
Refactor the dedupe workflow by extracting a reusable workflow to opensearch-build#5319

Merged
peterzhuamazon merged 14 commits intoopensearch-project:mainfrom
qianheng-aws:refactor/dedupe-reusable-workflow
Apr 9, 2026

Conversation

@qianheng-aws
Collaborator

@qianheng-aws qianheng-aws commented Apr 7, 2026

Description

Refactor the dedupe workflow by extracting a reusable workflow to opensearch-build.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Replace inline workflow logic in all three issue dedup files with thin
callers to opensearch-project/opensearch-build/.github/workflows/issue-dedupe.yml@main.
This centralizes the dedupe logic (detect, auto-close, remove-label) into
a single reusable workflow, reducing per-repo maintenance burden.

Signed-off-by: Heng Qian <qianheng@amazon.com>
Point reusable workflow references to qianheng-aws/opensearch-build
branch add-issue-dedupe-workflow until the upstream PR is merged.

Signed-off-by: Heng Qian <qianheng@amazon.com>
- Three caller workflows now delegate to opensearch-build reusable workflows
- Remove .claude/commands/dedupe.md (prompt now lives in opensearch-build)
- Remove scripts/comment-on-duplicates.sh (logic inlined in reusable workflow)

Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Remove redundant parameter passing — reusable workflows now derive
issue context from github.event directly.

Signed-off-by: Heng Qian <qianheng@amazon.com>
- Point to opensearch-project/opensearch-build@main
- Rename secret to BEDROCK_ACCESS_ROLE_ISSUE
- Add schedule trigger and auto-close job
- Remove workflow_dispatch (detect derives issue from github.event)

Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
@github-actions
Contributor

github-actions bot commented Apr 7, 2026

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 975083f.

| Path | Line | Severity | Description |
|---|---|---|---|
| .github/workflows/issue-dedupe.yml | 30 | high | Reusable workflow from external org 'opensearch-project/opensearch-build' is pinned to '@main' — a mutable reference. Any push to that branch can silently alter the code executed in this repo's CI, enabling supply chain compromise. |
| .github/workflows/issue-dedupe.yml | 35 | high | AWS IAM role secret 'BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE' is forwarded to an externally-controlled reusable workflow ('opensearch-project/opensearch-build'). If that repo is compromised or the @main ref is replaced, the secret could be exfiltrated and used to access AWS resources. |
| .github/workflows/issue-dedupe.yml | 41 | high | Second external reusable workflow 'opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main' also uses a mutable '@main' reference with 'issues: write' permissions, allowing an attacker who controls that repo to arbitrarily open, close, or modify issues in this repository. |

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 3 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
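As an added example (not the project's code and not part of this PR), a small checker that implements the analyzer's first finding as a repeatable test: it walks a constructed caller workflow of the shape this PR introduces and reports every `uses:` reference whose ref is a branch or tag rather than a full commit SHA, noting when the same job also forwards secrets to that target. It goes slightly beyond the finding by also covering step-level `uses:`. The sample workflow, the regex-based line scanning and the `./` local-workflow exclusion are assumptions of this example; a production linter would parse the YAML properly.

```python
import re

# Constructed sample (not the repository's actual file): a thin caller of the
# shape this PR introduces, with both reusable workflows referenced by branch.
SAMPLE_WORKFLOW = """\
name: Issue dedupe
on: issues
jobs:
  detect:
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
    permissions:
      issues: write
      id-token: write
    secrets:
      BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
  auto-close:
    uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
    permissions:
      issues: write
"""

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")       # job key directly under `jobs:`
USES_RE = re.compile(r"^\s*(?:- )?uses:\s*([^\s#]+)")  # job-level or step-level `uses:`
SECRETS_RE = re.compile(r"^    secrets:")              # job-level `secrets:` block
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # only a full commit SHA is immutable

def find_mutable_refs(workflow_text: str) -> list:
    """Return (job, target, ref, forwards_secrets) for each non-SHA `uses:` under `jobs:`."""
    jobs, in_jobs, job = {}, False, None
    for line in workflow_text.splitlines():
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif in_jobs and (m := JOB_RE.match(line)):
            job = m.group(1)
            jobs[job] = {"uses": [], "secrets": False}
        elif in_jobs and job and SECRETS_RE.match(line):
            jobs[job]["secrets"] = True            # secrets are handed to whatever this job calls
        elif in_jobs and job and (m := USES_RE.match(line)) and not m.group(1).startswith("./"):
            jobs[job]["uses"].append(m.group(1))   # same-repo `./` workflows are not external
    findings = []
    for name, info in jobs.items():
        for val in info["uses"]:
            target, at, ref = val.rpartition("@")
            if not at:                              # no ref at all resolves to the default branch
                target, ref = val, "<none>"
            if not SHA_RE.match(ref):
                findings.append((name, target, ref, info["secrets"]))
    return findings
```

A finding with `forwards_secrets` true is the pairing the analyzer rated high: a secret sent to code that any push to the referenced branch can change.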

@qianheng-aws qianheng-aws added the maintenance Improves code quality, but not the product label Apr 7, 2026
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
Signed-off-by: Heng Qian <qianheng@amazon.com>
@peterzhuamazon peterzhuamazon added the skip-diff-analyzer Maintainer to skip code-diff-analyzer check, after reviewing issues in AI analysis. label Apr 9, 2026
@github-actions
Contributor

github-actions bot commented Apr 9, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 No security concerns identified
✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

Unmerged Dependency

The PR description explicitly states this workflow depends on an unmerged upstream PR (opensearch-project/opensearch-build#6092). The reusable workflows referenced at opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main and issue-dedupe-autoclose.yml@main may not yet exist on the main branch, which would cause this workflow to fail immediately upon merge.

```yaml
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-detect.yml@main
  permissions:
    contents: read
    issues: write
    id-token: write
  secrets:
    BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
  with:
    issue_number: ${{ inputs.issue_number || '' }}
    grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}

auto-close:
  if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.job == 'auto-close')
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
  permissions:
    issues: write
  with:
    grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}
```
Missing Permission

The auto-close job only declares issues: write permission, but closing/labeling issues as duplicates may also require contents: read depending on the reusable workflow's needs. Verify the reusable workflow issue-dedupe-autoclose.yml does not require additional permissions that are not passed here.

```yaml
auto-close:
  if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.job == 'auto-close')
  uses: opensearch-project/opensearch-build/.github/workflows/issue-dedupe-autoclose.yml@main
  permissions:
    issues: write
  with:
    grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}
```

@github-actions
Contributor

github-actions bot commented Apr 9, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Pass correct issue number on issue open event

When the workflow is triggered by an issues event (a new issue opened),
inputs.issue_number will be empty and the expression inputs.issue_number || '' will
pass an empty string to the reusable workflow. The actual issue number from the
event (github.event.issue.number) should be used as the fallback so the detect job
processes the newly opened issue correctly.

.github/workflows/issue-dedupe.yml [34-35]

 with:
-  issue_number: ${{ inputs.issue_number || '' }}
+  issue_number: ${{ inputs.issue_number || github.event.issue.number || '' }}
   grace_days: ${{ vars.DUPLICATE_GRACE_DAYS || '7' }}
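Review bot: the proposed fallback chain still ends in `|| ''`, so when neither a dispatch input nor an `issues` event supplies a number the detect job is called with an empty `issue_number` rather than failing. The commit message in this PR states that the reusable workflow now derives the issue from `github.event` itself, so first confirm the input is still needed; if it is, drop the empty-string fallback or guard the job with `if: github.event.issue` so an empty value can never reach the called workflow.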
Suggestion importance[1-10]: 7


Why: When triggered by an issues event, inputs.issue_number is empty, so the detect job would receive an empty string instead of the actual issue number. Adding github.event.issue.number as a fallback ensures the newly opened issue is correctly processed.

Impact: Medium

Category: General
Verify secret name consistency across workflows

The secret name has changed from BEDROCK_ACCESS_ROLE (used in the old workflow) to
BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE. If the reusable workflow in opensearch-build
expects a specific secret name, or if the repository secret is still named
BEDROCK_ACCESS_ROLE, this mismatch will cause the detect job to fail silently or
error. Verify that the secret name in the repository settings and the reusable
workflow's secrets declaration both match BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE.

.github/workflows/issue-dedupe.yml [32-33]

+secrets:
+  BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE: ${{ secrets.BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE }}
 
-
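Review bot: the `+secrets:` lines are not a change the author can apply, since the only removal in the hunk is an empty line; the point worth acting on is the block's effect. It hands `BEDROCK_ACCESS_ROLE_ISSUE_DEDUPE` to a workflow referenced at `@main`, exactly the pairing the Code Analyzer rated high earlier in this thread. Pin the `uses:` line to a full commit SHA (keep the branch name in a trailing comment for readability) before forwarding the secret, and check that the called workflow declares the same name under `on.workflow_call.secrets` so a mismatch is rejected at workflow validation rather than surfacing as a silent failure in the detect job.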
Suggestion importance[1-10]: 2


Why: The existing_code and improved_code are identical, making this a verification suggestion rather than an actual code change. It only asks the user to confirm the secret name matches, which is a valid concern but not an actionable code fix.

Impact: Low

@peterzhuamazon peterzhuamazon merged commit f7f431d into opensearch-project:main Apr 9, 2026
39 of 40 checks passed