Add Telegram Notifier to Nightly CI pipeline #1934

Merged
UnschooledGamer merged 18 commits into Acode-Foundation:main from UnschooledGamer:UnschooledGamer-patch-1
Mar 9, 2026

Conversation

@UnschooledGamer
Member

No description provided.

@UnschooledGamer UnschooledGamer self-assigned this Mar 9, 2026
@UnschooledGamer UnschooledGamer added the enhancement New feature or request label Mar 9, 2026
@greptile-apps
Contributor

greptile-apps bot commented Mar 9, 2026

Greptile Summary

This PR adds Telegram notification support to the community release notifier. The implementation correctly handles most concerns raised in previous review rounds:

Addressed in this revision:

  • Shell injection vulnerability eliminated via env: variable isolation (lines 42-45)
  • Multi-line release notes properly handled with heredoc format (lines 72-84)
  • Separate output paths for Discord (plain markdown) and Telegram (MarkdownV2) prevent escaped characters from appearing visually in Discord (lines 77-84)
  • Telegram MarkdownV2 escaping applied correctly to tag, body, and announcement (lines 55-68)
  • Hard-coded special characters properly escaped in announcement string (line 68)

⚠️ Remaining structural constraint:
All three Telegram secrets (lines 25-33) remain marked required: true. While this enforces that callers must provide Telegram credentials when using the reusable workflow, it creates a hard dependency where any future caller that doesn't intend to use Telegram will fail the entire notification pipeline. The continue-on-error: true on the Telegram step (line 125) cannot mitigate this because secret validation occurs before steps execute.

For maximum flexibility in a reusable workflow, consider:

  • Marking Telegram secrets as required: false
  • Adding an if: gate to skip the step when credentials are unavailable

The current implementation works correctly for callers that always provide Telegram credentials.

Confidence Score: 4/5

  • Safe to merge: all prior security and technical issues have been resolved; the Telegram notification implementation is sound and properly escapes MarkdownV2 content separately from Discord messages.
  • The PR substantially improves the notifier by eliminating shell injection risks, correctly handling multi-line content, and producing format-appropriate output for each notification channel. Technical implementation is solid. The score is not higher (5) because the design choice to mark all Telegram secrets as required: true creates a structural constraint: any future caller of this reusable workflow that doesn't intend to use Telegram will fail before any step executes, even with continue-on-error in place. This is not a bug in the current usage but a consideration for extensibility.
  • No files require special attention. Both workflows are sound for their current usage pattern.

Sequence Diagram

sequenceDiagram
    participant NB as nightly-build.yml
    participant CRN as community-release-notifier.yml
    participant Bash as Runner (bash)
    participant Discord
    participant Telegram

    NB->>CRN: workflow_call (tag, url, body, secrets)
    CRN->>Bash: Prepare release variables (env: isolated)
    Bash->>Bash: Escape body/tag for MarkdownV2 → body_safe, tag_safe
    Bash->>Bash: Build ANNOUNCE_SAFE (Telegram MarkdownV2)
    Bash->>Bash: Build ANNOUNCE_PLAIN (Discord plain MD)
    Bash-->>CRN: outputs: announce, body_safe, announce_plain, body_plain

    CRN->>CRN: Truncate message for Discord (≤2000 chars)
    CRN->>Discord: POST webhook (announce_plain + body_plain)

    alt TELEGRAM_BOT_TOKEN ≠ "" AND CHAT_ID ≠ "" AND THREAD_ID ≠ ""
        CRN->>Telegram: Send MarkdownV2 message (announce + body_safe, thread_id)
    else any Telegram secret is empty
        CRN-->>CRN: Skip Telegram step (continue-on-error)
    end

Last reviewed commit: 5d852f2

@UnschooledGamer UnschooledGamer changed the title Add Telegram Notifier to CI pipeline DO NOT MERGE: Add Telegram Notifier to CI pipeline Mar 9, 2026
@UnschooledGamer

This comment was marked as resolved.

UnschooledGamer and others added 3 commits March 9, 2026 13:05
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@UnschooledGamer

This comment was marked as outdated.

UnschooledGamer and others added 2 commits March 9, 2026 13:28
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@UnschooledGamer

This comment has been minimized.

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@UnschooledGamer

This comment has been minimized.

Comment on lines +83 to +86
stringToTruncate: |
${{ steps.vars.outputs.announce }}

${{ steps.vars.outputs.body_safe }}
Contributor

MarkdownV2-escaped content sent to Discord

steps.vars.outputs.announce and steps.vars.outputs.body_safe are both escaped for Telegram's MarkdownV2 format (backslash-prefixing ., -, !, #, (, ), etc.). This same escaped content is fed directly into the Discord notification.

Discord uses a different markdown dialect: it only strips a leading \ before its own special characters (*, _, `, ~, |). For every other character, a \ is displayed literally. This means:

  • A release note with "Added version 1.2.3" will appear as "Added version 1\.2\.3" in Discord.
  • A tag like v1.0.0-nightly in the announce line will appear as v1\.0\.0\-nightly inside the Discord link text.
  • Any ! escaped as \!, or # escaped as \#, etc. will all show visible backslashes in Discord.

The fix is to produce two separate outputs from the vars step — one for Telegram (MarkdownV2-escaped) and one for Discord (raw/unescaped) — and feed each to the appropriate notification step:

# In the vars step:
echo "announce_plain=📢 Acode $TAG ($URL) was just Released 🎉${SUFFIX_PLAIN}!" >> $GITHUB_OUTPUT
{
  echo "body_plain<<$DELIMITER"
  printf '%s\n' "$INPUT_BODY"
  echo "$DELIMITER"
} >> $GITHUB_OUTPUT

# In the Discord truncate step:
stringToTruncate: |
  ${{ steps.vars.outputs.announce_plain }}

  ${{ steps.vars.outputs.body_plain }}
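
The handling that the summary and the inline review comment above describe, as a stand-alone shell sketch (an added example, not the PR's workflow code): values are read from environment variables, as `env:` isolation delivers them, escaped for MarkdownV2, and written as multi-line outputs next to unescaped Discord variants. The function names, the `EOF_` delimiter prefix, the announcement wording and the sample input are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. In the workflow, TAG, URL and
# INPUT_BODY would arrive through the step's env: block, so the shell sees
# them as variable data rather than as text expanded into the script.

# Backslash-escape every character Telegram MarkdownV2 treats as special.
md2_escape() {
  printf '%s\n' "$1" | sed 's/[][\\_*()~`>#+=|{}.!-]/\\&/g'
}

# Append one output as `name<<DELIM`, value, `DELIM`. The delimiter is random
# per call, so text inside a release body cannot close the block early.
emit_output() {
  delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$1" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >> "$GITHUB_OUTPUT"
}

# Write both variants: escaped for Telegram, untouched for Discord.
prepare_outputs() {
  tag_safe=$(md2_escape "$TAG")
  # The hard-coded "!" needs its own escape in the Telegram text.
  emit_output announce "Acode ${tag_safe} was just released\\!"
  emit_output body_safe "$(md2_escape "$INPUT_BODY")"
  emit_output announce_plain "Acode ${TAG} (${URL}) was just released!"
  emit_output body_plain "$INPUT_BODY"
}

# Constructed sample input; the shell metacharacters in it must stay inert.
demo() {
  GITHUB_OUTPUT=$(mktemp)
  TAG='v1.0.0-nightly'
  URL='https://example.invalid/releases/v1.0.0-nightly'
  INPUT_BODY='Added version 1.2.3!
- fix #42 $(echo injected) `x`'
  export GITHUB_OUTPUT TAG URL INPUT_BODY
  prepare_outputs
  cat "$GITHUB_OUTPUT"
}

demo
```
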

@UnschooledGamer

This comment has been minimized.

UnschooledGamer and others added 2 commits March 9, 2026 15:03
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@UnschooledGamer UnschooledGamer changed the title DO NOT MERGE: Add Telegram Notifier to CI pipeline Add Telegram Notifier to CI pipeline Mar 9, 2026
@UnschooledGamer

This comment has been minimized.

@UnschooledGamer UnschooledGamer changed the title Add Telegram Notifier to CI pipeline Add Telegram Notifier to Nightly CI pipeline Mar 9, 2026
@UnschooledGamer
Member Author

@greptileai

@UnschooledGamer UnschooledGamer merged commit 14b4248 into Acode-Foundation:main Mar 9, 2026
7 checks passed
@UnschooledGamer UnschooledGamer deleted the UnschooledGamer-patch-1 branch March 9, 2026 14:00