fix(ci): add PRs to bitácora board via gh CLI #39

Open
mlorentedev wants to merge 1 commit into master from feat/fix-bitacora-pr-workflow


Conversation

@mlorentedev mlorentedev commented Jun 20, 2026

Owner

Problem

only supports issues, not PRs.

Fix

Split into two steps:

  • Issues: use (works fine)
  • PRs: use directly

Summary by CodeRabbit

  • Chores
    • Enhanced GitHub Project board automation to properly handle both issues and pull requests.

coderabbitai Bot commented Jun 20, 2026


📝 Walkthrough

The add-to-project workflow is updated to split the single project-board step into two conditional steps: one using actions/add-to-project@v1.0.2 for issue events and another using the gh project item-add CLI command (authenticated via GH_TOKEN from BITACORA_PAT) for pull request events.

Changes

Add-to-Project Workflow Bifurcation

| Layer | File(s) | Summary |
| --- | --- | --- |
| Conditional issue vs PR project board steps | .github/workflows/add-to-project.yml | Inline comments clarify that actions/add-to-project@v1 does not support PRs. The single step is replaced with two if-guarded steps: actions/add-to-project@v1.0.2 runs on github.event_name == 'issues', and gh project item-add runs on github.event_name == 'pull_request' using GH_TOKEN: secrets.BITACORA_PAT. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Two paths in the warren, one for issues, one for PRs,
The action handles issues, the CLI handles the rest,
GH_TOKEN hops along with BITACORA_PAT in tow,
No item left behind on the project board, you know!
This rabbit checks the event_name before each bound~ 🌿

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately describes the main change: fixing the CI workflow to add PRs to the bitácora board using the gh CLI instead of the actions/add-to-project action. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/add-to-project.yml:
- Line 29: The workflow file references a non-existent GitHub project with
project-url set to https://github.com/users/mlorentedev/projects/1 and owner set
to mlorentedev with project ID 1, which will cause the workflow to fail when
attempting to add issues and PRs to the project. Update the project-url
parameter and the owner/project ID combination to reference a valid existing
GitHub project, or create a new project with the matching ID if one does not
exist. Ensure the project-url and the owner/project ID values are consistent
with each other.
- Around line 35-38: The gh project item-add command directly injects
github.event.pull_request.html_url using template expansion in the shell script,
which violates GitHub security best practices. Move the URL value into the env
section by creating a new environment variable (e.g., PR_URL) with the
github.event.pull_request.html_url value, then update the gh command to
reference this environment variable using standard shell syntax instead of the
direct template expansion.
- Line 27: The action reference uses a mutable semver tag v1.0.2 instead of an
immutable commit SHA, creating a supply-chain security risk. Replace the tag
reference in the uses field of the actions/add-to-project action with its
corresponding immutable commit SHA, and add a comment above it with the original
version tag (v1.0.2) to maintain human readability while ensuring the action
cannot be unexpectedly modified.


📥 Commits

Reviewing files that changed from the base of the PR and between dfbffaa and 972aab3.

📒 Files selected for processing (1)
  • .github/workflows/add-to-project.yml

```yaml
      # Issues: use the official action (works fine for issues)
      - name: Add issue to project
        if: github.event_name == 'issues'
        uses: actions/add-to-project@v1.0.2
```


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Description: Fetch the commit SHA for the v1.0.2 tag

gh api repos/actions/add-to-project/git/ref/tags/v1.0.2 --jq '.object.sha'
```

Repository: mlorentedev/pollex

Length of output: 103


Pin the action to a commit SHA for supply-chain security.

The action reference uses a mutable semver tag (v1.0.2) which can be moved by attackers or maintainers, creating a supply-chain risk. GitHub security best practices recommend pinning to an immutable commit SHA instead.

🔒 Recommended fix
-        uses: actions/add-to-project@v1.0.2
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e  # v1.0.2
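Review bot: the `+` line pins to `244f685bbc3b7adfa8466e08b698b5577571133e`, but the analysis chain above only shows that the lookup ran (output length 103), not the value it returned, so confirm before committing that this is the SHA `gh api repos/actions/add-to-project/git/ref/tags/v1.0.2` resolves to; if `v1.0.2` is an annotated tag, `.object.sha` is the tag object rather than the commit, and the commit SHA has to be read from `git/tags/<sha>`. Keep the trailing `# v1.0.2` comment exactly as written so the pinned SHA stays readable and can be bumped by tooling.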

Keep the version comment so the SHA remains human-readable.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools

```yaml
        if: github.event_name == 'issues'
        uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/users/mlorentedev/projects/1
```


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Description: Verify project 1 exists and retrieve its details

gh api graphql -f query='
  query {
    user(login: "mlorentedev") {
      projectV2(number: 1) {
        id
        title
        url
      }
    }
  }
' --jq '.data.user.projectV2 | "Title: \(.title)\nURL: \(.url)"'
```

Repository: mlorentedev/pollex

Length of output: 332


Fix non-existent project reference in workflow.

The workflow references project-url: https://github.com/users/mlorentedev/projects/1 (line 29) and --owner mlorentedev with project ID 1 (line 36), but project 1 does not exist for user mlorentedev. This will cause the workflow to fail when attempting to add issues and PRs. Either create the referenced project or update the workflow to use a valid project ID.


Comment on lines +35 to +38
```yaml
        run: |
          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
        env:
          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
```


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid direct template expansion in shell scripts.

Line 36 injects github.event.pull_request.html_url directly into the shell command. While html_url is GitHub-generated and likely safe, GitHub security best practices recommend passing context values through environment variables to prevent potential template injection.

🔒 Recommended fix
       - name: Add PR to project
         if: github.event_name == 'pull_request'
         run: |
-          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
+          gh project item-add 1 --owner mlorentedev --url "$PR_URL"
         env:
           GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
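Review bot: moving the context value into `PR_URL` and quoting `"$PR_URL"` resolves the template-injection finding, but the hunk leaves `gh project item-add 1 --owner mlorentedev` unchanged, which the Critical comment above reports as a project that does not exist, so the step still fails until that number is corrected. One caveat on the unchanged `env:` lines: repository secrets such as `secrets.BITACORA_PAT` are not provided to `pull_request` runs triggered from forked repositories, so on a fork PR `GH_TOKEN` is empty and `gh` cannot authenticate; if fork PRs should reach the board too, the step needs an explicit skip or a different trigger.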
🧰 Tools
🪛 zizmor (1.25.2)

[error] 36-36: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


Source: Linters/SAST tools
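As an added example (not code from this PR, from CodeRabbit or from zizmor): a small Python scanner that implements the two checks raised in the review above, unpinned `uses:` references and `${{ }}` expansion inside `run:` scripts, run over a constructed copy of the two steps quoted in the comments. The regexes and the sample workflow are my own assumptions, not zizmor's rules.

```python
import re

# Constructed sample input: the two steps quoted in the review comments, before
# either suggested fix is applied (tag-pinned action; ${{ }} inside `run:`).
SAMPLE_WORKFLOW = """\
steps:
  - name: Add issue to project
    if: github.event_name == 'issues'
    uses: actions/add-to-project@v1.0.2
  - name: Add PR to project
    if: github.event_name == 'pull_request'
    run: |
      gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
    env:
      GH_TOKEN: ${{ secrets.BITACORA_PAT }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")   # group(1) ends at the `run` column
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")

def find_unpinned_uses(text):
    """(line_no, ref) for every `uses:` not pinned to a full 40-hex commit SHA."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local (./) and docker:// references carry no git ref to pin, so skip them.
        if m and not m.group(1).startswith(("./", "docker://")) and not SHA_RE.search(m.group(1)):
            out.append((no, m.group(1)))
    return out

def find_run_expansions(text):
    """(line_no, expression) for every ${{ }} that expands inside a `run:` script."""
    out, run_col = [], None            # run_col: column of the open `run:` key, if any
    for no, line in enumerate(text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:                          # `run: cmd` or `run: |` opens a script
            run_col, line = len(m.group(1)), m.group(2)
        elif run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None             # dedent back to the key's column closes the script
        if run_col is not None:
            out += [(no, expr) for expr in EXPR_RE.findall(line)]
    return out

def scan(text):
    """Both checks as zizmor-style one-line findings."""
    return ([f"{no}: unpinned-uses: {ref}" for no, ref in find_unpinned_uses(text)]
            + [f"{no}: template-injection: {expr}" for no, expr in find_run_expansions(text)])
```

Applying both recommended fixes from the review (SHA pin, `PR_URL` in `env:`) to the sample makes `scan` return no findings, while `${{ secrets.BITACORA_PAT }}` under `env:` is never flagged because it is not part of a script.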
