Add use-pr-linker workflow to auto-link PRs to issues#26
Important: Review skipped. Too many files! This PR contains 178 files, which is 28 over the limit of 150. To get a review, narrow the scope, or upgrade to a paid plan to raise the limit.
Run configuration: Configuration used: Organization UI; Review profile: CHILL; Plan: Pro. Files ignored due to path filters: 144.
Walkthrough
A new GitHub Actions workflow file is added that triggers on pull_request_target events and calls an external reusable workflow to automatically link pull requests to issues, passing minimal permissions and a secret token.
Changes: PR Linker Workflow
Estimated code review effort: 1 (Trivial) | ~3 minutes
Pre-merge checks: 5 passed
Force-pushed from e00ac4d to 4b2971c
Force-pushed from 4b2971c to f815c8f
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/use-pr-linker.yml:
- Around line 19-21: The reusable workflow reference in use-pr-linker should not
point at the mutable develop branch while forwarding ACTION_PAT under
pull_request_target. Update the uses target in the workflow to a pinned,
immutable ref such as a reviewed commit SHA or release tag so the secret
boundary stays fixed. Keep the secret forwarding as-is, but ensure the
referenced workflow source cannot change without review.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f2044b13-b513-44d5-84d5-dcad2abbf249
📒 Files selected for processing (1)
.github/workflows/use-pr-linker.yml
| uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop | ||
| secrets: | ||
| ACTION_PAT: ${{ secrets.ACTION_PAT }} No newline at end of file |
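Review bot: the file ends without a trailing newline (the `ACTION_PAT: ${{ secrets.ACTION_PAT }}` line is the last one and is flagged "No newline at end of file"); add it so later diffs and POSIX line tools do not keep flagging this line. On the same three lines, the workflow forwards the long-lived ACTION_PAT to `mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop`, a branch ref, under a pull_request_target trigger; the pin-to-SHA point raised in the review comment below applies, and before forwarding a PAT at all it is worth checking whether the job's own GITHUB_TOKEN with `issues: write` and `pull-requests: write` is enough to link a PR to an issue in this repository. If the PAT is genuinely required (for example for cross-repository access), a short comment on the `secrets:` block saying why would help the next reviewer.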
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Pin the reusable workflow before forwarding ACTION_PAT.
@develop is mutable, so the code receiving this repository secret can change without review. With pull_request_target, this becomes a privileged secret boundary; pin to a reviewed commit SHA or immutable release tag.
🔒 Proposed hardening
- uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
+ uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<reviewed-commit-sha>
Source: Linters/SAST tools
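The finding above is a general class of problem (an unpinned `uses:` ref receiving secrets under pull_request_target), so a repository usually wants a check that catches every such reference rather than a one-off fix. The following script is an added example and is not part of this PR or of the mosip/kattu project. It scans a workflow file line by line without a YAML library, reports every `uses:` reference that is not a full 40-hex commit SHA, rates the finding "major" when the workflow also triggers on pull_request_target and forwards secrets, and shows how the offending line is rewritten to a pinned form. The embedded sample workflow is constructed: only its `uses:` and `secrets:` lines come from the PR; the trigger, permissions and job name are assumed, and the SHA used for pinning is a placeholder.

```python
"""
Pin check for GitHub Actions `uses:` references.

Added example; not part of this PR or the mosip/kattu project. Scans a workflow
file line by line (no YAML library needed) and reports each `uses:` reference
that is not pinned to a full 40-hex commit SHA. A finding is "major" when the
workflow also runs on pull_request_target and forwards repository secrets,
because then unreviewed code runs in the privileged context and gets the secrets.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PRT = re.compile(r"^\s*(-\s*)?pull_request_target\b|^\s*on:\s*.*\bpull_request_target\b")
SECRET_FWD = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}|^\s*secrets:\s*inherit\b")

# Constructed sample. Only the `uses:` and `secrets:` lines are taken from the PR;
# the trigger, permissions and job name are assumptions made for this example.
SAMPLE_WORKFLOW = """\
name: use-pr-linker
on:
  pull_request_target:
    types: [opened, reopened, edited]
permissions:
  contents: read
jobs:
  link:
    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
    secrets:
      ACTION_PAT: ${{ secrets.ACTION_PAT }}
"""


@dataclass
class Finding:
    line: int
    ref: str
    severity: str
    message: str


def classify_ref(ref: str) -> str:
    """'sha' for a full commit SHA; branches, tags and short SHAs are 'mutable'.
    Tags count as mutable because a tag can be deleted and re-pointed."""
    return "sha" if SHA40.match(ref) else "mutable"


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is not pinned to a full SHA."""
    lines = text.splitlines()
    privileged = any(PRT.search(line) for line in lines)
    forwards_secrets = any(SECRET_FWD.search(line) for line in lines)
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1).strip("'\"")
        if target.startswith(("./", "docker://")):
            continue  # local path or container image, not a remote git ref
        if "@" not in target:
            findings.append(Finding(n, target, "major",
                                    "no ref at all; resolves to the remote's default branch"))
            continue
        ref = target.rsplit("@", 1)[1]
        if classify_ref(ref) == "sha":
            continue
        if privileged and forwards_secrets:
            sev, why = "major", "pull_request_target workflow forwards secrets to code that can change without review"
        else:
            sev, why = "minor", "code can change without review"
        findings.append(Finding(n, target, sev, f"mutable ref '{ref}': {why}"))
    return findings


def pin_uses_line(line: str, sha: str, human_ref: Optional[str] = None) -> str:
    """Rewrite a `uses:` line to a full SHA, keeping the readable ref as a trailing comment."""
    m = USES.match(line)
    if not m or not SHA40.match(sha):
        raise ValueError("need a uses: line and a full 40-hex commit SHA")
    target = m.group(1).strip("'\"")
    path = target.rsplit("@", 1)[0]
    pinned = f"{line[:m.start(1)]}{path}@{sha}"
    return f"{pinned}  # {human_ref}" if human_ref else pinned


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line} [{f.severity}] {f.ref}: {f.message}")
    # Placeholder SHA for illustration; use the reviewed commit of the called workflow in practice.
    print(pin_uses_line("    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop",
                        "0" * 40, "develop"))
```

Run it against `.github/workflows/*.yml` in CI and fail the job on any "major" finding; the trailing comment written by `pin_uses_line` keeps the human-readable ref next to the SHA so tools such as Dependabot can still see which branch or tag the pin tracks.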
Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>
Force-pushed from f815c8f to 529c5f0
Summary
- Adds `use-pr-linker.yml` workflow that calls the reusable PR-to-issue linker from `mosip/kattu` (`@develop`).
Notes
- `ACTION_PAT` repository secret to be configured.
- develop.
Summary by CodeRabbit