fix: use cursor pagination for Dependabot alerts + dry-run dispatch (formbricks#8183)

mattinannt · claude · web-flow · commit d3d971db5196 · 2026-05-29T13:21:42.000Z
Co-authored-by: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/dependabot-to-linear.yml b/.github/workflows/dependabot-to-linear.yml
@@ -3,7 +3,12 @@ name: Dependabot Alerts to Linear
 on:
   schedule:
     - cron: "0 11 * * *" # 11:00 UTC = 12:00 CET (noon); +1h during CEST
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Log what would be created without writing to Linear"
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -40,4 +45,4 @@ jobs:
           # Fallback used by the script if LINEAR_API_KEY is not set; must be
           # listed here because the job only sees secrets exposed via env.
           LINEAR_ACCESS_KEY: ${{ secrets.LINEAR_ACCESS_KEY }}
-        run: node scripts/dependabot-to-linear.mjs
+        run: node scripts/dependabot-to-linear.mjs ${{ inputs.dry_run && '--dry-run' || '' }}
diff --git a/scripts/dependabot-to-linear.mjs b/scripts/dependabot-to-linear.mjs
@@ -12,7 +12,10 @@
 //   GITHUB_REPOSITORY      "owner/repo" (provided automatically in Actions)
 //   DEPENDABOT_ALERTS_TOKEN  token with "Dependabot alerts: read" (the default
 //                            GITHUB_TOKEN cannot read this API)
-//   LINEAR_API_KEY | LINEAR_ACCESS_KEY  Linear key with issue-create access
+//   LINEAR_API_KEY | LINEAR_ACCESS_KEY  Linear personal API key with BOTH
+//                            `read` (to dedupe against existing issues) and
+//                            `write` / `issues:create` (to create new ones).
+//                            Generated at Settings → API → Personal API keys.
 // Flags:
 //   --dry-run  log what would be created without writing to Linear
 
@@ -47,12 +50,22 @@ function requireEnv(name, ...fallbacks) {
   throw new Error(`Missing required env var: ${[name, ...fallbacks].join(" or ")}`);
 }
 
+// The Dependabot alerts endpoint uses cursor pagination (`before`/`after`),
+// not `?page=`. The next-page cursor is returned in the response `Link` header
+// as `<url>; rel="next"`. Walk that until there's no next link.
+function parseNextLink(linkHeader) {
+  if (!linkHeader) return null;
+  for (const part of linkHeader.split(",")) {
+    const match = part.match(/<([^>]+)>\s*;\s*rel="next"/);
+    if (match) return match[1];
+  }
+  return null;
+}
+
 async function fetchOpenAlerts(repo, token) {
   const alerts = [];
-  let page = 1;
-  const perPage = 100;
-  for (;;) {
-    const url = `https://api.github.com/repos/${repo}/dependabot/alerts?state=open&per_page=${perPage}&page=${page}`;
+  let url = `https://api.github.com/repos/${repo}/dependabot/alerts?state=open&per_page=100`;
+  while (url) {
     const res = await fetch(url, {
       signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
       headers: {
@@ -68,8 +81,7 @@ async function fetchOpenAlerts(repo, token) {
     }
     const batch = await res.json();
     alerts.push(...batch);
-    if (batch.length < perPage) break;
-    page += 1;
+    url = parseNextLink(res.headers.get("link"));
   }
   return alerts;
 }
