…sed refs (dotCMS#35761)
Fixes dotCMS#35794
## Summary
Hardens the PR-to-issue linking gate
(`.github/workflows/issue_open-pr.yml` →
`issue_comp_link-issue-to-pr.yml`) and adds a second gate on the linked
issue's metadata.
### Linking-gate fixes (the original three)
- **Shell injection / template interpolation.** `inputs.pr_body`,
`pr_title`, `pr_author`, `pr_url`, `pr_branch`, `pr_merged` were
template-substituted by GitHub Actions directly into the bash `run:`
scripts. PRs whose body contained backticks, `$var(...)`, or unbalanced
parens (e.g. dotCMS#35728's `$markdownTool.blockToMarkdown(json)`) caused a
bash syntax error on the first `Debug workflow inputs` step → entire job
exited code 2 → `Add failure comment to PR` was skipped (its condition
needs `failure_detected=true`, never set) → PR appeared unchecked.
Hoisted all inputs into a job-level `env:` block and reference them as
`$ENV_VAR` in shell, so user-supplied values are treated as data, not
code.
- **Missed markdown-link refs.** The regex
`(close[ds]?|fix(e[ds])?|resolve[ds]?)(:)?\s+#([0-9]+)` requires a
literal `#` immediately after the keyword and misses GitHub's other
valid form `fixes [dotCMS#123](url)` (as in dotCMS#35242). Added a GraphQL
`closingIssuesReferences` lookup as the 4th and final fallback in
`Determine final issue number`.
- **Stale-on-open.** The workflow only triggered on `pull_request:
[opened]`, so editing the body or pushing new commits never re-evaluated
the gate. A once-broken PR stayed broken even after the author fixed the
link. Broadened triggers to `[opened, edited, synchronize, reopened]`.
Existing idempotency (`grep -q "#$issue_number"` before body patch,
`sort -u` on PR-list comments, `Remove failure comment` step) handles
the extra runs; the failure-comment step is now dedup-guarded.
### New second gate — linked issue must have a team label
After the link is resolved, the workflow validates that the linked issue
carries a `Team : *` label and fails with a distinct `❌ Linked Issue
Needs Team Label` PR comment if it doesn't. The validation step runs
**before** the side-effect steps (PR-list comment on the issue, PR body
PATCH), so a PR whose linked issue is missing a team label does not
mutate any remote state before failing.
### Review-driven follow-ups (commit `312ced3e`)
- Step order moved so gates run before side effects (`Link PR to issue`
and the issue's PR-list comment no longer run when validation fails).
- `gh issue view` errors in the team-label step are surfaced distinctly
instead of being collapsed into "no team label."
- `$GITHUB_OUTPUT` heredocs use a random `ghadelimiter_<random>` instead
of literal `EOF` to prevent delimiter collision with user-controlled
content.
- Markdown link characters (`\`, `[`, `]`) in `PR_TITLE` are escaped
before being embedded in the bot's linked-issue comment.
- URL-presence check on the existing PR list switched from `grep -q` to
`grep -qF`.
### Operational notes
- Fork PRs are skipped via `if:
github.event.pull_request.head.repo.full_name == github.repository`
because the `pull_request` `GITHUB_TOKEN` is read-only on forks. If this
gate ever becomes a required check, fork contributors will be unchecked
by design — flag for follow-up at that point.
- Explicit `permissions: { pull-requests: write, issues: write }`
declared on the reusable workflow.
- The check remains advisory (not in branch-protection required checks
on `main`).
## Test plan
- [x] Confirm no shell error in `Debug workflow inputs` when the PR body
contains backticks / `$var(...)` (this PR's own description is the test
case).
- [x] GraphQL fallback runs only when neither body regex nor branch-name
extraction succeeds.
- [x] `synchronize` re-fires the check on a new push (empty commit
`2e6b0ed0` validated this).
- [x] Linked-issue gate fails with `❌ Linked Issue Needs Team Label`
when the linked issue has no `Team : *` label.
- [x] Linked-issue gate passes when `Team : *` is restored on the issue.
- [ ] Side-effect steps (`Create new comment`, `Link PR to issue`) are
skipped on a run where team-label validation fails.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
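The template-interpolation problem from the first linking-gate fix above, reduced to a runnable sketch. This is an added example, not code from the commit or the dotCMS workflows; the step text, the function names and the sample PR body are assumptions constructed for illustration.

```shell
# Added illustration; the step text and function names are hypothetical.

# Constructed PR body using the expression quoted in the commit message,
# wrapped in backticks the way Markdown inline code would be.
SAMPLE_BODY='Renders blocks via `$markdownTool.blockToMarkdown(json)`'

# Before: stand-in for `${{ inputs.pr_body }}` inside a `run:` script. The
# value is pasted into the script text, so bash evaluates its backticks and `$`.
run_interpolated() {
  local script="echo \"PR body: $1\""
  bash -e -c "$script" 2>/dev/null
}

# After: the script text is constant and the value arrives in the environment,
# as with a job-level `env:` block. "$PR_BODY" expands once and is not rescanned.
run_env() {
  PR_BODY="$1" bash -e -c 'printf "PR body: %s\n" "$PR_BODY"' 2>/dev/null
}

# Prints "intact" if the step echoed the body byte-for-byte, else "mangled".
check_step() {  # runner body
  local out
  if out="$("$1" "$2")" && [ "$out" = "PR body: $2" ]; then
    echo intact
  else
    echo mangled
  fi
}

echo "interpolated: $(check_step run_interpolated "$SAMPLE_BODY")"
echo "env block:    $(check_step run_env "$SAMPLE_BODY")"
```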
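The `$GITHUB_OUTPUT` delimiter collision from the review-driven follow-ups above, as an added example that is not the workflow's own code. The reader is a simplified stand-in for the runner's parser, and the function names and the sample body are constructed.

```shell
# Added illustration; function names are hypothetical. File format assumed:
# the multiline form for $GITHUB_OUTPUT, name<<DELIM / value lines / DELIM.

# Constructed PR body that contains a line reading exactly "EOF".
SAMPLE_BODY='Repro steps:
cat <<EOF
hello
EOF
Fixes the parser.'

# Before: fixed delimiter. An "EOF" line inside the value ends it early.
write_fixed() {   # name value file
  printf '%s<<EOF\n%s\nEOF\n' "$1" "$2" >> "$3"
}

# After: random delimiter per write, regenerated if the value contains it.
write_random() {  # name value file
  local delim
  while :; do
    delim="ghadelimiter_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    case "$2" in *"$delim"*) ;; *) break ;; esac
  done
  printf '%s<<%s\n%s\n%s\n' "$1" "$delim" "$2" "$delim" >> "$3"
}

# Simplified reader for that format: print the value stored for output $1.
read_output() {   # name file
  awk -v want="$1" '
    !inval && (p = index($0, "<<")) {
      name = substr($0, 1, p - 1); delim = substr($0, p + 2)
      inval = 1; first = 1; next
    }
    inval && $0 == delim { inval = 0; next }
    inval && name == want { printf "%s%s", (first ? "" : "\n"), $0; first = 0 }
  ' "$2"
}

# Succeeds only if the value read back equals the value written.
round_trips() {   # writer value
  local f rc=1
  f="$(mktemp)"
  "$1" body "$2" "$f"
  if [ "$(read_output body "$f")" = "$2" ]; then rc=0; fi
  rm -f "$f"
  return "$rc"
}

for w in write_fixed write_random; do
  if round_trips "$w" "$SAMPLE_BODY"; then echo "$w: intact"; else echo "$w: truncated"; fi
done
```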
## Summary
Adds AWS Bedrock as a supported provider. Bedrock is a managed platform that
proxies multiple model families (Anthropic, Amazon Titan, Cohere, Meta, etc.)
via a unified Converse API — a single integration covers all of them.
- `langchain4j-bedrock` dependency
- `bedrock` case to `LangChain4jModelFactory` switch
- `buildBedrockChatModel` using `BedrockRuntimeClient` with explicit or IAM role credentials
- `buildBedrockEmbeddingModel` with automatic Titan/Cohere dispatch by model ID prefix
- `embeddingInputType` field to `ProviderConfig` (Cohere-specific; default: `search_document`)
- `buildBedrockImageModel` throws `UnsupportedOperationException` (no LangChain4J support)
- `LangChain4jModelFactoryTest`

## Configuration

```json
{
  "chat": {
    "provider": "bedrock",
    "region": "us-east-1",
    "accessKeyId": "...",
    "secretAccessKey": "...",
    "model": "anthropic.claude-3-5-sonnet-20241022-v2:0",
    "maxTokens": 16384,
    "temperature": 1.0
  },
  "embeddings": {
    "provider": "bedrock",
    "region": "us-east-1",
    "accessKeyId": "...",
    "secretAccessKey": "...",
    "model": "amazon.titan-embed-text-v2:0"
  }
}
```

## Notes

- If `accessKeyId`/`secretAccessKey` are omitted, credentials resolve via `DefaultCredentialsProvider` (IAM role, environment, `~/.aws/credentials`).
- `cohere.` → `BedrockCohereEmbeddingModel`; all others → `BedrockTitanEmbeddingModel`.
- `embeddingInputType` is Cohere-only. Use `search_document` when indexing content, `search_query` when embedding a search query. Titan silently ignores this field.
- `UnsupportedOperationException`.

## Related Issue
This PR fixes #35334
EPIC: dotAI Multi-Provider Support #33970