Slack does not display attached image URLs correctly due to long JWT token in Markdown
When an image is attached to an issue or comment in GitHub, the generated URL now includes a long JWT token. For example:
[Image](https://private-user-images.githubusercontent.com/151300/487659672-835e89e5-d1a0-452f-a924-XXXXXXXX.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NTc0O.....
When this URL is sent in a Slack message, the middle of the token is truncated, resulting in an incomplete Markdown image syntax and the image not being displayed correctly. Instead, a very long URL with a JWT token is exposed, making it difficult to view.
It appears this issue arose because GitHub changed the format of attached file URLs to include a token. Please investigate how to improve the Slack GitHub Action so that image URLs are shown correctly in Slack messages, or are transformed to display images properly without exposing the long JWT token in the message.
🙏🏼
Thank you for reporting the issue, @comfuture. @zimeg, would you mind taking a look at this?
@comfuture Thanks for sharing this finding 📸
I'm unsure when these links might've changed but will test with the following image and notes:
src: https://github.com/user-attachments/assets/668c92cf-7cb1-4d37-bbae-970a2eeb50b3
preview: https://private-user-images.githubusercontent.com/18134219/487936369-668c92cf-7cb1-4d37-bbae-970a2eeb50b3.png?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.[…].w45x6EWkgecIUfCquBqZk9RRqjO0zCtCdKsSo9Ve4og
Without the jwt an empty file is downloaded so this does seem like a requirement for posted images. The src before is shown after dragging an image into the message composer but I don't know if we can get that after a comment is posted?
It's also not so clear to me where the truncation is happening, but will report back soon 🫡
🗣️ The jwt found in a link expires after 5 minutes which then causes empty downloads or images to not appear.
I am however finding that the initial src link can be used in message attachments as expected! At the moment I don't know if we can gather this from a comment using workflow events.
@comfuture Would it be possible to share an example workflow or setup that uses image links from a comment?
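An added example, not part of the thread or of the action's code: one way a workflow step could keep the signed `jwt` out of a Slack message by rewriting preview links to the token-free `src` form before posting. The function names are hypothetical, and the rewrite rule (the UUID in the preview filename equals the asset id) is an assumption inferred from the single src/preview pair quoted above.

```javascript
// Added example: names and the rewrite rule are assumptions, not the action's code.
const PRIVATE_HOST = "private-user-images.githubusercontent.com";
const UUID_RE = /([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.[a-z0-9]+$/i;

// Read the `exp` claim from a JWT payload without verifying the signature.
// Used only to report staleness, never to make a trust decision.
function jwtExpiry(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return Number.isInteger(claims.exp) ? claims.exp : null;
  } catch {
    return null; // truncated or malformed payload
  }
}

// Replace signed preview URLs in Markdown text with the token-free asset URL.
// Returns the rewritten text plus one finding per signed link.
function stripSignedImageUrls(markdown, nowSeconds) {
  const findings = [];
  const text = markdown.replace(/https:\/\/[^\s)<>"]+/g, (raw) => {
    let url;
    try { url = new URL(raw); } catch { return raw; }
    if (url.hostname !== PRIVATE_HOST || !url.searchParams.has("jwt")) return raw;
    const exp = jwtExpiry(url.searchParams.get("jwt"));
    const match = UUID_RE.exec(url.pathname);
    const expired = exp !== null && exp <= nowSeconds;
    if (!match) {
      // Unknown path shape: still drop the query so the token is not forwarded.
      findings.push({ rewritten: false, exp, expired });
      return url.origin + url.pathname;
    }
    findings.push({ rewritten: true, exp, expired });
    return `https://github.com/user-attachments/assets/${match[1].toLowerCase()}`;
  });
  return { text, findings };
}

// Constructed sample: the token is fake and built here; the UUID is the one quoted in the thread.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const SAMPLE_JWT = `${b64({ typ: "JWT", alg: "HS256" })}.${b64({ iss: "github.com", exp: 1000 })}.c2ln`;
const SAMPLE = `![Image](https://${PRIVATE_HOST}/1/2-668c92cf-7cb1-4d37-bbae-970a2eeb50b3.png?jwt=${SAMPLE_JWT})`;
console.log(stripSignedImageUrls(SAMPLE, 1300));
```

Whether the rewritten link renders in Slack still depends on the asset being reachable without the token, which the comment above reports for message attachments only.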