Description
Expected
In the `code_scanning_alert` webhook event with `action: "reopened"`, the `alert.dismissed_by` property should reference the `simple-user` schema (or be null), consistent with every other action variant that includes a `dismissed_by` field:

- `appeared_in_branch` — `dismissed_by` is `simple-user | null`
- `closed_by_user` — `dismissed_by` is `simple-user | null`
- `fixed` — `dismissed_by` is `simple-user | null`
- `updated_assignment` — `dismissed_by` is `simple-user | null`

The `dismissed_by` field on the `reopened` action's alert object should match this pattern:

```yaml
dismissed_by:
  oneOf:
    - $ref: '#/components/schemas/simple-user'
    - type: 'null'
```

Actual
The webhook schema for `code_scanning_alert` (action `reopened`) defines `dismissed_by` as an empty object `{}` with no properties. When GitHub delivers this webhook for an alert that was previously dismissed before being reopened, the `dismissed_by` field contains a full user object (with `login`, `id`, etc.), but the schema describes it as an empty object.
Generated clients (e.g. githubkit) produce a model with zero fields — the Pydantic `extra="ignore"` default silently drops all incoming properties, leaving an empty model instance. Any access to `.login` then raises `AttributeError`.
Reproduction Steps
- Configure a repository webhook (or GitHub App) to receive `code_scanning_alert` events.
- Dismiss a code scanning alert via the GitHub UI (this populates `dismissed_by` with the dismissing user).
- Reopen the same alert (e.g., via the GitHub UI or API), triggering a `code_scanning_alert` webhook with `action: "reopened"`.
- Inspect the webhook payload. The `alert.dismissed_by` field contains a full user object, e.g. `{"login": "octocat", "id": 1, ...}`.
- Attempt to validate this payload against a client generated from the OpenAPI spec. The `dismissed_by` model is empty — all fields are silently dropped and `.login` is inaccessible.
Impact
Any strongly-typed client generated from this spec (e.g., githubkit for Python, Octokit for TypeScript) will silently produce an empty `dismissed_by` model instead of a usable user object. Accessing standard user fields like `.login` raises `AttributeError` at runtime.
Note: the companion `reopened_by_user` action correctly types `dismissed_by` as `null` (since a user-reopened alert will never have a `dismissed_by`). The generic `reopened` action is the only variant where this schema error exists.
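The silent field loss described above, as an added example that is not code from this issue or from githubkit: an alert model generated from the published `{}` schema beside one generated from the proposed `simple-user | null` schema, both validated with Pydantic v2 against a constructed payload. `SimpleUser` is an assumed two-field subset of `simple-user`, and the `extra="forbid"` variant is an added check that surfaces the schema mismatch instead of hiding it.

```python
from typing import Optional
from pydantic import BaseModel, ConfigDict, ValidationError

# Constructed payload fragment (not a real delivery), shaped as the issue describes.
PAYLOAD = {
    "action": "reopened",
    "alert": {"number": 42, "dismissed_by": {"login": "octocat", "id": 1, "type": "User"}},
}

class EmptyObject(BaseModel):
    """What a generator emits for the published schema `dismissed_by: {}`: no fields."""

class SimpleUser(BaseModel):
    """Assumed minimal subset of `#/components/schemas/simple-user`."""
    login: str
    id: int

class AlertAsPublished(BaseModel):
    """Alert model generated from the current (incorrect) `reopened` schema."""
    number: int
    dismissed_by: Optional[EmptyObject] = None

class AlertAsProposed(BaseModel):
    """Alert model generated from the proposed `simple-user | null` schema."""
    number: int
    dismissed_by: Optional[SimpleUser] = None

class StrictEmptyObject(BaseModel):
    """Same empty model, but extra="forbid" turns silent field loss into an error."""
    model_config = ConfigDict(extra="forbid")

class AlertStrict(BaseModel):
    number: int
    dismissed_by: Optional[StrictEmptyObject] = None

def fields_kept(model: type[BaseModel], payload: dict) -> dict:
    """Validate the alert object and return what survives as a plain dict."""
    return model.model_validate(payload["alert"]).model_dump()

def schema_matches_payload(model: type[BaseModel], payload: dict) -> bool:
    """False when a strict model rejects the delivery: a cheap schema-drift check."""
    try:
        model.model_validate(payload["alert"])
        return True
    except ValidationError:
        return False

if __name__ == "__main__":
    print(fields_kept(AlertAsPublished, PAYLOAD))  # {'number': 42, 'dismissed_by': {}}
    print(fields_kept(AlertAsProposed, PAYLOAD))   # {'number': 42, 'dismissed_by': {'login': 'octocat', 'id': 1}}
```

Running the strict model against recorded deliveries in a test suite flags this kind of spec drift at validation time rather than as an `AttributeError` deep in handler code.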
Reference
- Previous fix for the same class of bug on the `fixed` action: [Schema Inaccuracy] code_scanning_alert fixed webhook: fixed_at typed as null instead of date-time string #6058
- Previous fix for the same class of bug on the `closed_by_user` action: [Schema Inaccuracy] code_scanning_alert closed_by_user webhook: fixed_at typed as null instead of date-time string #6081
- REST API endpoint schema (correct): https://docs.github.com/en/rest/code-scanning/code-scanning#get-a-code-scanning-alert
- Webhook event docs: https://docs.github.com/en/webhooks/webhook-events-and-payloads#code_scanning_alert