[Bug] extractIssueNumbers bare #N alternative matches any issue reference, awarding XP for PRs that mention but do not fix an issue

[anshul23102]

Summary

The regex used in extractIssueNumbers (inside src/inngest/functions/process-pr-event.ts) contains a second alternative that matches any bare #N token. As a result, a PR body such as "Related to #42" or "See discussion in #7" triggers the same XP award path as "Fixes #42", even though no issue is actually being closed.

Affected File

src/inngest/functions/process-pr-event.ts

Root Cause

const ISSUE_REF = /(?:close[sd]?|fixe[sd]?|resolve[sd]?)\s+#(\d+)|#(\d+)/gi;

The regex has two alternatives separated by |:

1. (?:close[sd]?|fixe[sd]?|resolve[sd]?)\s+#(\d+) - closing keywords followed by an issue number (correct intent)
2. #(\d+) - any bare #N reference anywhere in the PR body (unintended)

Wherever extractIssueNumbers passes results to tryLinkByIssueRef, the second alternative causes every issue mentioned in passing to enter the XP award pipeline alongside genuinely resolved issues.

Impact

• Any PR body that references an issue number for context (code review discussion, related-work links, changelog notes) will incorrectly trigger XP awards for that issue.
• On a busy repository with many cross-references, this inflates XP balances for all participants systematically and silently.
• Because the idempotency key is (user_id, source, ref_id), the erroneous award is committed on first merge and cannot be cleanly corrected by re-running the event.

Steps to Reproduce

1. Open a PR with body: Refactors the auth flow. See #10 for background.
2. Merge the PR (no closing keyword present).
3. Observe XP awarded for issue fix(webhook): surface insert error details #10 as if the PR had resolved it.

Expected Behaviour

Only closing-keyword matches should produce issue links. The second bare-reference alternative should be removed:

const ISSUE_REF = /(?:close[sd]?|fixe[sd]?|resolve[sd]?)\s+#(\d+)/gi;

If cross-repository closing syntax (owner/repo#N) is needed in future, it should be added explicitly with the same keyword guard rather than by broadening the bare-ref alternative.

Severity

High - Silent, systematic XP inflation on every merged PR that mentions an issue number in passing. The impact compounds over time as the repository grows.

[anshul23102]

@Sujini-kudupudi I would like to work on this as part of NSoC 2026. The fix is a one-line regex change with a unit test covering the bare-reference vs. closing-keyword distinction. Could you please assign this to me?

/assign

[github-actions]

Hey @anshul23102

You currently have 3 open issues assigned to you. The limit is 3 at a time.

Please close or get your existing work merged before picking up a new issue:

• [Security] Webhook INSERT failure leaks raw Supabase error fields (code, details, hint) in the HTTP 500 response body #218 - [Security] Webhook INSERT failure leaks raw Supabase error fields (code, details, hint) in the HTTP 500 response body
• Bug: TOCTOU race condition in claimRecommendation allows bypassing the 3-active-claim limit #205 - Bug: TOCTOU race condition in claimRecommendation allows bypassing the 3-active-claim limit
• Security: GitHub OAuth access token transmitted to Inngest and persisted in third-party event storage #204 - Security: GitHub OAuth access token transmitted to Inngest and persisted in third-party event storage

Once those are resolved, feel free to re-assign yourself here. Questions? Drop them in GitHub Discussions.

[Sujini-kudupudi]

Hi @Soumya-codr

I’d like to work on this issue as part of NSoC 2026. I understood the root cause — the current regex is incorrectly matching bare #N references and triggering unintended XP awards.

I can fix this by restricting matches to only valid closing keywords (fixes, closes, resolves, etc.) and add proper unit tests to prevent regressions between contextual references and actual issue-closing references.

Could you please assign this issue to me?
Thank you!
and add the tags ass well

/assign

[aaniya22]

pls assign this to me under gssoc'26

[Soumya-codr]

@aaniya22 ok assigning but i have already saved some issues for u that u are earlier want to work but yeah i am assigining

[aaniya22]

@aaniya22 ok assigning but i have already saved some issues for u that u are earlier want to work but yeah i am assigining

you can assign me those ill do those too

[Soumya-codr]

@aaniya22 ok assigning but i have already saved some issues for u that u are earlier want to work but yeah i am assigining

you can assign me those ill do those too

#194 here is the issue please visit this and since i am assigning that since its a very large group of issues so i am de assigning u and assiging @Sujini-kudupudi for this issue

@aaniya22 u can solve that issues #194