Github-Discussions on Yarang's Tech Lairhttps://blog.fcoinfup.com/tags/github-discussions/Recent content in Github-Discussions on Yarang's Tech LairHugo -- gohugo.ioenSun, 03 May 2026 01:00:00 +0900Building a Blog AI Auto-Comment System (1/3) — Architecture and Implementationhttps://blog.fcoinfup.com/post/ai-auto-comment-system-part1-architecture/Sun, 03 May 2026 01:00:00 +0900https://blog.fcoinfup.com/post/ai-auto-comment-system-part1-architecture/<h2 id="overview">Overview </h2><p>I built a system where AI automatically responds to blog comments. When a reader leaves a comment on a blog post, the AI assistant analyzes the post context and automatically generates a technically accurate yet friendly reply.</p> <p>This series consists of three parts:</p> <ul> <li><strong>Part 1 (This post)</strong>: Overall architecture design and core code implementation</li> <li><strong>Part 2</strong>: File-based authentication, permission management, security hardening</li> <li><strong>Part 3</strong>: systemd deployment, nginx proxy, troubleshooting</li> </ul> <hr> <h2 id="system-architecture">System Architecture </h2><h3 id="overall-data-flow">Overall Data Flow </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>Reader writes a comment </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[giscus] → Creates a comment on GitHub Discussions </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[GitHub Webhook] → Sends HTTP POST </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[nginx reverse proxy] → Header forwarding </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[Flask Worker] → Signature verification → Comment analysis </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[Claude Code CLI] → Generates AI response </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[GitHub GraphQL API] → Posts reply to Discussion </span></span><span style="display:flex;"><span> ↓ </span></span><span style="display:flex;"><span>[giscus] → Displays reply on blog </span></span></code></pre></div><p>The key point in this architecture is that <strong>giscus uses GitHub Discussions as a comment storage</strong>. Therefore, we can receive new comment events via GitHub Webhook and post responses using the same GitHub API.</p> <h3 id="components">Components </h3><table> <thead> <tr> <th>Component</th> <th>Role</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>giscus</td> <td>Blog comment widget</td> <td>Based on GitHub Discussions</td> </tr> <tr> <td>GitHub Webhook</td> <td>Event delivery</td> <td><code>discussion_comment</code> event</td> </tr> <tr> <td>nginx</td> <td>Reverse proxy</td> <td>Header forwarding, SSL termination</td> </tr> <tr> <td>Flask Worker</td> <td>Webhook receiving and processing</td> <td>Python, Flask, Flask-Limiter</td> </tr> <tr> <td>Claude Code</td> <td>AI response generation</td> <td><code>--print</code> mode CLI call</td> </tr> <tr> <td>GitHub GraphQL</td> <td>Response posting</td> <td>Mutation API</td> </tr> </tbody> </table> <hr> <h2 id="giscus-configuration">giscus Configuration </h2><p>To integrate giscus into a Hugo blog, the following configuration is required in <code>hugo.toml</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span>[<span style="color:#a6e22e">params</span>] </span></span><span style="display:flex;"><span> [<span style="color:#a6e22e">params</span>.<span style="color:#a6e22e">comments</span>] </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">enabled</span> = <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">provider</span> = <span style="color:#e6db74">&#34;giscus&#34;</span> </span></span><span style="display:flex;"><span> [<span style="color:#a6e22e">params</span>.<span style="color:#a6e22e">comments</span>.<span style="color:#a6e22e">giscus</span>] </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">repo</span> = <span style="color:#e6db74">&#34;yarang/blogs&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">repoId</span> = <span style="color:#e6db74">&#34;YOUR_REPO_ID&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">category</span> = <span style="color:#e6db74">&#34;General&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">categoryId</span> = <span style="color:#e6db74">&#34;YOUR_CATEGORY_ID&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mapping</span> = <span style="color:#e6db74">&#34;pathname&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">strict</span> = <span style="color:#e6db74">&#34;0&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">reactionsEnabled</span> = <span style="color:#e6db74">&#34;1&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">emitMetadata</span> = <span style="color:#e6db74">&#34;0&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">inputPosition</span> = <span style="color:#e6db74">&#34;bottom&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">lang</span> = <span style="color:#e6db74">&#34;ko&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">theme</span> = <span style="color:#e6db74">&#34;noborder_gray&#34;</span> </span></span></code></pre></div><p><code>mapping = &quot;pathname&quot;</code> maps Discussions based on the post URL path. This creates an independent Discussion for each blog post.</p> <hr> <h2 id="github-webhook-configuration">GitHub Webhook Configuration </h2><p>In the GitHub repository Settings &gt; Webhooks:</p> <ul> <li><strong>Payload URL</strong>: <code>https://your-domain/webhook</code></li> <li><strong>Content type</strong>: <code>application/json</code></li> <li><strong>Secret</strong>: Secret for HMAC-SHA256 signature (covered in detail in the security post)</li> <li><strong>Events</strong>: Select <code>Discussion comments</code></li> </ul> <p>The Webhook sends a <code>discussion_comment</code> event to the Flask worker whenever a comment is created.</p> <hr> <h2 id="flask-worker-implementation">Flask Worker Implementation </h2><h3 id="project-structure">Project Structure </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>auto-comment-worker/ </span></span><span style="display:flex;"><span>├── scripts/ </span></span><span style="display:flex;"><span>│ └── auto-comment-worker.py # Main worker </span></span><span style="display:flex;"><span>├── deploy/ </span></span><span style="display:flex;"><span>│ └── auto-comment-worker.service # systemd service </span></span><span style="display:flex;"><span>├── venv/ # Python virtual environment </span></span><span style="display:flex;"><span>└── logs/ </span></span><span style="display:flex;"><span> └── audit.log # Audit log </span></span></code></pre></div><h3 id="core-dependencies">Core Dependencies </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">from</span> flask <span style="color:#f92672">import</span> Flask, request, jsonify </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> flask_limiter <span style="color:#f92672">import</span> Limiter </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> flask_limiter.util <span style="color:#f92672">import</span> get_remote_address </span></span><span style="display:flex;"><span><span style="color:#f92672">from</span> marshmallow <span style="color:#f92672">import</span> Schema, fields, validate, ValidationError </span></span></code></pre></div><ul> <li><strong>Flask</strong>: Provides Webhook endpoints as a lightweight web framework</li> <li><strong>Flask-Limiter</strong>: Prevents abuse with rate limiting (10 times per minute)</li> <li><strong>marshmallow</strong>: Safe data parsing via request schema validation</li> </ul> <h3 id="webhook-endpoint">Webhook Endpoint </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#a6e22e">@app.route</span>(<span style="color:#e6db74">&#39;/webhook&#39;</span>, methods<span style="color:#f92672">=</span>[<span style="color:#e6db74">&#39;POST&#39;</span>]) </span></span><span style="display:flex;"><span><span style="color:#a6e22e">@limiter.limit</span>(<span style="color:#e6db74">&#34;10 per minute&#34;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">github_webhook</span>(): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Receives GitHub Webhook&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 1. Signature verification</span> </span></span><span style="display:flex;"><span> signature <span style="color:#f92672">=</span> request<span style="color:#f92672">.</span>headers<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;X-Hub-Signature-256&#39;</span>) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> verify_webhook_signature(request<span style="color:#f92672">.</span>data, signature): </span></span><span style="display:flex;"><span> log_audit(<span style="color:#e6db74">&#39;SIGNATURE_INVALID&#39;</span>, {<span style="color:#e6db74">&#39;ip&#39;</span>: request<span style="color:#f92672">.</span>remote_addr}) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;unauthorized&#39;</span>}), <span style="color:#ae81ff">401</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 2. Request schema validation</span> </span></span><span style="display:flex;"><span> schema <span style="color:#f92672">=</span> WebhookSchema() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">try</span>: </span></span><span style="display:flex;"><span> payload <span style="color:#f92672">=</span> schema<span style="color:#f92672">.</span>load(request<span style="color:#f92672">.</span>json) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">except</span> ValidationError <span style="color:#66d9ef">as</span> err: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;invalid&#39;</span>}), <span style="color:#ae81ff">400</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 3. Extract and filter comment information</span> </span></span><span style="display:flex;"><span> comment <span style="color:#f92672">=</span> payload<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;comment&#39;</span>, {}) </span></span><span style="display:flex;"><span> discussion <span style="color:#f92672">=</span> payload<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;discussion&#39;</span>, {}) </span></span><span style="display:flex;"><span> original_author <span style="color:#f92672">=</span> comment<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;user&#39;</span>, {})<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;login&#39;</span>, <span style="color:#e6db74">&#39;User&#39;</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Ignore if it&#39;s the blog owner&#39;s comment</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> _is_blog_owner(original_author): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;owner_comment_ignored&#39;</span>}), <span style="color:#ae81ff">200</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Ignore if AI generated comment (prevent infinite loop)</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> _is_ai_generated_comment(comment<span style="color:#f92672">.</span>get(<span style="color:#e6db74">&#39;body&#39;</span>, <span style="color:#e6db74">&#39;&#39;</span>)): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;ai_comment_ignored&#39;</span>}), <span style="color:#ae81ff">200</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># 4. Generate and post AI response</span> </span></span><span style="display:flex;"><span> discussion_graphql_id <span style="color:#f92672">=</span> get_discussion_graphql_id( </span></span><span style="display:flex;"><span> repo_owner, repo_name, discussion_number </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> context <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Title: </span><span style="color:#e6db74">{</span>discussion_title<span style="color:#e6db74">}</span><span style="color:#ae81ff">\n\n</span><span style="color:#e6db74">Content: </span><span style="color:#e6db74">{</span>discussion_body<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> reply <span style="color:#f92672">=</span> analyze_comment(context, comment_body) </span></span><span style="display:flex;"><span> post_reply_graphql(discussion_graphql_id, comment_body, original_author, reply) </span></span></code></pre></div><p>The core flow consists of 4 steps:</p> <ol> <li><strong>Signature verification</strong>: Verifies if the request came from GitHub using HMAC-SHA256</li> <li><strong>Schema validation</strong>: Validates payload structure with marshmallow</li> <li><strong>Filtering</strong>: Ignores comments from the blog owner and the AI itself (prevents infinite loops)</li> <li><strong>Response</strong>: Generates AI response with Claude Code and posts via GraphQL API</li> </ol> <h3 id="preventing-infinite-loops">Preventing Infinite Loops </h3><p>If AI responds to a comment created by AI, it will fall into an infinite loop. To prevent this, we use marker-based detection:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">_is_ai_generated_comment</span>(body: str) <span style="color:#f92672">-&gt;</span> bool: </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Identifies if the comment was generated by AI&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> ai_markers <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;🤖 AI Assistant&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;AI Assistant&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;AgentForge&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;Automatically generated by Claude Code&#39;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;was automatically generated&#39;</span> </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> body_lower <span style="color:#f92672">=</span> body<span style="color:#f92672">.</span>lower() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> any(marker<span style="color:#f92672">.</span>lower() <span style="color:#f92672">in</span> body_lower <span style="color:#66d9ef">for</span> marker <span style="color:#f92672">in</span> ai_markers) </span></span></code></pre></div><p>When posting the AI response, you must include one of these markers in the body:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>body <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34;--- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">**🤖 AI Assistant** </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">{</span>safe_reply<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">*This comment was automatically generated by AgentForge + Claude Code.* </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">--- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;&#34;&#34;</span> </span></span></code></pre></div><h3 id="calling-claude-code-cli">Calling Claude Code CLI </h3><p>Use Claude Code&rsquo;s <code>--print</code> mode to generate an AI response non-interactively:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">analyze_comment</span>(context: str, comment: str) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Run Claude Code with AgentForge settings&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> prompt <span style="color:#f92672">=</span> <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;&#34;&#34;## Blog Post Context </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">{</span>context[:<span style="color:#ae81ff">2000</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">## Reader Comment </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">{</span>comment<span style="color:#e6db74">}</span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">Please write a response to this comment. </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">- As a technical blog assistant, be professional yet friendly </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">- Concise within 200 characters </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">- Provide additional info or links if needed </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> cmd <span style="color:#f92672">=</span> [ </span></span><span style="display:flex;"><span> CLAUDE_CODE_PATH, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--settings&#39;</span>, AGENTFORGE_CONFIG, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;--print&#39;</span>, prompt </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> result <span style="color:#f92672">=</span> run(cmd, capture_output<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, text<span style="color:#f92672">=</span><span style="color:#66d9ef">True</span>, timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">60</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> result<span style="color:#f92672">.</span>returncode <span style="color:#f92672">==</span> <span style="color:#ae81ff">0</span> <span style="color:#f92672">and</span> result<span style="color:#f92672">.</span>stdout<span style="color:#f92672">.</span>strip(): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> result<span style="color:#f92672">.</span>stdout<span style="color:#f92672">.</span>strip() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#e6db74">&#34;Thanks for your opinion! I think it would be great to discuss the technical aspects further. 🙏&#34;</span> </span></span></code></pre></div><p>Specify the AgentForge dedicated configuration file with the <code>--settings</code> flag. You can manage the model, token limits, etc. in this configuration file.</p> <p>The <code>--print</code> flag runs Claude Code in non-interactive mode and outputs the result to stdout. Unlike interactive mode, it terminates after a single prompt-response.</p> <h3 id="github-graphql-api-integration">GitHub GraphQL API Integration </h3><p>Since giscus uses GitHub Discussions, the response must also be posted via the GitHub GraphQL API.</p> <p><strong>Retrieve Discussion GraphQL ID:</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">get_discussion_graphql_id</span>(repo_owner, repo_name, discussion_number): </span></span><span style="display:flex;"><span> query <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> query($owner: String!, $name: String!, $number: Int!) { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> repository(owner: $owner, name: $name) { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> discussion(number: $number) { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> id </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> variables <span style="color:#f92672">=</span> { </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;owner&#34;</span>: repo_owner, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;name&#34;</span>: repo_name, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;number&#34;</span>: discussion_number </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> response <span style="color:#f92672">=</span> requests<span style="color:#f92672">.</span>post( </span></span><span style="display:flex;"><span> GITHUB_API_URL, </span></span><span style="display:flex;"><span> json<span style="color:#f92672">=</span>{<span style="color:#e6db74">&#34;query&#34;</span>: query, <span style="color:#e6db74">&#34;variables&#34;</span>: variables}, </span></span><span style="display:flex;"><span> headers<span style="color:#f92672">=</span>{ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Authorization&#34;</span>: <span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;Bearer </span><span style="color:#e6db74">{</span>GITHUB_TOKEN<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;Content-Type&#34;</span>: <span style="color:#e6db74">&#34;application/json&#34;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> timeout<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span> </span></span><span style="display:flex;"><span> ) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> response<span style="color:#f92672">.</span>status_code <span style="color:#f92672">==</span> <span style="color:#ae81ff">200</span>: </span></span><span style="display:flex;"><span> data <span style="color:#f92672">=</span> response<span style="color:#f92672">.</span>json() </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> data[<span style="color:#e6db74">&#34;data&#34;</span>][<span style="color:#e6db74">&#34;repository&#34;</span>][<span style="color:#e6db74">&#34;discussion&#34;</span>][<span style="color:#e6db74">&#34;id&#34;</span>] </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#66d9ef">None</span> </span></span></code></pre></div><p>The Webhook payload only includes the Discussion&rsquo;s REST API ID. However, to post a comment, the GraphQL Node ID is required. Therefore, we first retrieve the Discussion&rsquo;s Node ID via a GraphQL query, then use it to post the comment.</p> <p><strong>Post Response (Mutation):</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">post_reply_graphql</span>(discussion_graphql_id, original_comment, original_author, reply): </span></span><span style="display:flex;"><span> query <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> mutation($discussionId: ID!, $body: String!) { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> addDiscussionComment(input: { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> discussionId: $discussionId, body: $body </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> }) { </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> comment { id, databaseId } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> } </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> &#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ... (Send request)</span> </span></span></code></pre></div><p>The <code>addDiscussionComment</code> mutation adds a new comment to the entire Discussion. It is a Discussion-level comment, not a reply to a specific comment.</p> <h3 id="input-sanitization">Input Sanitization </h3><p>Since user comments are external input, they must be sanitized:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">sanitize_comment</span>(body: str) <span style="color:#f92672">-&gt;</span> str: </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;User input sanitization&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> <span style="color:#f92672">not</span> body: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> body </span></span><span style="display:flex;"><span> body <span style="color:#f92672">=</span> re<span style="color:#f92672">.</span>sub(<span style="color:#e6db74">r</span><span style="color:#e6db74">&#39;&lt;[^&gt;]+&gt;&#39;</span>, <span style="color:#e6db74">&#39;&#39;</span>, body) <span style="color:#75715e"># Remove HTML tags</span> </span></span><span style="display:flex;"><span> body <span style="color:#f92672">=</span> html<span style="color:#f92672">.</span>escape(body) <span style="color:#75715e"># Escape HTML entities</span> </span></span><span style="display:flex;"><span> body <span style="color:#f92672">=</span> body[:<span style="color:#ae81ff">1000</span>] <span style="color:#75715e"># Length limit</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> body </span></span></code></pre></div><p>To prevent XSS attacks, HTML tags are removed, remaining special characters are escaped, and the length is limited to 1000 characters.</p> <h3 id="audit-logging">Audit Logging </h3><p>We keep audit logs to track security events:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">log_audit</span>(event_type: str, details: dict): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Record security event audit log&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">with</span> open(AUDIT_LOG, <span style="color:#e6db74">&#39;a&#39;</span>) <span style="color:#66d9ef">as</span> f: </span></span><span style="display:flex;"><span> f<span style="color:#f92672">.</span>write(json<span style="color:#f92672">.</span>dumps({ </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;timestamp&#39;</span>: datetime<span style="color:#f92672">.</span>utcnow()<span style="color:#f92672">.</span>isoformat(), </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;event&#39;</span>: event_type, </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;details&#39;</span>: details </span></span><span style="display:flex;"><span> }) <span style="color:#f92672">+</span> <span style="color:#e6db74">&#39;</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#39;</span>) </span></span></code></pre></div><p>Event types recorded:</p> <ul> <li><code>SIGNATURE_INVALID</code>: Webhook signature verification failed</li> <li><code>INVALID_PAYLOAD</code>: Invalid request payload</li> <li><code>WEBHOOK_RECEIVED</code>: Webhook received successfully</li> <li><code>AI_RESPONSE_SENT</code>: AI response posted successfully</li> </ul> <hr> <h2 id="conclusion">Conclusion </h2><p>In this Part 1, we covered the overall architecture and core implementation code connecting giscus, GitHub Webhook, Flask worker, Claude Code CLI, and GitHub GraphQL API.</p> <p>In the upcoming Part 2, we will cover <strong>security hardening</strong> for this system — file-based authentication management, file permission verification, HMAC-SHA256 signature verification, and more in detail.</p> <hr> <p><em>This post is Part 1 of the AgentForge blog automatic comment system series.</em></p>