feat: Add explicit encode and decode email commands, validate when issue opened

Author: jcfr

.github/actions/encode-decode-string/action.yml

@@ -0,0 +1,50 @@
+name: "Encode or decode string"
+description: "Encode or decode string"
+inputs:
+  input_string:
+    description: "String to encode or decode"
+    required: true
+  encryption_key:
+    description: "Encryption key used for encoding or decoding"
+    required: true
+  operation:
+    description: Operation to perform 'decode' or 'encode'
+    required: true
+  skip:
+    description: Whether to skip the selected operation.
+    default: "false"
+outputs:
+  output_string:
+    description:
+      "Encoded or decoded string. If skip is true, set to input string."
+    value: ${{ steps.encode_decode.outputs.output_string }}
+runs:
+  using: "composite"
+  steps:
+    - name: "Encode or decode string"
+      id: encode_decode
+      shell: bash
+      run: |
+        if [[ ! $SKIP =~ ^(false|true)$  ]]; then
+          echo "::error ::Invalid skip value '$SKIP'. Supported values are 'true' or 'false'"
+          exit 1
+        fi
+        if [[ ! $OPERATION =~ ^(encode|decode)$  ]]; then
+          echo "::error ::Invalid operation value '$OPERATION'. Supported values are 'encode' or 'decode'"
+          exit 1
+        fi
+        if [[ $SKIP == "false" ]]; then
+          if [[ $OPERATION == "encode" ]]; then
+            output_string=$(echo "$INPUT_STRING" | openssl enc -base64 -e -aes-256-cbc -salt -pass pass:$ENCRYPTION_KEY -pbkdf2)
+          else
+            output_string=$(echo "$INPUT_STRING" | openssl enc -base64 -d -aes-256-cbc -salt -pass pass:$ENCRYPTION_KEY -pbkdf2)
+          fi
+        else
+          output_string=$INPUT_STRING
+        fi
+        echo "output_string=$output_string" >> $GITHUB_OUTPUT
+      env:
+        INPUT_STRING: ${{ inputs.input_string }}
+        ENCRYPTION_KEY: ${{ inputs.encryption_key }}
+        OPERATION: ${{ inputs.operation }}
+        SKIP: ${{ fromJSON(inputs.skip) }}

.github/workflows/update-issue.yml

@@ -0,0 +1,172 @@
+name: Update Issue
+
+on:
+  issue_comment:
+    types: [created]
+
+# Permissions needed for reacting to IssueOps commands on issues
+permissions:
+  issues: write
+  checks: read
+
+jobs:
+  update-issue:
+    runs-on: ubuntu-latest
+    if:
+      ${{ !github.event.issue.pull_request && (
+      contains(github.event.comment.body, '/encode_email') ||
+      contains(github.event.comment.body, '/decode_email') ) }}
+    steps:
+      - name: encode_email command
+        id: encode_email_command
+        uses: github/[email protected]
+        with:
+          command: "/encode_email"
+          reaction: "rocket"
+          allowed_contexts: "issue"
+          permissions: "read,triage,write,maintain,admin"
+          allowlist: "jcfr,muratmaga,${{ github.event.issue.user.login }}"
+
+      - name: decode_email command
+        id: decode_email_command
+        uses: github/[email protected]
+        with:
+          command: "/decode_email"
+          reaction: "rocket"
+          allowed_contexts: "issue"
+          permissions: "read,triage,write,maintain,admin"
+          allowlist: "jcfr,muratmaga,${{ github.event.issue.user.login }}"
+
+      - name: Set command metadata
+        id: command
+        if:
+          ${{ steps.encode_email_command.outputs.continue == 'true' ||
+          steps.decode_email_command.outputs.continue == 'true' }}
+        run: |
+          if [[ "$ENCODE_EMAIL_COMMAND_CONTINUE" == "true" ]]; then
+            continue="$ENCODE_EMAIL_COMMAND_CONTINUE"
+            command_name="encode_email"
+            comment_id="${{ steps.encode_email_command.outputs.comment_id }}"
+          elif [[ "$DECODE_EMAIL_COMMAND_CONTINUE" == "true" ]]; then
+            continue="$DECODE_EMAIL_COMMAND_CONTINUE"
+            command_name="decode_email"
+            comment_id="${{ steps.decode_email_command.outputs.comment_id }}"
+          else
+            continue="false"
+            command_name=""
+            comment_id=""
+          fi
+          echo "continue=$continue" >> $GITHUB_OUTPUT
+          echo "command_name=$command_name" >> $GITHUB_OUTPUT
+          echo "comment_id=$comment_id" >> $GITHUB_OUTPUT
+        env:
+          ENCODE_EMAIL_COMMAND_CONTINUE:
+            ${{ steps.encode_email_command.outputs.continue }}
+          DECODE_EMAIL_COMMAND_CONTINUE:
+            ${{ steps.decode_email_command.outputs.continue }}
+
+      - uses: actions/checkout@v4
+
+      - name: Extract fields
+        id: extract
+        uses: ./.github/actions/extract-issue-fields
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          issue_number: ${{ github.event.issue.number }}
+
+      - name: Check if email is encoded
+        id: check_email_encryption
+        run: |
+          if [[ "$EMAIL" != *"@"* ]]; then
+            encoded="true"
+          else
+            encoded="false"
+          fi
+          echo "encoded=$encoded" >> $GITHUB_OUTPUT
+        env:
+          EMAIL: ${{ steps.extract.outputs.email }}
+
+      - name: Encode email
+        id: encode_email
+        if: ${{ steps.encode_email_command.outputs.continue == 'true' }}
+        uses: ./.github/actions/encode-decode-string
+        with:
+          input_string: ${{ steps.extract.outputs.email }}
+          encryption_key: ${{ secrets.STRING_ENCRYPTION_KEY }}
+          operation: "encode"
+          skip: ${{ steps.check_email_encryption.outputs.encoded == 'true' }}
+
+      - name: Decode email
+        id: decode_email
+        if: ${{ steps.decode_email_command.outputs.continue == 'true' }}
+        uses: ./.github/actions/encode-decode-string
+        with:
+          input_string: ${{ steps.extract.outputs.email }}
+          encryption_key: ${{ secrets.STRING_ENCRYPTION_KEY }}
+          operation: "decode"
+          skip: ${{ steps.check_email_encryption.outputs.encoded == 'false' }}
+
+      - name: Set updated email
+        id: set_updated_email
+        if: ${{ steps.command.outputs.continue == 'true' }}
+        run: |
+          updated_email=""
+          if [[ "$ENCODE_EMAIL_COMMAND_CONTINUE" == "true" ]]; then
+            updated_email="$ENCODED_EMAIL"
+          elif [[ "$DECODE_EMAIL_COMMAND_CONTINUE" == "true" ]]; then
+            updated_email="$DECODED_EMAIL"
+          fi
+          echo "updated_email=$updated_email" >> $GITHUB_OUTPUT
+        env:
+          ENCODE_EMAIL_COMMAND_CONTINUE:
+            ${{ steps.encode_email_command.outputs.continue }}
+          ENCODED_EMAIL: ${{ steps.encode_email.outputs.output_string }}
+          DECODE_EMAIL_COMMAND_CONTINUE:
+            ${{ steps.decode_email_command.outputs.continue }}
+          DECODED_EMAIL: ${{ steps.decode_email.outputs.output_string }}
+
+      - name: Update issue body
+        id: update_issue_body
+        if: ${{ steps.command.outputs.continue == 'true' }}
+        shell: bash
+        run: |
+          gh issue view $ISSUE_NUMBER \
+            --repo $GH_REPO \
+            --json body \
+            --jq .body > ./body.md
+
+          # Replace email
+          sed "s#$OLD_EMAIL#$NEW_EMAIL#" ./body.md > ./updated_body.md
+
+          gh issue edit $ISSUE_NUMBER \
+            --repo $GH_REPO \
+            --body-file ./updated_body.md
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          OLD_EMAIL: ${{ steps.extract.outputs.email }}
+          NEW_EMAIL: ${{ steps.set_updated_email.outputs.updated_email }}
+
+      - name: command results comment (success)
+        if: ${{ steps.command.outputs.continue == 'true' && success() }}
+        uses: peter-evans/[email protected]
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            ### Command Results ✅
+
+            `${{ steps.command.outputs.command_name }}` command successfully applied to this issue.
+
+      - name: command results comment (failure)
+        if: ${{ steps.command.outputs.continue == 'true' && failure() }}
+        uses: peter-evans/[email protected]
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          body: |
+            ### Command Results ❌
+
+            `${{ steps.command.outputs.command_name }}` command failed to be applied to this issue.
+
+            See details at https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/validate-request.yml

@@ -1,30 +1,39 @@
 name: Validate Request
 
 on:
-  issue_comment:
-    types: [created]
+  issues:
+    types:
+      - opened
+  workflow_dispatch:
+    inputs:
+      issue_number:
+        description: "Issue number"
+        required: true
 
 # Permissions needed for reacting to IssueOps commands on issues
 permissions:
   issues: write
   checks: read
 
 jobs:
-  control:
+  validate:
     runs-on: ubuntu-latest
-    if:
-      ${{ !github.event.issue.pull_request && (
-      contains(github.event.comment.body, '/validate') ) }}
     steps:
-      - name: validate command
-        id: validate_command
-        uses: github/[email protected]
-        with:
-          command: "/validate"
-          reaction: "rocket"
-          allowed_contexts: "issue"
-          permissions: "read,triage,write,maintain,admin"
-          allowlist: "jcfr,muratmaga,${{ github.event.issue.user.login }}"
+      - name: Collect Inputs
+        id: collect_inputs
+        run: |
+          echo "EVENT_NAME [$EVENT_NAME]"
+          if [[ "$EVENT_NAME" == "issues" ]]; then
+            issue_number=${{ github.event.issue.number }}
+          elif [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+            issue_number=${{ github.event.inputs.issue_number }}
+          else
+            echo "::error ::Unsupported EVENT_NAME [$EVENT_NAME]"
+            exit 1
+          fi
+          echo "issue_number=$issue_number" >> $GITHUB_OUTPUT
+        env:
+          EVENT_NAME: ${{ github.event_name }}
 
       - uses: actions/checkout@v4
 
@@ -34,7 +43,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}
-          issue_number: ${{ github.event.issue.number }}
+          issue_number: ${{ steps.collect_inputs.outputs.issue_number }}
 
       - name: Check ORCID iD format
         id: check_orcid_format
@@ -51,65 +60,49 @@ jobs:
         env:
           ORCID: ${{ steps.extract.outputs.orcid }}
 
-      - name: Check email format
-        id: check_email_format
+      - name: Check if email is encoded
+        id: check_email_encryption
         run: |
-          input_email=$EMAIL
-          if [[ "$input_email" != *"@"* ]]; then
-            # decrypt
-            email=$(echo "$input_email" | openssl enc -base64 -d -aes-256-cbc -salt -pass pass:$STRING_ENCRYPTION_KEY -pbkdf2)
+          if [[ "$EMAIL" != *"@"* ]]; then
+            encoded="true"
           else
-            email=$input_email
+            encoded="false"
           fi
+          echo "encoded=$encoded" >> $GITHUB_OUTPUT
+        env:
+          EMAIL: ${{ steps.extract.outputs.email }}
+
+      - name: Decode email
+        id: decode_email
+        uses: ./.github/actions/encode-decode-string
+        with:
+          input_string: ${{ steps.extract.outputs.email }}
+          encryption_key: ${{ secrets.STRING_ENCRYPTION_KEY }}
+          operation: "decode"
+          skip: ${{ steps.check_email_encryption.outputs.encoded == 'false' }}
 
+      - name: Check email format
+        id: check_email_format
+        run: |
           # Adapted from https://gist.github.com/guessi/82a73ee7eb2b1216eb9db17bb8d65dd1
           email_regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
-          if [[ "$email" =~ $email_regex ]]; then
+          if [[ "$EMAIL" =~ $email_regex ]]; then
             valid="true"
             emojii="✅"
           else
             valid="false"
             emojii="❌"
           fi
-
-          encrypted_email=$(echo "$email" | openssl enc -base64 -e -aes-256-cbc -salt -pass pass:$STRING_ENCRYPTION_KEY -pbkdf2)
-
           echo "valid=$valid" >> $GITHUB_OUTPUT
           echo "emojii=$emojii" >> $GITHUB_OUTPUT
-          echo "email=$email" >> $GITHUB_OUTPUT
-          echo "encrypted_email=$encrypted_email" >> $GITHUB_OUTPUT
-        env:
-          EMAIL: ${{ steps.extract.outputs.email }}
-          STRING_ENCRYPTION_KEY: ${{ secrets.STRING_ENCRYPTION_KEY }}
-
-      - name: Update issue body
-        id: update_issue_body
-        shell: bash
-        run: |
-          body=$(gh issue view $ISSUE_NUMBER \
-            --repo $GH_REPO \
-            --json body | \
-            jq '.body')
-
-          # Replace email
-          updated_body=$(echo "$body" | sed "s#$EMAIL#$ENCRYPTED_EMAIL#")
-
-          gh issue edit $ISSUE_NUMBER \
-            --repo $GH_REPO \
-            --body "${updated_body}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-          EMAIL: ${{ steps.check_email_format.outputs.email }}
-          ENCRYPTED_EMAIL:
-            ${{ steps.check_email_format.outputs.encrypted_email }}
+          EMAIL: ${{ steps.decode_email.outputs.output_string }}
 
       - name: command results comment (failure)
         if: ${{ failure() }}
         uses: peter-evans/[email protected]
         with:
-          issue-number: ${{ github.event.issue.number }}
+          issue-number: ${{ steps.collect_inputs.outputs.issue_number }}
           body: |
             ### Command Results ❌
 
@@ -120,7 +113,7 @@ jobs:
         if: ${{ success() }}
         uses: peter-evans/[email protected]
         with:
-          issue-number: ${{ github.event.issue.number }}
+          issue-number: ${{ steps.collect_inputs.outputs.issue_number }}
           body: |
             ### Validation Results