Skip to content

Comments

feat: add OUTPUT_FILENAME to customize markdown output#387

Open
vchrombie wants to merge 8 commits intogithub:mainfrom
vchrombie:feat/output-filename-env-18
Open

feat: add OUTPUT_FILENAME to customize markdown output#387
vchrombie wants to merge 8 commits intogithub:mainfrom
vchrombie:feat/output-filename-env-18

Conversation

@vchrombie
Copy link

@vchrombie vchrombie commented Jan 25, 2026
edited by zkoppert
Loading

Fixes #18

Expose OUTPUT_FILENAME env var with default contributors.md, wire into markdown output, and document/test it.

Pull Request

Proposed Changes

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing
  • If publishing new data to the public (scorecards, security scan results, code quality results, live dashboards, etc.), please request review from @jeffrey-luszcz

Reviewer

  • Label as either bug, documentation, enhancement, infrastructure, maintenance or breaking

Copilot AI review requested due to automatic review settings January 25, 2026 20:15
@vchrombie vchrombie requested a review from a team as a code owner January 25, 2026 20:15
Copilot AI reviewed Jan 25, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for customizing the generated markdown report filename via a new OUTPUT_FILENAME environment variable (defaulting to contributors.md).

Changes:

  • Added OUTPUT_FILENAME parsing (with default) to env.get_env_vars().
  • Wired the configured output filename into contributors.py when writing the markdown report.
  • Updated tests and README to cover/document the new environment variable.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
env.py Adds OUTPUT_FILENAME env var handling and returns it from get_env_vars().
contributors.py Uses the returned output_filename when calling markdown.write_to_markdown().
test_env.py Extends env parsing tests to assert default and custom OUTPUT_FILENAME behavior.
README.md Documents OUTPUT_FILENAME and updates job summary wording to be filename-agnostic.

@vchrombie vchrombie requested a review from Copilot January 25, 2026 20:39
Copilot AI reviewed Jan 25, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@vchrombie vchrombie force-pushed the feat/output-filename-env-18 branch from 30cb19a to d4ff051 Compare January 25, 2026 20:46
zkoppert
zkoppert reviewed Feb 3, 2026
View reviewed changes
@zkoppert
Copy link
Member

zkoppert commented Feb 3, 2026

@vchrombie this looks great. I've got one documentation suggestion to help folks understand the default exists. Thanks for your PR!!

@vchrombie
Copy link
Author

vchrombie commented Feb 3, 2026

Thanks @zkoppert for the suggestion.

@vchrombie vchrombie force-pushed the feat/output-filename-env-18 branch from d5a635a to cbb09ac Compare February 4, 2026 03:18
@vchrombie
Copy link
Author

vchrombie commented Feb 4, 2026
edited
Loading

I rebased the branch with the latest changes

@zkoppert, could you please approve it to kick the ci checks?

@vchrombie vchrombie force-pushed the feat/output-filename-env-18 branch from c21a904 to b226a02 Compare February 4, 2026 03:58
@vchrombie
Copy link
Author

vchrombie commented Feb 10, 2026

I can rebase the latest changes

vchrombie and others added 3 commits February 11, 2026 00:52
@vchrombie
feat: add OUTPUT_FILENAME to customize markdown output
2d0e934 
Expose OUTPUT_FILENAME env var with default contributors.md,
wire into markdown output, and document/test it.

Signed-off-by: Venu Vardhan Reddy Tekula <venuvrtekula@gmail.com>
@vchrombie
docs: align workflow examples with OUTPUT_FILENAME
485a4c3 
Use a job-level OUTPUT_FILENAME and reference it in content-filepath
so examples stay in sync.

Signed-off-by: Venu Vardhan Reddy Tekula <venuvrtekula@gmail.com>
@vchrombie @zkoppert
docs: clarify that job summary output file is configurable
ea7eb40 
Co-authored-by: Zack Koppert <zkoppert@github.com>
Signed-off-by: Venu Vardhan Reddy Tekula <venuvrtekula@gmail.com>
@vchrombie vchrombie force-pushed the feat/output-filename-env-18 branch from 644bf5e to ea7eb40 Compare February 11, 2026 05:52
@vchrombie
Copy link
Author

vchrombie commented Feb 11, 2026

I rebased this too, let's take one pr at a time. I can rebase the other ones as needed.
@zkoppert

@zkoppert @Copilot
fix: update test_env.py for OUTPUT_FILENAME return value and .env leak
dd8381d 
- Add missing _output_filename to tuple unpacking in test_get_env_vars_valid_date_range
- Fix test_get_env_vars_missing_org_or_repo to use clear=True and test=True so local .env files don't interfere

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert
Copy link
Member

zkoppert commented Feb 21, 2026

Pushed a fix for the CI failure and an additional test robustness improvement:

  1. test_get_env_vars_valid_date_range (CI failure) — added the missing _output_filename to the tuple unpacking to match the new 13th return value from get_env_vars().
  2. test_get_env_vars_missing_org_or_repo (pre-existing) — added clear=True to @patch.dict and test=True to get_env_vars() so that a local .env file doesn't leak REPOSITORY into the test and suppress the expected ValueError.

Will watch CI for any further failures to help get this moving through. 👀

zkoppert and others added 2 commits February 20, 2026 17:13
@zkoppert
Merge remote-tracking branch 'origin/main' into feat/output-filename-…
13808b5 
…env-18
@zkoppert @Copilot
fix: add output_filename to mock return values in test_contributors.py
e60a905 
Add the 13th return value ('contributors.md') to all mocked get_env_vars
tuples so tests match the updated function signature.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert
Copy link
Member

zkoppert commented Feb 21, 2026

Merged main to pick up the new tests from 0eb49a0, then fixed the 3 newly failing tests in test_contributors.py:

  • test_main_runs_under_main_guard, test_main_sets_new_contributor_flag, test_main_fetches_sponsor_info_when_enabled — all had mocked get_env_vars return tuples with 12 values instead of the expected 13. Added the missing "contributors.md" (output_filename) to each.

All 52 tests pass locally with 100% coverage. Watching CI for this run. 👀

@zkoppert @Copilot
fix: validate OUTPUT_FILENAME to prevent path traversal and unsafe ch…
784fca0 
…aracters

Reject filenames containing path separators, special characters, or absolute
paths. Only alphanumeric characters, hyphens, underscores, and dots are allowed.
Adds four security tests covering path traversal, absolute paths, directory
separators, and shell metacharacters.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@zkoppert
Copy link
Member

zkoppert commented Feb 21, 2026

Added input validation for OUTPUT_FILENAME to address security concerns found during review:

Problem: The filename was accepted as-is after stripping whitespace, which meant path traversal (../../../etc/passwd), absolute paths (/tmp/output.md), directory paths (reports/output.md), and shell metacharacters (file;rm -rf /.md) were all accepted — potentially allowing writes outside the intended directory.

Fix: Added a regex check (^[a-zA-Z0-9_\-\.]+$) and a os.path.basename() guard in env.py. Only simple filenames with alphanumeric characters, hyphens, underscores, and dots are now allowed. Four security tests added to cover path traversal, absolute paths, directory separators, and special characters.

@zkoppert zkoppert enabled auto-merge February 21, 2026 01:32
zkoppert
zkoppert approved these changes Feb 21, 2026
View reviewed changes
Copy link
Member

@zkoppert zkoppert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for coming along the wild ride to get that in @vchrombie ! Appreciate your contributions! 🚀

@zkoppert zkoppert disabled auto-merge February 21, 2026 01:33
@zkoppert zkoppert enabled auto-merge February 21, 2026 01:33
@zkoppert zkoppert disabled auto-merge February 21, 2026 01:33
@zkoppert
Copy link
Member

zkoppert commented Feb 21, 2026

This is ready to go now. I just need to figure out why codeql hasn't reported like it should. Hang in there... I'll investigate

@zkoppert @Copilot
chore: retrigger CI checks
06203fe 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zkoppert zkoppert zkoppert approved these changes

Assignees

No one assigned

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feature: Add env variable to allow for setting custom output filename

2 participants

@vchrombie @zkoppert