@YakshithK
Contributor

Summary

This PR implements backend sanitization of @OpenHands mentions in GitHub comments to prevent self-mention loops. Instead of mentioning the OpenHands agent, the sanitization inserts a zero-width joiner after the @ symbol, making the mention non-clickable while maintaining readability.

Changes

  • Added sanitize_openhands_mentions() function in openhands/sdk/utils/github.py that uses a zero-width joiner (U+200D) to prevent @OpenHands mentions from being parsed as clickable references
  • Updated GitHub workflow files to sanitize @OpenHands mentions before posting comments
  • Updated example agent script to sanitize review comments before posting
  • Exported the new function from the utils module

Technical Details

  • The sanitization is performed in the backend (when outputting to GitHub comments) rather than at the agent/frontend level
  • Uses regex pattern matching to identify @OpenHands mentions (case-insensitive)
  • Inserts zero-width joiner after @ to break the mention linkage
  • Maintains text readability since the zero-width joiner is invisible

Related PR

See OpenHands/OpenHands#11550 for the corresponding changes in the main repository.

…nt self-mention loops in comments and reports
@blacksmith-sh
Contributor

blacksmith-sh bot commented Nov 10, 2025

[Automatic Post]: It has been a while since there was any activity on this PR. @YakshithK, are you still working on it? If so, please go ahead, if not then please request review, close it, or request that someone else follow up.

@simonrosenberg
Collaborator

@OpenHands

Make sure that sanitize_openhands_mentions is applied to all agent outputs that are then posted as comments to GitHub.
.github/workflows/run-examples.yml should use sanitize_openhands_mentions instead of redefining a method.

@openhands-ai

openhands-ai bot commented Nov 10, 2025

I'm on it! simonrosenberg can track my progress at all-hands.dev

simonrosenberg and others added 2 commits November 10, 2025 16:37
…les.yml

- Replace inline sanitize_comment function with import from openhands.sdk.utils.github
- Add sanitization to read_report step for scheduled/workflow_dispatch events
- Ensures all GitHub comments from agent outputs are properly sanitized

Co-authored-by: openhands <[email protected]>
@openhands-ai

openhands-ai bot commented Nov 10, 2025

Summary of Changes

I've successfully addressed your request to ensure sanitize_openhands_mentions is properly applied to all agent outputs posted as GitHub comments, and updated .github/workflows/run-examples.yml to use the function instead of redefining it.

Changes Made:

1. Refactored .github/workflows/run-examples.yml:

  • Replaced inline function definition (lines 109-122): Removed the bash function that redefined the sanitization logic and replaced it with a call to openhands.sdk.utils.github.sanitize_openhands_mentions
  • Added missing sanitization to the read_report step (line 316): The scheduled/workflow_dispatch runs now properly sanitize the examples report before posting to the tracker issue

Verification:

All GitHub comment locations now use sanitization:

  • .github/workflows/integration-runner.yml: Lines 229 and 241 (already using SDK function)
  • .github/workflows/run-examples.yml:
    • update_comment function: Line 112 (now using SDK function)
    • read_report step: Line 316 (newly added)
  • examples/03_github_workflows/02_pr_review/agent_script.py: Line 56 (already using SDK function)

No more duplicate definitions: The inline sanitization logic has been removed in favor of importing from the SDK utils module

Pre-commit checks passed: All formatting and linting checks passed

Changes Pushed:

The commit has been pushed to the fix/prevent-self-mentioning-loops branch and is now part of PR #1020.

View PR: #1020

View full conversation

@simonrosenberg simonrosenberg requested a review from enyst November 10, 2025 17:22
echo "$COMMENT_BODY" | gh pr comment ${{ github.event.pull_request.number }} --body-file -
env:
GH_TOKEN: ${{ github.token }}
PYTHONPATH: ${{ github.workspace }}
Collaborator

Is it necessary to define PYTHONPATH?

Collaborator

According to OpenHands

  • The workflow runs uv sync --dev which properly installs all workspace packages including openhands-sdk
  • Once installed via uv sync, the package is available in the Python environment without needing PYTHONPATH
  • The uv run python command already uses the correct virtual environment with the installed packages

Let me remove the unnecessary PYTHONPATH settings:

@enyst
Collaborator

enyst commented Nov 10, 2025

@OpenHands Do a /codereview-roasted on this PR.

@openhands-ai

openhands-ai bot commented Nov 10, 2025

I'm on it! enyst can track my progress at all-hands.dev

@openhands-ai

openhands-ai bot commented Nov 10, 2025

Summary of work: I performed a “/codereview-roasted” review of the PR on branch fix/prevent-self-mentioning-loops. I reviewed the diff vs. origin/main and examined these files:

  • openhands-sdk/openhands/sdk/utils/github.py
  • openhands-sdk/openhands/sdk/utils/__init__.py
  • .github/workflows/integration-runner.yml
  • .github/workflows/run-examples.yml
  • examples/03_github_workflows/02_pr_review/agent_script.py

Key findings and recommendations:

  • Critical fix: The mention regex in utils/github.py will falsely trigger on email addresses like [email protected]. Use a safer pattern that avoids email-localpart contexts, for example:
    • pattern = r"(?<![\w.+-])@OpenHands\b(?!\.)" with re.IGNORECASE
  • Simplify regex: Drop [Oo]/[Hh] since re.IGNORECASE already handles case.
  • Consider ZWSP (U+200B) or document tradeoffs of ZWJ (U+200D) for broader renderer compatibility.
  • Add a small unit test suite for sanitize_openhands_mentions (mentions, punctuation, no-op, and email cases).
  • Workflow polish:
    • Prefer printf "%s" over echo for piping multi-line content to Python.
    • Standardize on a single method (gh CLI or curl) for posting comments to reduce maintenance friction.
    • Optional: centralize the sanitize invocation to avoid repeating inline python -c fragments.
  • Future-proofing: If needed, extend sanitization to other bot handles beyond @OpenHands.

No code changes were made or pushed.

View full conversation
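
The email false positive raised in the review above, as an added example that is not code from this PR or from the OpenHands SDK: it compares an assumed naive pattern, the pattern quoted in the review (with a capture group added to preserve case), and a stricter variant on constructed inputs. `NAIVE`, `STRICT`, `sanitize` and `SAMPLES` are names invented here; `STRICT` is an assumption that covers a handle followed by a sentence-ending period, which the review's `(?!\.)` lookahead leaves unmodified.

```python
import re

ZWJ = "\u200d"  # zero-width joiner, the character the PR inserts after "@"

# Assumed naive pattern (constructed for contrast; not the project's code).
NAIVE = re.compile(r"@(OpenHands)\b", re.IGNORECASE)
# Pattern quoted in the review, with a capture group added to preserve case.
REVIEWED = re.compile(r"(?<![\w.+-])@(OpenHands)\b(?!\.)", re.IGNORECASE)
# Assumed variant: only refuse a dot that continues into a domain-like label,
# so a sentence-ending "@OpenHands." is still neutralized.
STRICT = re.compile(r"(?<![\w.+-])@(OpenHands)\b(?!\.\w)", re.IGNORECASE)


def sanitize(text: str, pattern: re.Pattern = STRICT) -> str:
    """Insert a ZWJ after '@' in every match so the handle is not a mention."""
    return pattern.sub(lambda m: "@" + ZWJ + m.group(1), text)


# Constructed sample inputs (not taken from the PR's test suite).
SAMPLES = {
    "plain": "Thanks @OpenHands for the review",
    "case": "ping @openhands and @OPENHANDS",
    "email": "contact dev@openhands.example for access",
    "sentence_end": "Fixed by @OpenHands.",
    "partial": "see @OpenHandsBot",
}

if __name__ == "__main__":
    patterns = (("naive", NAIVE), ("reviewed", REVIEWED), ("strict", STRICT))
    for name, text in SAMPLES.items():
        for label, pat in patterns:
            # repr() makes the otherwise invisible \u200d visible in the output
            print(f"{name:13}{label:9}{sanitize(text, pat)!r}")
```

Sanitizing already sanitized text is a no-op under all three patterns, because the inserted joiner sits between `@` and the handle.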

@openhands-ai

openhands-ai bot commented Nov 10, 2025

@openhands-ai[bot] please re-login into OpenHands Cloud before starting a job.

@neubig neubig removed their request for review November 10, 2025 23:50
@blacksmith-sh
Contributor

blacksmith-sh bot commented Nov 17, 2025

[Automatic Post]: It has been a while since there was any activity on this PR. @YakshithK, are you still working on it? If so, please go ahead, if not then please request review, close it, or request that someone else follow up.

@simonrosenberg
Collaborator

@OpenHands please resolve conflicts

@openhands-ai

openhands-ai bot commented Nov 19, 2025

I'm on it! simonrosenberg can track my progress at all-hands.dev

Resolved conflicts in openhands-sdk/openhands/sdk/utils/__init__.py by keeping both:
- sanitize_openhands_mentions from the current branch
- deprecation utilities from main

Co-authored-by: openhands <[email protected]>
@openhands-ai

openhands-ai bot commented Nov 19, 2025

Summary

I have successfully resolved the merge conflicts in PR #1020 (fix/prevent-self-mentioning-loops) by merging the latest changes from origin/main into the feature branch.

What was done:

  1. Identified the conflict: The conflict was in openhands-sdk/openhands/sdk/utils/__init__.py where:

    • The feature branch added sanitize_openhands_mentions from .github module
    • The main branch added deprecation utilities (deprecated, warn_deprecated) from .deprecation module
  2. Resolved the conflict: I merged both changes by:

    • Keeping all imports from both branches
    • Including both sets of exports in the __all__ list
    • Maintaining proper alphabetical ordering
  3. Validated the changes:

    • Ran pre-commit hooks to ensure code quality (all passed)
    • Verified the resolved file meets all coding standards
  4. Committed and pushed:

    • Created a merge commit with a clear description of the conflict resolution
    • Pushed the changes to origin/fix/prevent-self-mentioning-loops

The PR is now up-to-date with the main branch and ready for review. The merge brought in 140 changed files from main (including new features like deprecation utilities, critic implementations, and various improvements) while preserving the sanitization functionality from the feature branch.

View full conversation

@simonrosenberg simonrosenberg force-pushed the fix/prevent-self-mentioning-loops branch from c525b7e to 1c8ca72 Compare November 19, 2025 11:01
…comprehensive tests

- Simplify regex pattern to use re.IGNORECASE with capture group for case preservation
- Add detailed documentation about ZWJ choice and usage
- Normalize ZWJ to lowercase hex escape (\u200d)
- Add comprehensive unit test suite covering:
  - Basic mention sanitization
  - Case-insensitive matching with case preservation
  - Multiple mentions
  - Punctuation handling
  - Partial word rejection
  - No-op cases
  - Line boundaries
  - Multiline text
  - URL handling
  - Whitespace preservation
- Improve workflow polish: use printf instead of echo for piping multi-line content

Addresses code review feedback on PR OpenHands#1020

Co-authored-by: openhands <[email protected]>
The PYTHONPATH setting is not needed because 'uv sync --dev' properly
installs all workspace packages (including openhands-sdk) into the
virtual environment. The packages are then accessible via 'uv run python'
without requiring PYTHONPATH manipulation.

Co-authored-by: openhands <[email protected]>
@simonrosenberg simonrosenberg merged commit aebb9db into OpenHands:main Nov 19, 2025
14 checks passed