Skip to content

Refactor the dedupe workflow by extracting a reusable workflow to opensearch-build#5319

Draft
qianheng-aws wants to merge 13 commits intoopensearch-project:mainfrom
qianheng-aws:refactor/dedupe-reusable-workflow
Draft

Refactor the dedupe workflow by extracting a reusable workflow to opensearch-build#5319
qianheng-aws wants to merge 13 commits intoopensearch-project:mainfrom
qianheng-aws:refactor/dedupe-reusable-workflow

Conversation

@qianheng-aws
Copy link
Copy Markdown
Collaborator

@qianheng-aws qianheng-aws commented Apr 7, 2026
edited
Loading

Description

Refactor the dedupe workflow by extracting a reusable workflow to opensearch-build.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@qianheng-aws
Refactor issue dedupe workflows to call reusable workflow
47a5496 
Replace inline workflow logic in all three issue dedup files with thin
callers to opensearch-project/opensearch-build/.github/workflows/issue-dedupe.yml@main.
This centralizes the dedupe logic (detect, auto-close, remove-label) into
a single reusable workflow, reducing per-repo maintenance burden.

Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Temporarily point dedupe workflows to personal fork for testing
1947407 
Point reusable workflow references to qianheng-aws/opensearch-build
branch add-issue-dedupe-workflow until the upstream PR is merged.

Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Refactor dedupe workflows to use opensearch-build reusable workflows
8b3f4c9 
- Three caller workflows now delegate to opensearch-build reusable workflows
- Remove .claude/commands/dedupe.md (prompt now lives in opensearch-build)
- Remove scripts/comment-on-duplicates.sh (logic inlined in reusable workflow)

Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Test: point dedupe detect to test-dedupe-debug branch
96d2bf5 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Point dedupe detect to PR branch for testing
1997698 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Simplify dedupe callers after reusable workflow input cleanup
9fe7c9a 
Remove redundant parameter passing — reusable workflows now derive
issue context from github.event directly.

Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Update dedupe caller to match latest reusable workflow changes
5795be0 
- Point to opensearch-project/opensearch-build@main
- Rename secret to BEDROCK_ACCESS_ROLE_ISSUE
- Add schedule trigger and auto-close job
- Remove workflow_dispatch (detect derives issue from github.event)

Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Rename dedupe workflow to remove tool-specific naming
42154ce 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Add dispatch for dedupe workflow
6eb4360 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Add workflow_dispatch support for auto-close job
4550154 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Point dedupe workflows to fork branch for testing
184012e 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 7, 2026
edited
Loading

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit e6622df.

PathLineSeverityDescription
.github/workflows/issue-dedupe.yml29criticalReusable workflow sourced from 'qianheng-aws/opensearch-build' — a personal/unofficial fork account — rather than the official 'opensearch-project/opensearch-build'. The detect job grants 'id-token: write' (OIDC) and passes 'secrets.BEDROCK_ACCESS_ROLE_ISSUE' into this external workflow, allowing the external repo owner to steal AWS credentials and impersonate the OIDC role on every new issue opened.
.github/workflows/issue-dedupe.yml29highExternal reusable workflow is pinned to a mutable branch reference '@add-issue-dedupe-workflow' rather than a specific commit SHA. The branch contents can be silently changed at any time by the 'qianheng-aws' account, enabling a persistent supply-chain attack vector.
.github/workflows/issue-dedupe.yml38highThe auto-close job also delegates to 'qianheng-aws/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@add-issue-dedupe-workflow' with 'issues: write' permission. This grants the external workflow the ability to close, label, and comment on any issue in the repository.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 1 | High: 2 | Medium: 0 | Low: 0

Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.

⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@qianheng-aws qianheng-aws added the maintenance Improves code quality, but not the product label Apr 7, 2026
@qianheng-aws
Consolidate dedupe workflows and add grace_days to auto-close
0da4d6c 
Signed-off-by: Heng Qian <qianheng@amazon.com>
@qianheng-aws
Pass grace_days to detect workflow via repo variable
e6622df 
Signed-off-by: Heng Qian <qianheng@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ps48 ps48 Awaiting requested review from ps48 ps48 will be requested when the pull request is marked ready for review ps48 is a code owner

@joshuali925 joshuali925 Awaiting requested review from joshuali925 joshuali925 will be requested when the pull request is marked ready for review joshuali925 is a code owner

@dai-chen dai-chen Awaiting requested review from dai-chen dai-chen will be requested when the pull request is marked ready for review dai-chen is a code owner

@mengweieric mengweieric Awaiting requested review from mengweieric mengweieric will be requested when the pull request is marked ready for review mengweieric is a code owner

@vamsimanohar vamsimanohar Awaiting requested review from vamsimanohar vamsimanohar will be requested when the pull request is marked ready for review vamsimanohar is a code owner

@Swiddis Swiddis Awaiting requested review from Swiddis Swiddis will be requested when the pull request is marked ready for review Swiddis is a code owner

@penghuo penghuo Awaiting requested review from penghuo penghuo will be requested when the pull request is marked ready for review penghuo is a code owner

@anirudha anirudha Awaiting requested review from anirudha anirudha will be requested when the pull request is marked ready for review anirudha is a code owner

@acarbonetto acarbonetto Awaiting requested review from acarbonetto acarbonetto will be requested when the pull request is marked ready for review acarbonetto is a code owner

@ykmr1224 ykmr1224 Awaiting requested review from ykmr1224 ykmr1224 will be requested when the pull request is marked ready for review ykmr1224 is a code owner

@LantaoJin LantaoJin Awaiting requested review from LantaoJin LantaoJin will be requested when the pull request is marked ready for review LantaoJin is a code owner

@noCharger noCharger Awaiting requested review from noCharger noCharger will be requested when the pull request is marked ready for review noCharger is a code owner

@yuancu yuancu Awaiting requested review from yuancu yuancu will be requested when the pull request is marked ready for review yuancu is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 will be requested when the pull request is marked ready for review RyanL1997 is a code owner

@ahkcs ahkcs Awaiting requested review from ahkcs ahkcs will be requested when the pull request is marked ready for review ahkcs is a code owner

@songkant-aws songkant-aws Awaiting requested review from songkant-aws songkant-aws will be requested when the pull request is marked ready for review songkant-aws is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

maintenance Improves code quality, but not the product

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@qianheng-aws