From 12f5e9ffcc2f5e21bbd60eeea687b99cef252451 Mon Sep 17 00:00:00 2001
From: Ryan Kuo
Date: Wed, 13 May 2026 13:11:46 -0400
Subject: [PATCH 1/2] add Slack notification for docs-prs review requests

Sends a notification to #doc_review channel when docs-prs team is requested as a reviewer on a PR. The notification includes:
- PR title and number
- Author
- Total lines changed
- Direct link to the PR
Co-Authored-By: roachdev-claude
---
 .github/workflows/slack-notify-doc-review.yml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/slack-notify-doc-review.yml

diff --git a/.github/workflows/slack-notify-doc-review.yml b/.github/workflows/slack-notify-doc-review.yml
new file mode 100644
index 00000000000..92f1bcf2c4d
--- /dev/null
+++ b/.github/workflows/slack-notify-doc-review.yml
@@ -0,0 +1,44 @@
+name: Notify Slack on Doc Review Request
+
+on:
+ pull_request:
+ types: [review_requested]
+
+jobs:
+ notify-slack:
+ # Only run if docs-prs team was requested as reviewer
+ if: github.event.requested_team.slug == 'docs-prs'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get PR details
+ id: pr_details
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: |
+ # Get additions and deletions from the PR
+ PR_DATA=$(gh api /repos/${{ github.repository }}/pulls/$PR_NUMBER)
+ ADDITIONS=$(echo "$PR_DATA" | jq -r '.additions')
+ DELETIONS=$(echo "$PR_DATA" | jq -r '.deletions')
+ TOTAL_LINES=$((ADDITIONS + DELETIONS))
+ echo "lines_changed=$TOTAL_LINES" >> $GITHUB_OUTPUT
+
+ - name: Send Slack notification
+ env:
+ PR_TITLE: ${{ github.event.pull_request.title }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ LINES_CHANGED: ${{ steps.pr_details.outputs.lines_changed }}
+ run: |
+ curl -X POST "https://hooks.slack.com/triggers/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" \
+ -H 'Content-Type: application/json' \
+ -d @- <
Date: Thu, 14 May 2026 13:34:21 -0400
Subject: [PATCH 2/2] fix security and efficiency issues in Slack notification workflow

- Use jq to safely construct JSON payload, preventing injection attacks
- Move webhook URL to GitHub secret instead of hardcoding
- Remove unnecessary gh api call, use github.event.pull_request directly
- Add --fail-with-body to curl for proper error handling
Co-Authored-By: roachdev-claude
---
 .github/workflows/slack-notify-doc-review.yml | 36 +++++++------------
 1 file changed, 12 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/slack-notify-doc-review.yml b/.github/workflows/slack-notify-doc-review.yml
index 92f1bcf2c4d..cc20586ee5c 100644
--- a/.github/workflows/slack-notify-doc-review.yml
+++ b/.github/workflows/slack-notify-doc-review.yml
@@ -10,35 +10,23 @@ jobs:
 if: github.event.requested_team.slug == 'docs-prs'
 runs-on: ubuntu-latest
 steps:
- - name: Get PR details
- id: pr_details
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- run: |
- # Get additions and deletions from the PR
- PR_DATA=$(gh api /repos/${{ github.repository }}/pulls/$PR_NUMBER)
- ADDITIONS=$(echo "$PR_DATA" | jq -r '.additions')
- DELETIONS=$(echo "$PR_DATA" | jq -r '.deletions')
- TOTAL_LINES=$((ADDITIONS + DELETIONS))
- echo "lines_changed=$TOTAL_LINES" >> $GITHUB_OUTPUT
-
 - name: Send Slack notification
 env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_DOC_REVIEW_WEBHOOK_URL }}
 PR_TITLE: ${{ github.event.pull_request.title }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 PR_AUTHOR: ${{ github.event.pull_request.user.login }}
 PR_NUMBER: ${{ github.event.pull_request.number }}
- LINES_CHANGED: ${{ steps.pr_details.outputs.lines_changed }}
+ LINES_CHANGED: ${{ github.event.pull_request.additions + github.event.pull_request.deletions }}
 run: |
- curl -X POST "https://hooks.slack.com/triggers/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" \
+ jq -n \
+ --arg title "$PR_TITLE" \
+ --arg url "$PR_URL" \
+ --arg author "$PR_AUTHOR" \
+ --arg number "$PR_NUMBER" \
+ --arg lines "$LINES_CHANGED" \
+ '{pr_title: $title, pr_url: $url, pr_author: $author, pr_number: $number, lines_changed: $lines}' \
+ | curl -X POST "$SLACK_WEBHOOK_URL" \
 -H 'Content-Type: application/json' \
 -d @- <
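Review bot: The Slack trigger URL deleted from the old `curl -X POST "https://hooks.slack.com/triggers/…"` line is still readable in patch 1/2 of this series and in repository history, so moving it to `secrets.SLACK_DOC_REVIEW_WEBHOOK_URL` only protects it if the trigger is regenerated in Slack and the new value is what gets stored in the secret. Separately, runs started by `pull_request` from a fork do not receive repository secrets, so `$SLACK_WEBHOOK_URL` would be empty for those PRs; a guard at the top of the `run:` script such as `[ -n "$SLACK_WEBHOOK_URL" ] || { echo "Slack webhook secret unavailable; skipping"; exit 0; }` makes that case explicit instead of leaving it to a curl error. With the `gh api` step gone the job no longer uses `GITHUB_TOKEN`, so adding `permissions: {}` under `notify-slack:` would drop the default token scopes. The end of this hunk (the rest of the curl command) is not visible on the page, so whether the `--fail-with-body` flag named in the commit message actually landed cannot be checked here.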