feat(ci): add automated Epic documentation audit workflow by jdcmsd · Pull Request #36294 · dotCMS/core

jdcmsd · 2026-06-23T20:42:08Z

This resolves #36293 by adding an automation that hopefully works. Testing on core-workflow-repo seemed entirely promising, so hopefully the change of environment won't add any complications!

All secrets (AUTODOC_*) have already been provisioned by moi.

This PR fixes: #36293

github-actions · 2026-06-23T20:46:48Z

🤖 Bedrock Review — `us.deepseek.r1-v1:0`

New Issues

🔴 Critical: .github/workflows/issue_autodoc.yml:119 — Finalize step commits changes but never pushes them (local commit will be lost after job ends)
🟠 High: .github/workflows/issue_autodoc.yml:44 — jq query fails when issue has no parent (parent is null), breaking preflight check for non-Epic issues
🟠 High: .github/workflows/issue_autodoc.yml:70 — Missing contents: write permission (needed to push doc changes in finalize step)
🟡 Medium: .github/workflows/issue_autodoc.yml:103 — Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)

_{Run: #28055682450 · tokens: in: 2428 · out: 1767 · total: 4195}

claude · 2026-06-23T20:47:37Z

Claude finished @jdcmsd's task in 1m 25s —— View job

Rollback Safety Analysis

Result: ✅ Safe to Roll Back

This PR adds a single GitHub Actions workflow file (.github/workflows/issue_autodoc.yml) with no changes to Java code, database schema, Elasticsearch mappings, content models, REST/GraphQL contracts, or any OSGi interfaces.

Checked against all 13 rollback-unsafe categories (C-1 through M-4): none apply. Rolling back this change simply removes the workflow — no application state, database state, or index state is affected.

Label AI: Safe To Rollback has been applied.

Replace uv/Python-script-based eval and finalize steps with: - Python3 stdlib context assembly using gh CLI and grep - Shell finalize using gh issue comment, curl for dotCMS API, and git commit/push - prompts/burlap.txt read directly via cat (no YAML parsing) - Fix jq null parent bug in preflight guard Eliminates dependency on dotcms-aios PR merge order.

github-actions · 2026-06-23T21:21:34Z

🤖 Bedrock Review — `us.deepseek.r1-v1:0`

null

_{Run: #28057893300 · tokens: in: 4830 · out: 2044 · total: 6874}

github-actions · 2026-06-23T21:26:34Z

🤖 Bedrock Review — `us.deepseek.r1-v1:0`

null

_{Run: #28058153839 · tokens: in: 4830 · out: 2048 · total: 6878}

- Fix -f → -F on gh api PATCH so the file is read, not sent literally - Prepend  marker in finalize before posting so idempotent edit lookup works (marker was not in the report itself) - Add --paginate to comment lookup to search beyond the first page - Use jq first // empty instead of | head -1 to avoid SIGPIPE - Fix urlTitle awk to use sub() consistent with title/tags/seoDescription - Remove -k (TLS bypass); add --fail-with-body to dotCMS curl calls - Add comment clarifying AUTODOC_DOTCMS_API_TOKEN_AISEARCH is used by the Claude subprocess via burlap.txt, not directly by a workflow step

github-actions · 2026-06-24T12:27:38Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

#### New Issues
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — `git commit` uses `|| true` to suppress failure, but `git push` follows unconditionally — if commit fails (e.g., no changes, network, permission), push still runs and may fail or push stale state; this breaks replay safety and causes inconsistent repo state
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:249` — `curl` to dotCMS API uses `$URL_TITLE` directly in JSON query string without escaping — SQL injection risk via malicious URL title (e.g., `" OR 1=1 --`) — `DotConnect.addParam()` required, not string interpolation
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:266` — `curl` to dotCMS API uses `$IDENTIFIER` directly in URL path — unvalidated input in HTTP endpoint — potential path traversal or injection if identifier contains malicious characters
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — `git push` runs without any auth or network timeout — if network fails mid-push, workflow continues silently; no retry, no rollback, no error handling — high blast radius for repo corruption
- 🟠 High: `.github/workflows/issue_autodoc.yml:198` — `awk` extracts `urlTitle` from report without validating format or length — if malformed, dotCMS API may reject or create invalid content, but failure is silent
- 🟠 High: `.github/workflows/issue_autodoc.yml:218` — `awk` extracts `title`, `tags`, `seoDescription` without validation — empty or malformed values may cause dotCMS API to reject request, but no fallback or error logging
- 🟠 High: `.github/workflows/issue_autodoc.yml:278` — `git push` without branch specification — assumes default branch, but workflow runs on detached HEAD after checkout — may push to wrong branch or fail silently
- 🟡 Medium: `.github/workflows/issue_autodoc.yml:119` — Installs global npm package `@anthropic-ai/claude-code` without version pinning (security risk from untrusted package updates) — still present from prior finding

#### Existing
- 🟡 Medium: `.github/workflows/issue_autodoc.yml:103` — Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates) — still present from prior finding

#### Resolved
- ✅ `.github/workflows/issue_autodoc.yml:119` — Prior finding about missing push was addressed by adding `git push`, but introduced new critical flaws — now resolved as original issue is superseded
- ✅ `.github/workflows/issue_autodoc.yml:44` — Prior finding about `parent` being null is irrelevant — this PR introduces a new workflow, not modifying the prior one
- ✅ `.github/workflows/issue_autodoc.yml:70` — Prior finding about missing write permission is resolved — this PR correctly sets `contents: read` and `issues: write` as needed

<!-- dotcms-review-findings:[{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:278","desc":"git commit uses || true and git push runs unconditionally — breaks replay safety and may push stale or corrupted state"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:249","desc":"Unescaped $URL_TITLE used in curl JSON query — SQL injection risk via malicious title"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:266","desc":"Unvalidated $IDENTIFIER used in dotCMS API URL — potential injection or path traversal"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:278","desc":"git push runs without timeout, retry, or error handling — high blast radius for repo corruption"},{"sev":"🟠 High","loc":".github/workflows/issue_autodoc.yml:198","desc":"urlTitle extracted via awk without validation — silent failure on malformed input"},{"sev":"🟠 High","loc":".github/workflows/issue_autodoc.yml:218","desc":"title, tags, seoDescription extracted via awk without validation — silent API rejection risk"},{"sev":"🟠 High","loc":".github/workflows/issue_autodoc.yml:278","desc":"git push runs without branch specification — may push to wrong branch on detached HEAD"},{"sev":"🟡 Medium","loc":".github/workflows/issue_autodoc.yml:119","desc":"Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)"}] -->

_{Run: #28098358004 · tokens: in: 4664 · out: 1063 · total: 5727}

- Make git push conditional on commit succeeding (|| true was causing unconditional push even when there was nothing new to commit) - Add git push origin HEAD for explicit branch targeting - Validate urlTitle is a URL slug before interpolating into JSON query (non-slug chars would break the shell-built -d payload) - Validate IDENTIFIER matches UUID format before placing in URL - Add comment on unpinned npm install explaining the tradeoff

github-actions · 2026-06-24T12:34:35Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

#### New Issues
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:218` — Unescaped `$URL_TITLE` used in curl JSON query — SQL injection risk via malicious title
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:225` — Unvalidated `$IDENTIFIER` used in dotCMS API URL — potential injection or path traversal
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — git push runs without timeout, retry, or error handling — high blast radius for repo corruption
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — git push runs without branch specification — may push to wrong branch on detached HEAD
- 🟠 High: `.github/workflows/issue_autodoc.yml:198` — urlTitle extracted via awk without validation — silent failure on malformed input
- 🟠 High: `.github/workflows/issue_autodoc.yml:218` — title, tags, seoDescription extracted via awk without validation — silent API rejection risk
- 🟡 Medium: `.github/workflows/issue_autodoc.yml:119` — Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)

#### Existing
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — git commit uses || true and git push runs unconditionally — breaks replay safety and may push stale or corrupted state
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:249` — Unescaped $URL_TITLE used in curl JSON query — SQL injection risk via malicious title
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:266` — Unvalidated $IDENTIFIER used in dotCMS API URL — potential injection or path traversal
- 🔴 Critical: `.github/workflows/issue_autodoc.yml:278` — git push runs without timeout, retry, or error handling — high blast radius for repo corruption
- 🟠 High: `.github/workflows/issue_autodoc.yml:198` — urlTitle extracted via awk without validation — silent failure on malformed input
- 🟠 High: `.github/workflows/issue_autodoc.yml:218` — title, tags, seoDescription extracted via awk without validation — silent API rejection risk
- 🟠 High: `.github/workflows/issue_autodoc.yml:278` — git push runs without branch specification — may push to wrong branch on detached HEAD
- 🟡 Medium: `.github/workflows/issue_autodoc.yml:119` — Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)

#### Resolved
- ✅ `.github/workflows/issue_autodoc.yml:249` — URL_TITLE now validated with grep regex before use
- ✅ `.github/workflows/issue_autodoc.yml:266` — IDENTIFIER now validated with UUID regex before use

<!-- dotcms-review-findings:[{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:218","desc":"Unescaped $URL_TITLE used in curl JSON query — SQL injection risk via malicious title"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:225","desc":"Unvalidated $IDENTIFIER used in dotCMS API URL — potential injection or path traversal"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:278","desc":"git push runs without timeout, retry, or error handling — high blast radius for repo corruption"},{"sev":"🔴 Critical","loc":".github/workflows/issue_autodoc.yml:278","desc":"git push runs without branch specification — may push to wrong branch on detached HEAD"},{"sev":"🟠 High","loc":".github/workflows/issue_autodoc.yml:198","desc":"urlTitle extracted via awk without validation — silent failure on malformed input"},{"sev":"🟠 High","loc":".github/workflows/issue_autodoc.yml:218","desc":"title, tags, seoDescription extracted via awk without validation — silent API rejection risk"},{"sev":"🟡 Medium","loc":".github/workflows/issue_autodoc.yml:119","desc":"Installs global npm package @anthropic-ai/claude-code without version pinning (security risk from untrusted package updates)"}] -->

_{Run: #28098738596 · tokens: in: 5077 · out: 995 · total: 6072}

jdcmsd · 2026-06-24T12:39:10Z

Claude's roasting this bedrock review:

This one is the reviewer losing track of its own state, not new problems.

Look at the "Resolved" section — it correctly acknowledges that URL_TITLE and IDENTIFIER validation were fixed. Then in "New Issues" it flags the exact same concerns at lines 218 and 225, which are just the shifted line numbers of the same curl command and the same UUID check — both of which now sit after the validation guards we added. The reviewer saw the guards fix the old line numbers (249/266 → resolved) but then re-flagged the code they guard as if it were fresh unprotected code.

Same story for git push: we changed || true + unconditional push to a conditional if git commit; then git push origin HEAD; fi. The reviewer marks both the || true and the branch-spec concerns as "existing" — i.e. it doesn't recognize the fix — while simultaneously flagging them as new. It's reading the file inconsistently across the two passes.

The "git push without timeout/retry → repo corruption" finding has always been noise. A failed git push fails the step. Nothing corrupts.

Nothing in this report requires a code change. The only open item across all the reviews is npm version pinning, which we consciously chose to address with a comment rather than pinning to a stale version. If the team has a formal policy requiring pinned versions in workflow files, that's the one thing worth revisiting — but it's a policy call, not a bug.

Rewrites the `issue_autodoc.yml` workflow to eliminate the `uv` / Python-script dependency, making it self-contained. **What changed:** - Removed: `Set up uv`, `Install autodoc dependencies`, `uv run python finalize.py` steps - Build eval context: Python3 stdlib + `gh` CLI in a heredoc (no pip, no venv) - Run Claude: unchanged — `claude --print --allowedTools Bash,Write < /tmp/eval_context.md` - Finalize: pure shell + inline Python3 heredocs for JSON payloads; `gh issue comment` for posting; `curl` for dotCMS EDIT/NEW; `git push` for committing - Fixed jq null-parent bug in preflight guard - Reads `prompts/burlap.txt` directly (no YAML parsing) This mirrors the change in `dotCMS/core` PR dotCMS#36294 and resolves the ordering dependency on the dotcms-aios PR.

github-actions · 2026-06-24T16:33:24Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

New Issues

🔴 Critical: .github/workflows/issue_autodoc.yml:187 — Unescaped $URL_TITLE interpolated directly into Elasticsearch JSON query string — risk of query injection via malicious URL title (e.g., \" OR 1=1 --)
🔴 Critical: .github/workflows/issue_autodoc.yml:227 — Unescaped $URL_TITLE, $TITLE, $TAGS, $SEO injected into JSON payload without escaping — JSON injection risk if values contain quotes or control characters
🔴 Critical: .github/workflows/issue_autodoc.yml:248 — curl to /api/v1/workflow/actions/default/fire/EDIT with $IDENTIFIER in URL path — no validation that identifier is a valid UUID before use; potential path traversal or enumeration if malformed
🔴 Critical: .github/workflows/issue_autodoc.yml:264 — curl to /api/v1/workflow/actions/default/fire/NEW with unvalidated $URL_TITLE in payload — allows arbitrary contentlet creation with attacker-controlled URL title
🟠 High: .github/workflows/issue_autodoc.yml:160 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
🟠 High: .github/workflows/issue_autodoc.yml:181 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
🟠 High: .github/workflows/issue_autodoc.yml:222 — curl to /api/es/search with Authorization header but no timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:108 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates (assumption: no internal policy requires pinning; what to verify: does dotCMS have a supply-chain policy for npm packages?)
🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without branch specification — may push to wrong branch on detached HEAD (assumption: workflow runs on default branch; what to verify: is actions/checkout using ref or default branch?)
🟡 Medium: .github/workflows/issue_autodoc.yml:248 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟡 Medium: .github/workflows/issue_autodoc.yml:264 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle

Existing

🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without timeout, retry, or error handling — high blast radius for repo corruption (still present; unchanged)

Resolved

✅ .github/workflows/issue_autodoc.yml:218 — Previously flagged for unescaped $URL_TITLE in curl JSON; now has validation check — but still vulnerable to injection in the actual query (see 🔴 Critical above)
✅ .github/workflows/issue_autodoc.yml:225 — Previously flagged for unvalidated $IDENTIFIER in URL; now has UUID regex check — but still lacks validation of identifier existence or ownership (see 🔴 Critical above)

_{Run: #28113813582 · tokens: in: 5072 · out: 1401 · total: 6473}

Report lives as an issue comment — the repo copy is redundant. Removing the push also drops the write-scope requirement on AUTODOC_AIOS_CI.

github-actions · 2026-06-24T16:38:52Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

New Issues

🔴 Critical: .github/workflows/issue_autodoc.yml:187 — Unescaped $URL_TITLE interpolated directly into Elasticsearch JSON query string — risk of query injection via malicious URL title
🔴 Critical: .github/workflows/issue_autodoc.yml:227 — Unescaped $URL_TITLE, $TITLE, $TAGS, $SEO injected into JSON payload without escaping — JSON injection risk if values contain quotes or control characters
🔴 Critical: .github/workflows/issue_autodoc.yml:248 — curl to /api/v1/workflow/actions/default/fire/EDIT with $IDENTIFIER in URL path — no validation that identifier is a valid UUID before use
🔴 Critical: .github/workflows/issue_autodoc.yml:264 — curl to /api/v1/workflow/actions/default/fire/NEW with unvalidated $URL_TITLE in payload — allows arbitrary contentlet creation with attacker-controlled URL title
🟠 High: .github/workflows/issue_autodoc.yml:160 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
🟠 High: .github/workflows/issue_autodoc.yml:181 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
🟠 High: .github/workflows/issue_autodoc.yml:222 — curl to /api/es/search with Authorization header but no timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:108 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates
🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without branch specification — may push to wrong branch on detached HEAD
🟡 Medium: .github/workflows/issue_autodoc.yml:248 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟡 Medium: .github/workflows/issue_autodoc.yml:264 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle
🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without timeout, retry, or error handling — high blast radius for repo corruption

Existing

🟡 Medium: .github/workflows/issue_autodoc.yml:108 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates
🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without branch specification — may push to wrong branch on detached HEAD
🟡 Medium: .github/workflows/issue_autodoc.yml:248 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟡 Medium: .github/workflows/issue_autodoc.yml:264 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle
🟡 Medium: .github/workflows/issue_autodoc.yml:278 — git push runs without timeout, retry, or error handling — high blast radius for repo corruption

Resolved

✅ .github/workflows/issue_autodoc.yml:187 — Previously flagged as unescaped $URL_TITLE in Elasticsearch query; now explicitly escaped with \"$URL_TITLE\" — but still vulnerable to injection via malformed input (see 🔴 Critical above)
✅ .github/workflows/issue_autodoc.yml:227 — Previously flagged as unescaped $URL_TITLE, $TITLE, $TAGS, $SEO; now escaped with \"$VAR\" in JSON — but still vulnerable to injection via malformed input (see 🔴 Critical above)
✅ .github/workflows/issue_autodoc.yml:248 — Previously flagged as unvalidated $IDENTIFIER in URL path; now validated with grep UUID regex — but validation occurs after curl call, so race condition remains (see 🔴 Critical above)
✅ .github/workflows/issue_autodoc.yml:264 — Previously flagged as unvalidated $URL_TITLE in NEW payload; now validated with slug regex — but validation occurs after Python payload generation and curl (see 🔴 Critical above)

_{Run: #28114127858 · tokens: in: 5223 · out: 1648 · total: 6871}

Embed burlap.txt content directly in the workflow as a heredoc step. Update report path to /tmp — report is ephemeral, lives as issue comment. dotcms-aios checkout now solely serves vault epic context lookup.

github-actions · 2026-06-24T16:59:41Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

New Issues

🔴 Critical: .github/workflows/issue_autodoc.yml:264 — Unescaped $URL_TITLE interpolated directly into Elasticsearch JSON query string — risk of query injection via malicious URL title
🔴 Critical: .github/workflows/issue_autodoc.yml:278 — Unescaped $URL_TITLE, $TITLE, $TAGS, $SEO injected into JSON payload without escaping — JSON injection risk if values contain quotes or control characters
🔴 Critical: .github/workflows/issue_autodoc.yml:292 — curl to /api/v1/workflow/actions/default/fire/EDIT with $IDENTIFIER in URL path — no validation that identifier is a valid UUID before use
🔴 Critical: .github/workflows/issue_autodoc.yml:315 — curl to /api/v1/workflow/actions/default/fire/NEW with unvalidated $URL_TITLE in payload — allows arbitrary contentlet creation with attacker-controlled URL title
🟠 High: .github/workflows/issue_autodoc.yml:248 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
🟠 High: .github/workflows/issue_autodoc.yml:250 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
🟠 High: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟠 High: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle
🟡 Medium: .github/workflows/issue_autodoc.yml:147 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates
🟡 Medium: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:335 — git push runs without branch specification — may push to wrong branch on detached HEAD

Existing

🟡 Medium: .github/workflows/issue_autodoc.yml:248 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
🟡 Medium: .github/workflows/issue_autodoc.yml:250 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
🟡 Medium: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟡 Medium: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle

Resolved

✅ .github/workflows/issue_autodoc.yml:264 — Added slug validation before use in JSON query (but still vulnerable to injection via unescaped interpolation)
✅ .github/workflows/issue_autodoc.yml:292 — Added UUID regex check before using identifier in URL (but still vulnerable to injection via unescaped interpolation)

_{Run: #28115102655 · tokens: in: 6330 · out: 1433 · total: 7763}

- Add conservatism clause to prompt: if Epic lacks technical detail, set action none rather than hallucinating a draft - Restore <details> wrapping of doc draft in issue comment (was lost when post_report.py was replaced with inline shell)

github-actions · 2026-06-24T17:14:29Z

🤖 Bedrock Review — `qwen.qwen3-next-80b-a3b`

New Issues

🔴 Critical: .github/workflows/issue_autodoc.yml:292 — Unescaped $URL_TITLE interpolated directly into Elasticsearch JSON query string — risk of query injection via malicious URL title
🔴 Critical: .github/workflows/issue_autodoc.yml:315 — Unescaped $URL_TITLE, $TITLE, $TAGS, $SEO injected into JSON payload without escaping — JSON injection risk if values contain quotes or control characters
🔴 Critical: .github/workflows/issue_autodoc.yml:292 — curl to /api/v1/workflow/actions/default/fire/EDIT with $IDENTIFIER in URL path — no validation that identifier is a valid UUID before use
🔴 Critical: .github/workflows/issue_autodoc.yml:315 — curl to /api/v1/workflow/actions/default/fire/NEW with unvalidated $URL_TITLE in payload — allows arbitrary contentlet creation with attacker-controlled URL title
🟠 High: .github/workflows/issue_autodoc.yml:248 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
🟠 High: .github/workflows/issue_autodoc.yml:250 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
🟠 High: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
🟠 High: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle
🟡 Medium: .github/workflows/issue_autodoc.yml:147 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates
🟡 Medium: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:335 — git push runs without branch specification — may push to wrong branch on detached HEAD

Existing

🟡 Medium: .github/workflows/issue_autodoc.yml:147 — Installs global npm package @anthropic-ai/claude-code without version pinning — security risk from untrusted package updates
🟡 Medium: .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without timeout — request may hang indefinitely, blocking workflow
🟡 Medium: .github/workflows/issue_autodoc.yml:335 — git push runs without branch specification — may push to wrong branch on detached HEAD

Resolved

✅ .github/workflows/issue_autodoc.yml:264 — Unescaped $URL_TITLE interpolated directly into Elasticsearch JSON query string — risk of query injection via malicious URL title
✅ .github/workflows/issue_autodoc.yml:278 — Unescaped $URL_TITLE, $TITLE, $TAGS, $SEO injected into JSON payload without escaping — JSON injection risk if values contain quotes or control characters
✅ .github/workflows/issue_autodoc.yml:292 — curl to /api/v1/workflow/actions/default/fire/EDIT with $IDENTIFIER in URL path — no validation that identifier is a valid UUID before use
✅ .github/workflows/issue_autodoc.yml:315 — curl to /api/v1/workflow/actions/default/fire/NEW with unvalidated $URL_TITLE in payload — allows arbitrary contentlet creation with attacker-controlled URL title
✅ .github/workflows/issue_autodoc.yml:248 — grep -rl output used without checking for multiple matches — may select wrong vault file if multiple exist
✅ .github/workflows/issue_autodoc.yml:250 — awk extraction of urlTitle uses sub() but does not validate presence — silent failure if key missing, leading to ACTION=update with empty URL_TITLE
✅ .github/workflows/issue_autodoc.yml:292 — curl PUT to EDIT endpoint without idempotency guard — retry or double-click may trigger duplicate content updates
✅ .github/workflows/issue_autodoc.yml:315 — curl PUT to NEW endpoint without idempotency guard — duplicate runs may create multiple contentlets with same urlTitle

_{Run: #28116230443 · tokens: in: 6597 · out: 1703 · total: 8300}

fmontes · 2026-06-25T15:07:06Z

+  preflight:
+    name: Determine whether to run
+    if: |
+      contains(github.event.issue.labels.*.name, 'Epic') ||


We don't use the label "epic" we use "type"

Good call, I only noticed the Epic in the labels, not that it's in both.

fmontes · 2026-06-25T15:07:39Z

+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+          HAS_EPIC: ${{ contains(github.event.issue.labels.*.name, 'Epic') }}


Same here... we use type.

fmontes · 2026-06-25T15:08:15Z

+          REPO: ${{ github.repository }}
+          HAS_EPIC: ${{ contains(github.event.issue.labels.*.name, 'Epic') }}
+        run: |
+          if [ "$HAS_EPIC" = "true" ]; then


Also I am not sure that only EPICs needs this to run... what happen when we just fixed a but or did a task that requires doc update?

That's where this comes in:

The gist is:

If it's Epic, then it's non-negotiable, it's getting the full review.

If it has one of the Needs Doc labels, then it will receive the doc review if it is NOT the sub-task of an Epic, since then it'll be covered when the Epic finishes anyway.

So, yes, any other tasks that require doc updates just need to have the Doc : Needs Doc or the Changelog: Needs Doc label when they're closed. Or, if the label is added after closing, then it just needs to be reopened and reclosed.

fmontes · 2026-06-25T15:14:50Z

+      - name: Install Claude Code CLI
+        # Version is unpinned intentionally — claude-code updates frequently and
+        # the package is published by Anthropic. Pin if supply-chain policy requires it.
+        run: npm install -g @anthropic-ai/claude-code


We need to use what @sfreudenthaler put together in Amazon Bedrock to be able to swap models... we can copy the approach from here:

core/.github/workflows/ai_claude-orchestrator.yml

Line 85 in 0e20062

uses: dotCMS/ai-workflows/.github/workflows/claude-orchestrator.yml@v3

Thanks, I'll have Claude refer to it.

fmontes · 2026-06-25T15:16:40Z

+      - name: Run Claude
+        run: claude --print --allowedTools Bash,Write < /tmp/eval_context.md
+
+      - name: Post comment, apply to dotCMS, commit report


we should split this into 3 steps for easier auditing.

adding automation to automate documentation drafting

8826d41

jdcmsd requested a review from a team as a code owner June 23, 2026 20:42

github-project-automation Bot added this to dotCMS - Product Planning Jun 23, 2026

github-actions Bot added the Area : CI/CD PR changes GitHub Actions/workflows label Jun 23, 2026

claude Bot added the AI: Safe To Rollback label Jun 23, 2026

github-actions Bot mentioned this pull request Jun 23, 2026

Add autodoc CI automation #36293

Open

1 task

github-actions Bot removed the AI: Safe To Rollback label Jun 23, 2026

claude Bot added the AI: Safe To Rollback label Jun 23, 2026

Merge branch 'main' into autodoc-action-addition

3d19583

github-actions Bot removed the AI: Safe To Rollback label Jun 23, 2026

claude Bot added the AI: Safe To Rollback label Jun 23, 2026

jdcmsd mentioned this pull request Jun 24, 2026

autodoc: rewrite workflow to be self-contained (no uv) dotCMS/core-workflow-test#495

Merged

github-actions Bot removed the AI: Safe To Rollback label Jun 24, 2026