Add rel attributes to public GitHub links

[Entr0zy]

Summary

• add rel="nofollow noopener" to public account/activity GitHub links
• align those pages with the existing bounty-page external-link treatment
• cover account and activity rendering with regression assertions

Refs #576

Checks

• python -m pytest tests/test_activity.py tests/test_account_routes.py
• python -m ruff format --check app tests
• python -m ruff check app tests
• python -m mypy app

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Updated external link attributes on account pages for GitHub profiles, bounty submissions, and work references.
  • Modified link handling on activity pages for bounty information and accepted work submissions.

• Tests

  • Added test assertions to verify proper link attribute rendering on account and activity pages.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c93f0d6c-126d-4a44-bcaa-53b03fde908a

📥 Commits

Reviewing files that changed from the base of the PR and between d4bf32a and 3beecaf.

📒 Files selected for processing (4)

• app/templates/account.html
• app/templates/activity.html
• tests/test_account_routes.py
• tests/test_activity.py

---

📝 Walkthrough

Walkthrough

The PR adds rel="nofollow noopener" security attributes to outbound GitHub links in account and activity templates, and updates corresponding tests to verify these attributes are rendered correctly.

Changes

Link security attributes

Layer / File(s)	Summary
Account template security attributes app/templates/account.html, tests/test_account_routes.py	The GitHub profile, latest accepted work, issue, and submission links now include rel="nofollow noopener" on rendered <a> tags. Test assertions verify the four GitHub-related links appear in the account page HTML with the expected rel attribute.
Activity template security attributes app/templates/activity.html, tests/test_activity.py	Contributor ledger "Latest work" and "Latest bounty" links, and recent work ledger "Bounty" and "Accepted work" links now include rel="nofollow noopener" when URLs are present. Test assertions verify the bounty issue and proof links render with the correct rel attribute on the paid activity page.

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: adding rel attributes to public GitHub links across account and activity pages.
Description check	✅ Passed	The description covers the core changes, provides a reference issue, and lists verification checks. However, the Evidence section is incomplete—it lacks details about bounty capacity, intended surfaces, and expected PR size.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Mergework Public Artifact Hygiene	✅ Passed	PR contains only technical link-attribute changes with no flagged content (investment/price/cash-out/payout claims, security details) in README, docs, or PR description.
Bounty Pr Focus	✅ Passed	Diff matches stated scope: 4 files changed, 8 rel attributes added to GitHub links, 5 test assertions added. No unrelated scope detected. Changes align with PR description and referenced issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

[Zejia]

Reviewed current head 3beecaf19649d686e32e21edb542de132ebdb223.

The rel-attribute change itself is narrow, but this PR currently breaks the full test suite. Two existing account-page assertions in tests/test_api_mcp.py still expect the GitHub profile link without the new rel="nofollow noopener" attribute.

Reproduced locally:

• pytest tests/test_api_mcp.py::test_explorer_links_ledger_proof_and_account tests/test_api_mcp.py::test_github_account_views_normalize_mixed_case_logins -q -> 2 failed

The failure matches GitHub CI. The focused account/activity tests pass (tests/test_activity.py tests/test_account_routes.py -> 7 passed), so the likely fix is to update the existing tests/test_api_mcp.py assertions to include the rel attribute, or make them less brittle while still checking the GitHub profile link and rel behavior.

[ramimbo]

Holding with mrwk:needs-info. The accepted review found the rel-attribute change is focused, but the project quality check is failing because existing API/MCP assertions still expect the old GitHub link markup. Please update those tests and restore a green project check.

[eliasx45]

Reviewed current head 3beecaf19649d686e32e21edb542de132ebdb223.

Verdict: request changes.

The template change itself is directionally fine: it adds rel="nofollow noopener" to public GitHub profile/submission/issue links on the account and activity pages, and the newly touched focused tests pass. However, the broader existing account/MCP tests were not updated and the hosted quality check is failing for the same reason locally. As submitted, the PR cannot be merged with the test suite red.

Evidence:

• Current diff is scoped to app/templates/account.html, app/templates/activity.html, tests/test_account_routes.py, and tests/test_activity.py.
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_account_routes.py tests\test_activity.py -q -> 7 passed.
• .\.venv\Scripts\python.exe -m ruff check tests\test_account_routes.py tests\test_activity.py -> passed.
• .\.venv\Scripts\python.exe -m ruff format --check tests\test_account_routes.py tests\test_activity.py -> already formatted.
• git diff --check origin/main...HEAD -> clean.
• git merge-tree --write-tree origin/main HEAD -> clean merge tree.
• Hosted Quality, readiness, docs, and image checks is failing.
• Reproduced the hosted failures locally: PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .\.venv\Scripts\python.exe -m pytest tests\test_api_mcp.py::test_explorer_links_ledger_proof_and_account tests\test_api_mcp.py::test_github_account_views_normalize_mixed_case_logins -q -> 2 failed.

Blocking issue:

• tests/test_api_mcp.py still expects the account page GitHub profile anchor without the new rel attribute: href="https://github.com/alice">@alice</a>. After this PR the rendered anchor includes rel="nofollow noopener", so both broader account-page regressions fail.

Required fix: update the existing tests/test_api_mcp.py assertions for the new safe-link markup (or use a parser-based assertion) and rerun the broader quality suite so the hosted check is green.