fix(ci): add PRs to bitácora board via gh CLI #39
base: master
@@ -4,6 +4,9 @@ name: Add to bitácora | |||||||||||||||||||
| # (GitHub Project #1). Pairs with bitacora-status.yml (which flips an assigned | ||||||||||||||||||||
| # issue to In Progress). Canonical copy for the OPS-002 (#258) multi-repo rollout. | ||||||||||||||||||||
| # Note: actions/add-to-project@v1 only supports issues, not PRs. We use it for | ||||||||||||||||||||
| # issues and fall back to gh project item-add for PRs. | ||||||||||||||||||||
| on: | ||||||||||||||||||||
| issues: | ||||||||||||||||||||
| types: [opened, reopened] | ||||||||||||||||||||
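Review bot: The header comment in this hunk still cites `actions/add-to-project@v1` as the version that "only supports issues", while the comment later in the same file says `@v1` does not resolve and the step pins `@v1.0.2`; name the pinned release here so the two comments do not contradict each other. Also, the `on:` block visible in this hunk only lists `issues:` with `types: [opened, reopened]`, yet the job checks `github.event_name == 'pull_request'`; confirm that a `pull_request:` trigger (with its `types`) is added in the part of this hunk not shown, otherwise the new `Add PR to project` step never fires.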
@@ -18,8 +21,18 @@ jobs: | |||||||||||||||||||
| if: github.event_name == 'issues' || github.event.pull_request.head.repo.fork == false | ||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||
| steps: | ||||||||||||||||||||
| # Pin a real release: actions/add-to-project@v1 does NOT resolve (no floating v1 tag). | ||||||||||||||||||||
| - uses: actions/add-to-project@v1.0.2 | ||||||||||||||||||||
| # Issues: use the official action (works fine for issues) | ||||||||||||||||||||
| - name: Add issue to project | ||||||||||||||||||||
| if: github.event_name == 'issues' | ||||||||||||||||||||
| uses: actions/add-to-project@v1.0.2 | ||||||||||||||||||||
| with: | ||||||||||||||||||||
| project-url: https://github.com/users/mlorentedev/projects/1 | ||||||||||||||||||||
🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Description: Verify project 1 exists and retrieve its details
gh api graphql -f query='
query {
  user(login: "mlorentedev") {
    projectV2(number: 1) {
      id
      title
      url
    }
  }
}
' --jq '.data.user.projectV2 | "Title: \(.title)\nURL: \(.url)"'
```

Repository: mlorentedev/pollex
Length of output: 332

Fix non-existent project reference in workflow.

The workflow references
| github-token: ${{ secrets.BITACORA_PAT }} | ||||||||||||||||||||
| # PRs: use gh CLI directly (the action doesn't support PRs) | ||||||||||||||||||||
| - name: Add PR to project | ||||||||||||||||||||
| if: github.event_name == 'pull_request' | ||||||||||||||||||||
| run: | | ||||||||||||||||||||
| gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}" | ||||||||||||||||||||
| env: | ||||||||||||||||||||
| GH_TOKEN: ${{ secrets.BITACORA_PAT }} | ||||||||||||||||||||
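Review bot: The `run:` of the `Add PR to project` step interpolates `${{ github.event.pull_request.html_url }}` straight into the shell script; the expression is expanded by the runner before the shell starts, so the value is treated as code rather than data. Move it into `env:` (e.g. `PR_URL: ${{ github.event.pull_request.html_url }}`) and reference `"$PR_URL"` in the command, which is what the inline suggestion on lines +35 to +38 proposes. Two smaller points: the board is now hardcoded in two places (`project-url: https://github.com/users/mlorentedev/projects/1` for issues, `gh project item-add 1 --owner mlorentedev` for PRs), so a change of project number must be edited twice; and `uses: actions/add-to-project@v1.0.2` is still a mutable tag rather than a commit SHA, which the later comment on line 27 also flags.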
Comment on lines +35 to +38

Avoid direct template expansion in shell scripts. Line 36 injects

🔒 Recommended fix

```diff
- name: Add PR to project
if: github.event_name == 'pull_request'
run: |
- gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
+ gh project item-add 1 --owner mlorentedev --url "$PR_URL"
env:
GH_TOKEN: ${{ secrets.BITACORA_PAT }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
```

🧰 Tools

🪛 zizmor (1.25.2)

[error] 36-36: code injection via template expansion (template-injection): may expand into attacker-controllable code (template-injection)
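Review bot: The suggested change is the right fix: with `PR_URL` set under `env:`, the shell receives the URL as the value of a quoted variable, so nothing inside it can be parsed as shell syntax. The exposure in this particular step was already limited, since the job's `if:` (`github.event.pull_request.head.repo.fork == false`) skips fork PRs and `html_url` is assigned by GitHub rather than typed by the PR author, but the env-var pattern is the correct default for any `github.event.*` field used inside `run:`, so apply it here regardless.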
🧩 Analysis chain

🏁 Script executed:

Repository: mlorentedev/pollex
Length of output: 103

Pin the action to a commit SHA for supply-chain security.

The action reference uses a mutable semver tag (v1.0.2) which can be moved by attackers or maintainers, creating a supply-chain risk. GitHub security best practices recommend pinning to an immutable commit SHA instead.

🔒 Recommended fix

Keep the version comment so the SHA remains human-readable.

🧰 Tools

🪛 zizmor (1.25.2)

[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
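As an added example (not code from this PR, the repository, or zizmor), a small Python linter that reproduces the two findings raised in the review above, an unpinned `uses:` reference and `${{ }}` template expansion inside a `run:` block, over a constructed workflow modelled on this diff; the `env:`-based form from the suggested fix is deliberately left unflagged, and the checkout SHA is a placeholder.

```python
import re

# Constructed sample modelled on the workflow in this PR (not the repo's actual file).
SAMPLE_WORKFLOW = """\
jobs:
  add-to-project:
    steps:
      - uses: actions/add-to-project@v1.0.2
      - name: Add PR to project
        run: |
          gh project item-add 1 --owner mlorentedev --url "${{ github.event.pull_request.html_url }}"
        env:
          GH_TOKEN: ${{ secrets.BITACORA_PAT }}
      - name: Add PR to project (suggested fix)
        run: |
          gh project item-add 1 --owner mlorentedev --url "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")            # immutable commit pin
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
EXPANSION = re.compile(r"\$\{\{")                    # ${{ }} inside shell = code, not data

def lint_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, snippet) for unpinned `uses:` and `${{ }}` inside `run:`."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = USES.match(lines[i])
        if m and not SHA_PIN.search(m.group(1)):
            findings.append((i + 1, "unpinned-uses", m.group(1)))
        m = RUN.match(lines[i])
        if not m:
            i += 1
            continue
        indent, body, j = len(m.group(1)), [m.group(2)], i + 1   # inline `run: cmd` form first
        # A block scalar (`run: |`) continues while lines are indented deeper than `run:`.
        while j < len(lines) and (not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > indent):
            body.append(lines[j])
            j += 1
        for k, chunk in enumerate(body):
            if EXPANSION.search(chunk):   # `env:` lines are outside the body, so they are not flagged
                findings.append((i + 1 + k, "template-injection", chunk.strip()))
        i = j
    return findings
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the unpinned action on line 4 and the expansion on line 7 only; the step that passes the URL through `PR_URL` produces nothing.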