fix(ci): add PRs to bitácora board via gh CLI #39
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/add-to-project.yml:
- Line 29: The workflow file references a non-existent GitHub project with
project-url set to https://github.com/users/mlorentedev/projects/1 and owner set
to mlorentedev with project ID 1, which will cause the workflow to fail when
attempting to add issues and PRs to the project. Update the project-url
parameter and the owner/project ID combination to reference a valid existing
GitHub project, or create a new project with the matching ID if one does not
exist. Ensure the project-url and the owner/project ID values are consistent
with each other.
- Around line 35-38: The gh project item-add command directly injects
github.event.pull_request.html_url using template expansion in the shell script,
which violates GitHub security best practices. Move the URL value into the env
section by creating a new environment variable (e.g., PR_URL) with the
github.event.pull_request.html_url value, then update the gh command to
reference this environment variable using standard shell syntax instead of the
direct template expansion.
- Line 27: The action reference uses a mutable semver tag v1.0.2 instead of an
immutable commit SHA, creating a supply-chain security risk. Replace the tag
reference in the uses field of the actions/add-to-project action with its
corresponding immutable commit SHA, and add a comment above it with the original
version tag (v1.0.2) to maintain human readability while ensuring the action
cannot be unexpectedly modified.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 75c2945d-055d-440f-9b08-510571a07f28
📒 Files selected for processing (1)
.github/workflows/add-to-project.yml
| # Issues: use the official action (works fine for issues) | ||
| - name: Add issue to project | ||
| if: github.event_name == 'issues' | ||
| uses: actions/add-to-project@v1.0.2 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Fetch the commit SHA for the v1.0.2 tag
gh api repos/actions/add-to-project/git/ref/tags/v1.0.2 --jq '.object.sha'

Repository: mlorentedev/pollex
Length of output: 103
Pin the action to a commit SHA for supply-chain security.
The action reference uses a mutable semver tag (v1.0.2) which can be moved by attackers or maintainers, creating a supply-chain risk. GitHub security best practices recommend pinning to an immutable commit SHA instead.
🔒 Recommended fix
- uses: actions/add-to-project@v1.0.2
+ uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2

Keep the version comment so the SHA remains human-readable.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/add-to-project@v1.0.2 | |
| uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 |
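Review bot: before committing the pinned `uses:` line, confirm that 244f685bbc3b7adfa8466e08b698b5577571133e is a commit SHA rather than a tag object SHA. The script above (`gh api repos/actions/add-to-project/git/ref/tags/v1.0.2 --jq '.object.sha'`) returns the SHA of the tag object when v1.0.2 is an annotated tag, so check `.object.type` as well and dereference to the commit if it reads `tag`; `uses:` must resolve to a commit. Once pinned, the zizmor `unpinned-uses` finding on line 27 clears, and the trailing `# v1.0.2` comment keeps the pin reviewable.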
🧰 Tools
🪛 zizmor (1.25.2)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| if: github.event_name == 'issues' | ||
| uses: actions/add-to-project@v1.0.2 | ||
| with: | ||
| project-url: https://github.com/users/mlorentedev/projects/1 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify project 1 exists and retrieve its details
gh api graphql -f query='
query {
user(login: "mlorentedev") {
projectV2(number: 1) {
id
title
url
}
}
}
' --jq '.data.user.projectV2 | "Title: \(.title)\nURL: \(.url)"'

Repository: mlorentedev/pollex
Length of output: 332
Fix non-existent project reference in workflow.
The workflow references project-url: https://github.com/users/mlorentedev/projects/1 (line 29) and --owner mlorentedev with project ID 1 (line 36), but project 1 does not exist for user mlorentedev. This will cause the workflow to fail when attempting to add issues and PRs. Either create the referenced project or update the workflow to use a valid project ID.
| run: | | ||
| gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}" | ||
| env: | ||
| GH_TOKEN: ${{ secrets.BITACORA_PAT }} |
Avoid direct template expansion in shell scripts.
Line 36 injects github.event.pull_request.html_url directly into the shell command. While html_url is GitHub-generated and likely safe, GitHub security best practices recommend passing context values through environment variables to prevent potential template injection.
🔒 Recommended fix
- name: Add PR to project
if: github.event_name == 'pull_request'
run: |
- gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
+ gh project item-add 1 --owner mlorentedev --url "$PR_URL"
env:
GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+ PR_URL: ${{ github.event.pull_request.html_url }}

📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| run: | | |
| gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}" | |
| env: | |
| GH_TOKEN: ${{ secrets.BITACORA_PAT }} | |
| run: | | |
| gh project item-add 1 --owner mlorentedev --url "$PR_URL" | |
| env: | |
| GH_TOKEN: ${{ secrets.BITACORA_PAT }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} |
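Review bot: the `+` lines move only the PR URL into `env`; the project number `1` and `--owner mlorentedev` stay hardcoded in the `run:` line, and the other comment on this PR flags that this project does not exist for the user. Lifting those two values into `env` alongside `PR_URL` (for example as `PROJECT_NUMBER` and `PROJECT_OWNER`) puts the pending project fix in one place and keeps the script free of any literal that might later be swapped for a context expression. `GH_TOKEN` is set from `secrets.BITACORA_PAT`; document the minimum scope that PAT needs so it is not over-privileged for a single `gh project item-add` call.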
🧰 Tools
🪛 zizmor (1.25.2)
[error] 36-36: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
Source: Linters/SAST tools
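Both findings on this PR (a `uses:` reference pinned to a mutable tag, and a `${{ github.event.* }}` expression expanded inside a `run:` script) can be caught before merge with a small pre-commit check. The Python below is an added example written for this page; it is not code from the pollex repository, from CodeRabbit or from zizmor. It scans two constructed workflow snippets modelled on the one under review, a before version and an after version with both suggestions applied, and reports the line and offending value for each pattern. The snippet text, the function names, the list of untrusted context prefixes and the line-based YAML handling are assumptions of the example.

```python
import re

# Constructed sample modelled on the workflow under review; not the repository's file.
WORKFLOW_BEFORE = """\
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - name: Add issue to project
        if: github.event_name == 'issues'
        uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/users/mlorentedev/projects/1
      - name: Add PR to project
        if: github.event_name == 'pull_request'
        run: |
          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
        env:
          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
"""

# Same workflow with both review suggestions applied (SHA taken from the review comment).
WORKFLOW_AFTER = """\
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - name: Add issue to project
        if: github.event_name == 'issues'
        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
        with:
          project-url: https://github.com/users/mlorentedev/projects/1
      - name: Add PR to project
        if: github.event_name == 'pull_request'
        run: |
          gh project item-add 1 --owner mlorentedev --url "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Contexts a third party can influence (PR titles, branch names, bodies, URLs, inputs); assumed list.
UNTRUSTED = ("github.event.", "github.head_ref", "inputs.")
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}


def find_unpinned_uses(text):
    """Return (line_no, ref) for every `uses:` that is not pinned to a full 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container references carry no tag to pin
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def _untrusted_exprs(line):
    return [e for e in EXPR_RE.findall(line) if e.startswith(UNTRUSTED)]


def find_template_injection(text):
    """Return (line_no, expression) for untrusted ${{ }} expansions inside `run:` scripts."""
    findings = []
    key_col = None  # column of the `run:` key while inside its block scalar
    for line_no, line in enumerate(text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in BLOCK_INDICATORS:
                key_col = len(m.group(1))  # script lines follow, indented deeper than the key
            else:
                findings += [(line_no, e) for e in _untrusted_exprs(body)]  # one-line run:
                key_col = None
            continue
        if key_col is None:
            continue
        stripped = line.lstrip()
        if stripped and len(line) - len(stripped) <= key_col:
            key_col = None  # a sibling key such as `env:` ends the script block
            continue
        findings += [(line_no, e) for e in _untrusted_exprs(line)]
    return findings


def lint_workflow(text):
    """Run both checks; the workflow passes when every list in the result is empty."""
    return {
        "unpinned-uses": find_unpinned_uses(text),
        "template-injection": find_template_injection(text),
    }


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, lint_workflow(wf))
```

Values moved into `env:` pass through the process environment as data, so the shell never re-parses them; that is why `PR_URL` in the after version is not reported even though the same `${{ github.event.pull_request.html_url }}` expression is still present in the file.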
Problem
only supports issues, not PRs.
Fix
Split into two steps: