fix(ghb-108): verify PR references correct bounty issue before accepting submission #131

Open
aagear wants to merge 4 commits into Ghbounty:main from aagear:fix/ghb-108-pr-auto-detection

aagear commented Jun 22, 2026

Description

Fixes #108

This PR fixes the PR auto-detection bug where a PR could be submitted for a bounty without verifying that the PR actually references the correct bounty issue.

Changes

  1. New verifyPrRelevance function (packages/shared/src/github/verify-pr-relevance.ts):

    • Fetches the PR body from GitHub REST API
    • Parses it for "Fixes #N", "Closes #N", "Resolves #N" patterns
    • Verifies the referenced issue number matches the bounty issue
    • Returns a clear result with one of: body_reference, no_issue_reference, or issue_number_mismatch
    • Handles edge cases: PR not found, rate limited, upstream errors, malformed URLs
  2. Integrated into submissions.create (apps/mcp/lib/tools/submissions/create.ts):

    • Added PR relevance check after PR ownership check (GHB-182)
    • Rejects submissions where the PR body references a different issue number
    • Rejects submissions with no issue reference at all (must include "Fixes #N" in PR body)
    • Transient errors (rate limited, upstream) return ServiceUnavailable so the agent retries
  3. Exported from shared package (packages/shared/src/index.ts)

  4. Tests (packages/shared/tests/github/verify-pr-relevance.test.ts):

    • Covers all result types: body_reference match, title match, issue_number_mismatch, no reference, invalid URL, PR not found, rate limited, upstream error

Why this fixes the bug

Previously, the platform would accept any PR submitted for a bounty as long as the author matched (GHB-182 ownership check). This meant PR #99, which was about diff-filter (issue #67), could be submitted to bounty #70 ("FUCKING TEST") and be accepted. Now the platform verifies that the PR body explicitly references the correct issue number before allowing the submission.

Verification

  • verifyPrRelevance is a pure function with no side effects
  • Follows the same pattern as verifyPrOwnership (same directory, same result shape, same GitHub API call pattern)
  • All tests mock the GitHub API so they run offline
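
The body check described in the PR description above, as an added example that is not code from this pull request: a pure classifier for the closing-keyword reference, using the result names from the description. The function names, the repository name, the sample bodies and the policy choices (references inside code or HTML comments are ignored, references qualified with another repository are ignored, one matching reference is enough) are assumptions.

```typescript
// Added example, not Ghbounty code. Result names come from the PR description;
// classifyPrBody, stripNonProse and the repository name are hypothetical.
type Relevance = "body_reference" | "no_issue_reference" | "issue_number_mismatch";

// Closing keyword on a word boundary, optional colon, optional owner/repo, then #N.
const CLOSING_REF =
  /\b(?:fix(?:es|ed)?|close[sd]?|resolve[sd]?)\b:?[ \t]+([\w.-]+\/[\w.-]+)?#(\d+)\b/gi;

// Drop regions where a keyword must not count: HTML comments, fenced and inline code.
function stripNonProse(body: string): string {
  return body
    .replace(/<!--[\s\S]*?-->/g, " ")
    .replace(/`{3}[\s\S]*?`{3}/g, " ")
    .replace(/`[^`\n]*`/g, " ");
}

function classifyPrBody(body: string | null, bountyIssue: number, bountyRepo: string): Relevance {
  const text = stripNonProse(body || "");
  const refs: number[] = [];
  CLOSING_REF.lastIndex = 0; // the regex is global and shared, so reset its cursor
  let m: RegExpExecArray | null;
  while ((m = CLOSING_REF.exec(text)) !== null) {
    const repo: string | undefined = m[1];
    // "Fixes other/repo#70" points at another repository's issue 70: ignore it.
    if (repo !== undefined && repo.toLowerCase() !== bountyRepo.toLowerCase()) continue;
    refs.push(Number(m[2]));
  }
  if (refs.length === 0) return "no_issue_reference";
  // Assumption: one matching reference is enough even if other issues are listed too.
  return refs.indexOf(bountyIssue) !== -1 ? "body_reference" : "issue_number_mismatch";
}

// Constructed PR bodies, checked against bounty issue #70.
const REPO = "example-org/example-repo";
const SAMPLES: string[] = [
  "Adds diff-filter.\n\nFixes #67",      // the mismatch case from the description
  "Closes: #70",
  "This prefixes #70 in the log output", // substring of a keyword, not a keyword
  "<!-- Fixes #70 -->\nRefactor only",   // hidden in an HTML comment
  "Resolves other-org/other-repo#70",    // same number, different repository
];
for (const body of SAMPLES) {
  console.log(JSON.stringify(body), "->", classifyPrBody(body, 70, REPO));
}
```

Accepting on any matching reference lets one PR that lists several issues qualify for each of their bounties; requiring every reference to match is the stricter alternative.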

aagear requested a review from tomazzi14 as a code owner June 22, 2026 18:56

vercel Bot commented Jun 22, 2026

@aagear is attempting to deploy a commit to the weareghbounty-6269's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

Bug: PR auto-detection matches wrong GHB bounty