From 2e106d4af699896cae3d568806e231a91bfb0e77 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 14:16:42 +0000
Subject: [PATCH 1/2] Initial plan

From a00d7f0a9da812dca8b730f7a868ade871ecac78 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 21 Apr 2026 14:23:32 +0000
Subject: [PATCH 2/2] fix: validate int range before GraphQL Int conversion

Agent-Logs-Url: https://github.com/github/gh-stack/sessions/dbb2b50f-34fb-4957-ac08-e19c1f96ba41
Co-authored-by: skarim <1701557+skarim@users.noreply.github.com>
---
 internal/github/github.go | 15 ++++++++++++++-
 internal/github/github_test.go | 14 ++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/internal/github/github.go b/internal/github/github.go
index cea2c8c..21b3b70 100644
--- a/internal/github/github.go
+++ b/internal/github/github.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ "math"

 "github.com/cli/go-gh/v2/pkg/api"
 graphql "github.com/cli/shurcooL-graphql"
@@ -319,6 +320,11 @@ func (c *Client) FindPRDetailsForBranch(branch string) (*PRDetails, error) {

 // FindPRByNumber fetches a pull request by its number.
 func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
+ gqlNumber, err := toGraphQLInt(number)
+ if err != nil {
+ return nil, err
+ }
+
 var query struct {
 Repository struct {
 PullRequest struct {
@@ -339,7 +345,7 @@ func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
 variables := map[string]interface{}{
 "owner": graphql.String(c.owner),
 "name": graphql.String(c.repo),
- "number": graphql.Int(number),
+ "number": gqlNumber,
 }

 if err := c.gql.Query("FindPRByNumber", &query, variables); err != nil {
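Review bot: The guard added at the top of FindPRByNumber rejects only values outside the 32-bit range, so zero and negative numbers still reach the GraphQL query although pull request numbers start at 1. Rejecting them in the same place fails fast on a malformed number and gives the caller a clearer error than whatever the API returns, e.g. `if number < 1 { return nil, fmt.Errorf("invalid pull request number %d", number) }` ahead of the `toGraphQLInt` call. Other `graphql.Int(...)` conversions may exist in this file outside the visible hunks; if so, they would presumably need the same helper. The body of FindPRByNumber continues past the end of this hunk.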
@@ -364,6 +370,13 @@ func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
 }, nil
 }

+func toGraphQLInt(n int) (graphql.Int, error) {
+ if n < math.MinInt32 || n > math.MaxInt32 {
+ return 0, fmt.Errorf("number %d is out of GraphQL Int range", n)
+ }
+ return graphql.Int(n), nil
+}
+
 type RemoteStack struct {
 ID int `json:"id"`
 PullRequests []int `json:"pull_requests"`
diff --git a/internal/github/github_test.go b/internal/github/github_test.go
index 4efee87..29814bc 100644
--- a/internal/github/github_test.go
+++ b/internal/github/github_test.go
@@ -3,6 +3,7 @@ package github
 import (
 "testing"

+ graphql "github.com/cli/shurcooL-graphql"
 "github.com/stretchr/testify/assert"
 )

@@ -46,3 +47,16 @@ func TestPullRequest_IsQueued(t *testing.T) {
 assert.False(t, pr.IsQueued())
 })
 }
+
+func TestToGraphQLInt(t *testing.T) {
+ t.Run("in range", func(t *testing.T) {
+ got, err := toGraphQLInt(123)
+ assert.NoError(t, err)
+ assert.Equal(t, graphql.Int(123), got)
+ })
+
+ t.Run("out of range", func(t *testing.T) {
+ _, err := toGraphQLInt(1 << 40)
+ assert.Error(t, err)
+ })
+}
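Review bot: toGraphQLInt has no doc comment, and the reason for the range check is not obvious from the code alone. A GraphQL Int is a signed 32-bit value, so a bare `graphql.Int(n)` conversion of a larger `int` would presumably wrap, and the query would then address a different pull request than the one requested. I would record that on the helper, for example `// toGraphQLInt converts n to graphql.Int, returning an error instead of silently truncating values outside the signed 32-bit GraphQL Int range.` The error text says only "number", which is vague for a helper that any call site may use; naming the kind of value at the call site (wrapping with `%w`) would make the message easier to act on.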
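Review bot: The "out of range" subtest in TestToGraphQLInt passes the untyped constant `1 << 40` as an `int`, which does not compile where `int` is 32 bits, and neither subtest exercises the boundary the fix is about. I would add cases for `math.MinInt32` and `math.MaxInt32` (accepted) and for one past each bound (rejected), building the out-of-range values at run time and skipping that subtest when `strconv.IntSize` is 32. The test file would need `math` and `strconv` added to its imports.

```go
func TestToGraphQLInt(t *testing.T) {
	// … unchanged: "in range" subtest …

	t.Run("boundaries", func(t *testing.T) {
		for _, n := range []int{math.MinInt32, math.MaxInt32} {
			got, err := toGraphQLInt(n)
			assert.NoError(t, err)
			assert.Equal(t, graphql.Int(n), got)
		}
	})

	t.Run("out of range", func(t *testing.T) {
		if strconv.IntSize == 32 {
			t.Skip("int cannot hold a value outside the int32 range on this platform")
		}
		over := int64(math.MaxInt32) + 1
		under := int64(math.MinInt32) - 1
		for _, n := range []int64{over, under} {
			_, err := toGraphQLInt(int(n))
			assert.Error(t, err)
		}
	})
}
```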