add label, but continuing..."
      

      The error handling only prints a message without details or retry logic. Consider adding proper error logging and possibly retry logic.

    3. Alternative Approach: Instead of using raw curl, consider using GitHub's established actions for API interactions, like actions/github-script which provides better error handling.

    Overall, the PR meets the requirements but would benefit from addressing these concerns to improve security and reliability.

    coderabbitai[bot] avatar Mar 20 '25 23:03 coderabbitai[bot]
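Both bot reviews above raise the same two points: the sponsor check trusts the shape of SPONSORS, and the curl call swallows failures. The script below is an added example written for this discussion, not code from the BLT repository or from this PR, showing one way to address both. It assumes the same inputs the PR's workflow uses (SPONSORS as a comma-separated list of GitHub logins, ISSUE_AUTHOR, GITHUB_TOKEN, REPO as owner/name, ISSUE_NUMBER, and GITHUB_OUTPUT); the function names valid_login, is_sponsor, add_bounty_label and main are this example's own. One caveat worth stating: because the right-hand side of the PR's `=~` test is quoted, bash compares it as a literal string rather than a regex, so the practical weaknesses are about matching (surrounding whitespace, case, malformed entries) rather than command execution; the example therefore validates each entry against GitHub's login rules, trims it, and compares whole entries only.

```shell
#!/usr/bin/env bash
# Added example (not from the BLT repository): a stricter sponsor check and a
# label call with explicit failure handling. Assumed inputs, as in the PR:
# SPONSORS (comma-separated GitHub logins), ISSUE_AUTHOR, GITHUB_TOKEN,
# REPO (owner/name), ISSUE_NUMBER, GITHUB_OUTPUT.

# valid_login LOGIN: 0 if LOGIN follows GitHub's username rules (1-39 chars,
# alphanumerics and single hyphens, no leading or trailing hyphen), else 1.
valid_login() {
  local s="$1"
  [ "${#s}" -ge 1 ] && [ "${#s}" -le 39 ] || return 1
  case $s in
    -*|*-|*--*|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# is_sponsor LIST LOGIN: 0 if LOGIN is an entry of the comma-separated LIST.
# Entries are trimmed and compared whole and case-insensitively, so "ali" never
# matches "alice"; entries that are not well-formed logins are skipped rather
# than matched. The body runs in a subshell so IFS and globbing changes stay local.
is_sponsor() (
  list=$1 login=$2
  valid_login "$login" || exit 1
  login=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
  set -f            # never pathname-expand an entry such as "*"
  IFS=','
  for entry in $list; do
    entry=${entry#"${entry%%[![:space:]]*}"}   # strip leading whitespace
    entry=${entry%"${entry##*[![:space:]]}"}   # strip trailing whitespace
    valid_login "$entry" || continue
    [ "$(printf '%s' "$entry" | tr 'A-Z' 'a-z')" = "$login" ] && exit 0
  done
  exit 1
)

# add_bounty_label: POST the label and fail loudly. --fail turns HTTP errors
# into a non-zero exit, --retry covers transient failures, and the response
# body is printed so the job log shows what the API returned.
add_bounty_label() {
  case ${ISSUE_NUMBER:-} in
    ''|*[!0-9]*) echo "::error::ISSUE_NUMBER is not numeric" >&2; return 1 ;;
  esac
  local body
  body=$(curl --silent --show-error --fail --retry 3 --retry-delay 2 \
      -H "Authorization: Bearer ${GITHUB_TOKEN}" \
      -H "Accept: application/vnd.github+json" \
      -d '{"labels":["bounty: $5"]}' \
      "https://api.github.com/repos/${REPO}/issues/${ISSUE_NUMBER}/labels") || {
    echo "::error::Failed to add label to ${REPO}#${ISSUE_NUMBER}" >&2
    return 1
  }
  printf '%s\n' "$body"
}

# Step body: record the check for later steps, then label only for sponsors.
main() {
  if is_sponsor "${SPONSORS:-}" "${ISSUE_AUTHOR:-}"; then
    echo "is_sponsor=true" >> "$GITHUB_OUTPUT"
    echo "Adding \$5 bounty label for sponsor ${ISSUE_AUTHOR}"
    add_bounty_label
  else
    echo "is_sponsor=false" >> "$GITHUB_OUTPUT"
  fi
}

# Only act when invoked as the step script; sourcing the file does nothing.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

In a workflow this would be a single `run:` step invoking the script with `--run` under the same `env:` block the PR uses; a failed label call then fails the step instead of being logged and ignored, which is what makes the problem visible in the Actions UI.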

    @DonnieBLT Could you please review these changes? Thanks!

    vidipsingh avatar Mar 22 '25 08:03 vidipsingh

    we decided to not have this, but please reopen this with a comment change so you can have credit

    DonnieBLT avatar Apr 05 '25 03:04 DonnieBLT