[generate_manifest] let issue creation trigger the workflow

[GabrielDrapor]

PR Type

Enhancement

---

Description

• Add GitHub issue trigger to generate-manifest workflow

• Extract repository URL from issue body automatically

• Support 'server submission' labeled issues for manifest generation

• Update all workflow steps to handle issue-based repository URLs

---

Diagram Walkthrough

flowchart LR
  A["GitHub Issue"] -- "labeled 'server submission'" --> B["Extract Repo URL"]
  B --> C["Generate Manifest"]
  C --> D["Create Pull Request"]
  E["Manual Dispatch"] --> C
  F["Repository Dispatch"] --> C

Loading

File Walkthrough

	Relevant files
Enhancement	generate-manifest.yml Add issue-based workflow trigger and URL extraction            .github/workflows/generate-manifest.yml Add issues trigger with opened and labeled event types Add conditional job execution for 'server submission' labeled issues Create new step to extract repository URL from issue body using regex Update all repository URL references to include extracted URL from issues +22/-4

---

Summary by CodeRabbit

• New Features

  • Workflow now triggers on issue events (opened, labeled) with conditional guards.
  • Automatically extracts a GitHub repository URL from the issue body; provides a clear error if none found.
  • Adds fallback logic to use the extracted URL for manifest generation, repository/name derivation, and branch naming.
  • Pull request commit and body now reference the extracted URL when applicable.

• Chores

  • Improved workflow robustness by unifying URL sourcing from issues, inputs, or client payload.

[coderabbitai]

Walkthrough

The generate-manifest GitHub Actions workflow now also triggers on issues (opened, labeled) with a guard to run only for “server submission” issues. It adds an issue-body URL extraction step and propagates that repo_url to subsequent steps and PR messages via fallback logic when inputs or client payload lack a URL.

Changes

Cohort / File(s)	Summary
Workflow triggers and URL sourcing .github/workflows/generate-manifest.yml	- Added issues: opened, labeled triggers with conditional guard for “server submission” label - New step to extract repo_url from issue body (GitHub URL parsing, error on missing) - Introduced repo_url/repo_name fallbacks to extracted URL across manifest generation, branch naming, and PR messages

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as Issue Author
  participant GH as GitHub Issues
  participant WF as generate-manifest Workflow
  participant EX as Extract URL Step
  participant GM as Generate Manifest
  participant PR as Create Pull Request

  User->>GH: Open/label issue
  GH-->>WF: Trigger workflow (issues event)
  WF->>WF: Check label == "server submission"
  alt Labeled as server submission
    WF->>EX: Parse issue body for https://github.com/... URL
    EX-->>WF: repo_url (or fail if missing)
    WF->>GM: Run with repo_url (fallback to EX output)
    GM-->>WF: Manifest + branch name (uses repo_url fallback)
    WF->>PR: Create PR with commit/PR body referencing repo_url
    PR-->>User: PR opened
  else Not labeled
    WF-->>GH: Exit without actions
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add script and workflow for contributing registry #233 — Introduces the generate-manifest workflow; this PR extends it with issue triggers and URL extraction fallbacks.
• [generate-manifest] add repository_dispatch Trigger #234 — Adjusts how repo_url is sourced within the same workflow; closely aligned with the new fallback logic.
• [generate_manifest] use GitHub app instead of token #237 — Modifies the Create Pull Request step in the same workflow; intersects with this PR’s updated PR messages using repo_url fallback.

Poem

A nibble of issues, a hop through YAML lanes,
I sniff out repo trails in texty plains.
With fallback whiskers, I won’t lose the thread—
Branches sprout neatly where URLs led.
Manifest made, I thump with glee:
“PR delivered!” — signed, a busy bunny. 🐇📜✨

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch Jiarui/smart-registry-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[qodo-merge-pro]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns Sensitive information exposure: The step "Extract repository URL from issue" echoes the entire issue body on failure, which could inadvertently log sensitive or private information included in the issue. Avoid printing the full body; log a concise error and possibly the issue URL or ID instead.

⚡ Recommended focus areas for review Possible Issue REPO_URL is used in subsequent steps assuming it is set in the shell, but the Generate manifest step only sets it via expression interpolation; verify that the variable is correctly available to the shell in all trigger paths (especially when the issues trigger is used and the extract-url step did not run or output is empty). - name: Generate manifest env: ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }} run: | REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}" python scripts/get_manifest.py "$REPO_URL" - name: Extract repo name for branch id: repo-info run: | REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}" REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-') echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT Robustness The regex for extracting the repository URL from the issue body is permissive and may capture non-repo GitHub URLs; consider constraining to owner/repo or owner/repo(.git)? patterns and trimming surrounding markdown. - name: Extract repository URL from issue id: extract-url if: github.event_name == 'issues' run: | # Extract the repository URL from the GitHub issue form # The form renders the repository field as a URL line after the label REPO_URL=$(echo '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1) if [ -z "$REPO_URL" ]; then echo "No GitHub repository URL found in issue body" echo "Issue body: ${{ github.event.issue.body }}" exit 1 fi echo "Found repository URL: $REPO_URL" echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT Logging Noise Printing the full issue body on extraction failure can create noisy logs and expose unintended data; consider omitting or redacting the body, and guiding users with a clearer error message instead. if [ -z "$REPO_URL" ]; then echo "No GitHub repository URL found in issue body" echo "Issue body: ${{ github.event.issue.body }}" exit 1

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	✅ Sanitize URL extraction and logs Suggestion Impact: The commit reduced exposure of the issue body by moving it to an environment variable and using that variable; it stopped directly echoing the GitHub context inline. However, it did not implement URL normalization or remove the error-case echo of the full body. code diff: + env: + ISSUE_BODY: ${{ github.event.issue.body }} run: | # Extract the repository URL from the GitHub issue form # The form renders the repository field as a URL line after the label - REPO_URL=$(echo '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1) + REPO_URL=$(echo "$ISSUE_BODY" | grep -oP 'https://github\.com/[^\s]+' | head -1) if [ -z "$REPO_URL" ]; then echo "No GitHub repository URL found in issue body" - echo "Issue body: ${{ github.event.issue.body }}" + echo "Issue body: $ISSUE_BODY" Avoid echoing the full issue body to logs, which may contain sensitive data. Also normalize GitHub URLs to strip trailing punctuation or .git suffix that forms often include. .github/workflows/generate-manifest.yml [46-59] - name: Extract repository URL from issue id: extract-url if: github.event_name == 'issues' run: | - # Extract the repository URL from the GitHub issue form - # The form renders the repository field as a URL line after the label - REPO_URL=$(echo '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1) + # Extract and normalize the repository URL from the issue body + RAW_URL=$(printf '%s' "${{ github.event.issue.body }}" | grep -oE 'https://github\.com/[^[:space:]]+' | head -1) + # Strip trailing punctuation and .git suffix if present + REPO_URL=$(printf '%s' "$RAW_URL" | sed 's/[),.;:]*$//' | sed 's/\.git$//') if [ -z "$REPO_URL" ]; then echo "No GitHub repository URL found in issue body" - echo "Issue body: ${{ github.event.issue.body }}" exit 1 fi echo "Found repository URL: $REPO_URL" - echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT + echo "repo_url=$REPO_URL" >> "$GITHUB_OUTPUT" [Suggestion processed] Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies and fixes a security risk by removing the logging of the full issue body, and also improves robustness by normalizing the extracted URL.	Medium
Organization best practice	Send logs to stderr Direct status messages to stderr to clearly separate diagnostics from step outputs. Replace echo with printf to >&2 for logs while keeping only the output assignment for GITHUB_OUTPUT on stdout. .github/workflows/generate-manifest.yml [46-59] - name: Extract repository URL from issue id: extract-url if: github.event_name == 'issues' run: | # Extract the repository URL from the GitHub issue form - # The form renders the repository field as a URL line after the label - REPO_URL=$(echo '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1) + REPO_URL=$(printf '%s' '${{ github.event.issue.body }}' | grep -oP 'https://github\.com/[^\s]+' | head -1) if [ -z "$REPO_URL" ]; then - echo "No GitHub repository URL found in issue body" - echo "Issue body: ${{ github.event.issue.body }}" + printf '%s\n' "No GitHub repository URL found in issue body" >&2 + printf '%s\n' "Issue body: ${{ github.event.issue.body }}" >&2 exit 1 fi - echo "Found repository URL: $REPO_URL" - echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT + printf '%s\n' "Found repository URL: $REPO_URL" >&2 + echo "repo_url=$REPO_URL" >> "$GITHUB_OUTPUT" Apply / Chat Suggestion importance[1-10]: 6 __ Why: Relevant best practice - Prefer reading logs and status from stderr when handling subprocess-like outputs to avoid mixing data with diagnostics.	Low
Update

To fix this code injection vulnerability, we should avoid interpolating untrusted input directly into the shell command using ${{ ... }}. Instead, we should assign the untrusted value to an environment variable using the env: key, and then reference it in the shell command using native shell variable syntax ($REPO_URL). This prevents shell injection because the shell will treat the value as a single argument, not as code. Specifically, in the "Generate manifest" and "Extract repo name for branch" steps, move the expression for the repository URL into the env: block, and reference it as $REPO_URL in the run: block. No additional dependencies are required.

---

To fix the code injection vulnerability, we should avoid using ${{ ... }} interpolation of untrusted input directly in the shell command. Instead, we should assign the untrusted input to an environment variable using the env: block, and then reference it using native shell syntax ("$REPO_URL") in the run: block. Specifically, in the steps "Generate manifest" and "Extract repo name for branch", move the assignment of REPO_URL to the env: block, and update the shell commands to use $REPO_URL directly. This change should be made in lines 64-68 and 72-74. No new methods or imports are needed, just a change in how the input is passed to the shell.

---

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

.github/workflows/generate-manifest.yml (2)

67-69: Fix CodeQL “code injection” finding: don’t inline expressions into shell scripts

Inlining the expression into the run script can allow command substitution at parse time if the value contains $() or backticks. Move the interpolation to the step’s env and use the variable in the script.

Apply this diff:

       - name: Generate manifest
         env:
           ANYON_API_KEY: ${{ secrets.ANYON_API_KEY }}
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
           python scripts/get_manifest.py "$REPO_URL"

Optional: Add a preceding “Validate repository URL” step to enforce the same strict regex before use. I can provide that if you want it wired in.

---

71-76: Fix CodeQL “code injection” finding and quote GITHUB_OUTPUT

Same issue here. Also, quote $GITHUB_OUTPUT and enable strict bash flags.

Apply this diff:

       - name: Extract repo name for branch
         id: repo-info
+        env:
+          REPO_URL: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
         run: |
-          REPO_URL="${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}"
+          set -Eeuo pipefail
           REPO_NAME=$(echo "$REPO_URL" | sed 's/.*github\.com[:/]//' | sed 's/\.git$//' | tr '/' '-')
-          echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
-          echo "branch_name=add-manifest-$REPO_NAME" >> $GITHUB_OUTPUT
+          echo "repo_name=$REPO_NAME" >> "$GITHUB_OUTPUT"
+          echo "branch_name=add-manifest-$REPO_NAME" >> "$GITHUB_OUTPUT"

🧹 Nitpick comments (2)

.github/workflows/generate-manifest.yml (2)

46-62: Harden URL extraction from issue body and avoid logging the entire body

Tighten the regex to avoid capturing trailing punctuation, enable strict bash mode, quote GITHUB_OUTPUT, and avoid echoing the full issue body to logs.

Apply this diff:

       - name: Extract repository URL from issue
         id: extract-url
         if: github.event_name == 'issues'
+        shell: bash
         env:
           ISSUE_BODY: ${{ github.event.issue.body }}
         run: |
+          set -Eeuo pipefail
           # Extract the repository URL from the GitHub issue form
           # The form renders the repository field as a URL line after the label
-          REPO_URL=$(echo "$ISSUE_BODY" | grep -oP 'https://github\.com/[^\s]+' | head -1)
+          REPO_URL=$(printf '%s' "$ISSUE_BODY" | grep -oE 'https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?' | head -1)
           if [ -z "$REPO_URL" ]; then
             echo "No GitHub repository URL found in issue body"
-            echo "Issue body: $ISSUE_BODY"
             exit 1
           fi
+          if ! printf '%s' "$REPO_URL" | grep -Eq '^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?/?$'; then
+            echo "Invalid GitHub repository URL: $REPO_URL"
+            exit 1
+          fi
           echo "Found repository URL: $REPO_URL"
-          echo "repo_url=$REPO_URL" >> $GITHUB_OUTPUT
+          echo "repo_url=$REPO_URL" >> "$GITHUB_OUTPUT"

---

85-86: Trim trailing spaces to satisfy YAMLlint

Remove trailing spaces on these lines to make YAMLlint happy.

Apply this diff:

-            Generated manifest JSON for repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
-            
+            Generated manifest JSON for repository: ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}
+
@@
-            
+

Also applies to: 91-91

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cabec4c and 65462f4.

📒 Files selected for processing (1)

• .github/workflows/generate-manifest.yml (3 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/generate-manifest.yml

[failure] 67-67: Code injection
Potential code injection in ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}, which may be controlled by an external user (issues).

---

[failure] 73-73: Code injection
Potential code injection in ${{ github.event.inputs.repo_url || github.event.client_payload.repo_url || steps.extract-url.outputs.repo_url }}, which may be controlled by an external user (issues).

🪛 YAMLlint (1.37.1)

.github/workflows/generate-manifest.yml

[error] 86-86: trailing spaces

(trailing-spaces)

---

[error] 91-91: trailing spaces

(trailing-spaces)

🔇 Additional comments (2)

.github/workflows/generate-manifest.yml (2)

12-13: Issues trigger added — looks correct

The new issues trigger (opened, labeled) is wired correctly and complements the existing dispatch triggers.

---

18-18: Guard condition correctly restricts to labeled “server submission” issues

The job-level if prevents execution except for issues that have the “server submission” label. Good balance vs. trigger scope.

[mcpm-semantic-release]

🎉 This PR is included in version 2.7.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀