17 changes: 15 additions & 2 deletions .github/workflows/add-to-project.yml
Expand Up @@ -4,6 +4,9 @@ name: Add to bitácora
# (GitHub Project #1). Pairs with bitacora-status.yml (which flips an assigned
# issue to In Progress). Canonical copy for the OPS-002 (#258) multi-repo rollout.

# Note: actions/add-to-project@v1 only supports issues, not PRs. We use it for
# issues and fall back to gh project item-add for PRs.

on:
issues:
types: [opened, reopened]
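Review bot: the new header comment documents the issues/PR split but not what the PR fallback depends on: `gh project item-add` authenticates with the `GH_TOKEN` this file sets from `secrets.BITACORA_PAT`, a repository secret that every repo adopting this "canonical copy for the OPS-002 (#258) multi-repo rollout" must also have configured, otherwise the PR step fails at runtime in those repos. Add a line after the Note, e.g. `# Requires the BITACORA_PAT secret in each repo that adopts this file.`, and link the action's documentation next to the claim that it supports only issues so the claim can be re-checked when the action version is bumped.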
Expand All @@ -18,8 +21,18 @@ jobs:
if: github.event_name == 'issues' || github.event.pull_request.head.repo.fork == false
runs-on: ubuntu-latest
steps:
# Pin a real release: actions/add-to-project@v1 does NOT resolve (no floating v1 tag).
- uses: actions/add-to-project@v1.0.2
# Issues: use the official action (works fine for issues)
- name: Add issue to project
if: github.event_name == 'issues'
uses: actions/add-to-project@v1.0.2

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the commit SHA for the v1.0.2 tag

gh api repos/actions/add-to-project/git/ref/tags/v1.0.2 --jq '.object.sha'

Repository: mlorentedev/pollex

Length of output: 103


Pin the action to a commit SHA for supply-chain security.

The action reference uses a mutable semver tag (v1.0.2) which can be moved by attackers or maintainers, creating a supply-chain risk. GitHub security best practices recommend pinning to an immutable commit SHA instead.

🔒 Recommended fix
-        uses: actions/add-to-project@v1.0.2
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e  # v1.0.2

Keep the version comment so the SHA remains human-readable.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-        uses: actions/add-to-project@v1.0.2
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e  # v1.0.2
🧰 Tools
🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/add-to-project.yml at line 27, the action reference uses a
mutable semver tag v1.0.2 instead of an immutable commit SHA, creating a
supply-chain security risk. Replace the tag reference in the uses field of the
actions/add-to-project action with its corresponding immutable commit SHA, and
add a comment above it with the original version tag (v1.0.2) to maintain human
readability while ensuring the action cannot be unexpectedly modified.

Source: Linters/SAST tools

with:
project-url: https://github.com/users/mlorentedev/projects/1

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify project 1 exists and retrieve its details

gh api graphql -f query='
  query {
    user(login: "mlorentedev") {
      projectV2(number: 1) {
        id
        title
        url
      }
    }
  }
' --jq '.data.user.projectV2 | "Title: \(.title)\nURL: \(.url)"'

Repository: mlorentedev/pollex

Length of output: 332


Fix non-existent project reference in workflow.

The workflow references project-url: https://github.com/users/mlorentedev/projects/1 (line 29) and --owner mlorentedev with project ID 1 (line 36), but project 1 does not exist for user mlorentedev. This will cause the workflow to fail when attempting to add issues and PRs. Either create the referenced project or update the workflow to use a valid project ID.

🤖 Prompt for AI Agents

In @.github/workflows/add-to-project.yml at line 29, the workflow file
references a non-existent GitHub project with project-url set to
https://github.com/users/mlorentedev/projects/1 and owner set to mlorentedev
with project ID 1, which will cause the workflow to fail when attempting to add
issues and PRs to the project. Update the project-url parameter and the
owner/project ID combination to reference a valid existing GitHub project, or
create a new project with the matching ID if one does not exist. Ensure the
project-url and the owner/project ID values are consistent with each other.

github-token: ${{ secrets.BITACORA_PAT }}

# PRs: use gh CLI directly (the action doesn't support PRs)
- name: Add PR to project
if: github.event_name == 'pull_request'
run: |
gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
env:
GH_TOKEN: ${{ secrets.BITACORA_PAT }}
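Review bot: the target project is now spelled out twice in different shapes, `project-url: https://github.com/users/mlorentedev/projects/1` on the issue step and `gh project item-add 1 --owner mlorentedev` on the PR step, so editing one can silently leave the other pointing at a different board. Hoist the owner and project number into workflow-level `env:` values and derive both the URL and the `gh` arguments from them. Since both steps authenticate with `secrets.BITACORA_PAT` rather than the default token, also consider declaring `permissions: {}` on the job if the file does not already restrict `GITHUB_TOKEN`, so the job holds only the credential it actually uses.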
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid direct template expansion in shell scripts.

Line 36 injects github.event.pull_request.html_url directly into the shell command. While html_url is GitHub-generated and likely safe, GitHub security best practices recommend passing context values through environment variables to prevent potential template injection.

🔒 Recommended fix
       - name: Add PR to project
         if: github.event_name == 'pull_request'
         run: |
-          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
+          gh project item-add 1 --owner mlorentedev --url "$PR_URL"
         env:
           GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
📝 Committable suggestion


Suggested change
-        run: |
-          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
-        env:
-          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+        run: |
+          gh project item-add 1 --owner mlorentedev --url "$PR_URL"
+        env:
+          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
🧰 Tools
🪛 zizmor (1.25.2)

[error] 36-36: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents

In @.github/workflows/add-to-project.yml around lines 35 - 38, the gh project
item-add command directly injects github.event.pull_request.html_url using
template expansion in the shell script, which violates GitHub security best
practices. Move the URL value into the env section by creating a new environment
variable (e.g., PR_URL) with the github.event.pull_request.html_url value, then
update the gh command to reference this environment variable using standard
shell syntax instead of the direct template expansion.

Source: Linters/SAST tools
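A small checker for the two zizmor findings raised in this review (the unpinned `uses:` reference in the first comment and the `${{ }}` expansion inside `run:` in the last one), added here as an example; it is not part of the PR or of zizmor, and the workflow text it scans is a constructed sample shaped like the hunk above, not the repository's file.

```python
import re

# Constructed sample (not the repository's workflow) with the shapes from the hunk:
# a tag-pinned action, a SHA-pinned one, an inline ${{ }} in run:, and a safe env: entry.
SAMPLE_WORKFLOW = """\
steps:
  - name: Add issue to project
    uses: actions/add-to-project@v1.0.2
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
  - name: Add PR to project
    run: |
      gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RUN_RE = re.compile(r"^(\s*)run:\s*[|>]?-?\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{[^}]*\}\}")


def unpinned_uses(text):
    """(line_no, ref) for each uses: whose ref after '@' is not a 40-hex commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and "@" in m.group(1):
            ref = m.group(1).split("@", 1)[1]
            if not SHA_RE.match(ref):
                findings.append((no, ref))
    return findings


def template_expansions_in_run(text):
    """(line_no, expression) for every ${{ }} in a run: scalar or block body.
    Lines under env: are deliberately ignored; that is where the value belongs."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, body = len(m.group(1)), [(i, m.group(2))]
        # Block scalar body: every following line indented deeper than run: itself.
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append((i + 1, lines[i]))
            i += 1
        for no, text_line in body:
            findings.extend((no, e) for e in EXPR_RE.findall(text_line))
    return findings
```

Applying the review's own fix (moving the context value into `env:` and referencing `$PR_URL`) makes the second check return nothing while the `env:` line itself is still allowed.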
