unredacted/linux-hardened-unredacted
2
1
Fork 0
Code Issues 1 Pull requests Projects Releases 6 Packages Wiki Activity Actions

Fix cve-watch issue creation (422 on string labels) #3

Merged
zach merged 1 commit from fix/cve-watch-label-ids into main 2026-05-29 09:13:50 +00:00
Conversation 0 Commits 1 Files changed 1 +15 -2
zach commented 2026-05-29 09:12:45 +00:00
Owner
Copy link

The last cve-watch bug. With #1 the 403 was cleared (token scope + dropping the server-side q= search) and the API error body is now surfaced — which revealed the real cause of the remaining failure:

422 "[]: json: cannot unmarshal string into Go struct field CreateIssueOption.labels of type int64"

Forgejo's create-issue API expects labels as an array of integer label IDs, not names (a Gitea/Forgejo divergence from GitHub). The payload sent ["cve-watch","upstream"] (names) → 422.

Fix: resolve the desired label names to IDs from the repo's existing labels (GET /labels) and post the matched IDs. Best-effort — a failed lookup or a not-yet-created label files the issue without that label rather than blocking, so issue creation never depends on label state.

Verified: yamllint clean; the resolution + payload jq produce integer IDs when the labels exist and [] when they don't (Forgejo accepts an empty labels array).

Follow-ups (not blocking)

  • Create cve-watch / upstream labels in the repo once (Issues → Labels) if you want them auto-applied; otherwise issues file unlabeled.
  • This run's new=true was a genuine new-upstream detection (the F8 normalization from #1 is working, so it's not the old hourly false-positive). Once this merges, the next hourly run files the real tracking issue — kicking off the normal response flow (verify upstream signature → push matching tag → build).

🤖 Generated with Claude Code

The last cve-watch bug. With #1 the 403 was cleared (token scope + dropping the server-side `q=` search) and the API error body is now surfaced — which revealed the real cause of the remaining failure: ``` 422 "[]: json: cannot unmarshal string into Go struct field CreateIssueOption.labels of type int64" ``` Forgejo's create-issue API expects `labels` as an array of integer label **IDs**, not names (a Gitea/Forgejo divergence from GitHub). The payload sent `["cve-watch","upstream"]` (names) → 422. **Fix:** resolve the desired label names to IDs from the repo's existing labels (`GET /labels`) and post the matched IDs. Best-effort — a failed lookup or a not-yet-created label files the issue **without** that label rather than blocking, so issue creation never depends on label state. Verified: yamllint clean; the resolution + payload jq produce integer IDs when the labels exist and `[]` when they don't (Forgejo accepts an empty `labels` array). ## Follow-ups (not blocking) - Create `cve-watch` / `upstream` labels in the repo once (Issues → Labels) if you want them auto-applied; otherwise issues file unlabeled. - This run's `new=true` was a **genuine** new-upstream detection (the F8 normalization from #1 is working, so it's not the old hourly false-positive). Once this merges, the next hourly run files the real tracking issue — kicking off the normal response flow (verify upstream signature → push matching tag → build). 🤖 Generated with [Claude Code](https://claude.com/claude-code)
ci: fix cve-watch issue creation (422 on string labels)
All checks were successful
validate / shellcheck (pull_request) Successful in 14s
Details
validate / yamllint (pull_request) Successful in 12s
Details
validate / pycompile (pull_request) Successful in 4s
Details
validate / intent-matches-policy (pull_request) Successful in 4s
Details
validate / no-placeholder-digests (pull_request) Has been skipped
Details
7cd31b3c64 
With the 403 cleared (token scope + dropped q= search) and the error body
now surfaced, the real cause showed itself: Forgejo's create-issue API
expects `labels` as an array of integer label IDs, not names (a
Gitea/Forgejo divergence from GitHub). Posting names returned:

  422 "cannot unmarshal string into Go struct field
       CreateIssueOption.labels of type int64"

Resolve the desired names to IDs from the repo's existing labels
(GET /labels) and post the matched IDs; best-effort, so a failed lookup
or a not-yet-created label files the issue WITHOUT that label rather than
blocking. (Create the `cve-watch` / `upstream` labels in the repo once for
them to be auto-applied.)

Note: this run's new=true was a genuine new-upstream detection, not the
old hourly false-positive — the F8 normalization from #1 is working.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zach merged commit 46ebdff9b8 into main 2026-05-29 09:13:50 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
unredacted/linux-hardened-unredacted!3
No description provided.