21 changes: 21 additions & 0 deletions .github/workflows/use-pr-linker.yml
@@ -0,0 +1,21 @@
name: Auto link PR to Issues

on:
pull_request_target:
types:
- opened
- edited
- synchronize
- reopened
- closed

permissions:
contents: read
issues: write
pull-requests: read

jobs:
call-linker:
uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant workflow around the referenced line numbers
echo "=== use-pr-linker.yml (around lines 1-60) ==="
nl -ba .github/workflows/use-pr-linker.yml | sed -n '1,80p'

echo
echo "=== chart-lint-publish.yml (search for secrets.ACTION_PAT mapping) ==="
# Show only the relevant part mentioned (45-62) if file exists
if [ -f .github/workflows/chart-lint-publish.yml ]; then
  nl -ba .github/workflows/chart-lint-publish.yml | sed -n '35,90p' | rg -n "ACTION_PAT|TOKEN|secrets" || true
  # Also show full range 45-62 for context
  echo "--- chart-lint-publish.yml lines 45-62 ---"
  nl -ba .github/workflows/chart-lint-publish.yml | sed -n '45,62p'
else
  echo "chart-lint-publish.yml not found in repo"
fi

echo
echo "=== Search repo for other occurrences of mosip/kattu/link-pr-to-issue.yml ==="
rg -n "mosip/kattu/.github/workflows/link-pr-to-issue\.yml" .github/workflows || true

echo
echo "=== Search repo for other mosip/kattu reusable workflow uses with @develop ==="
# Backticks inside double quotes would be command-substituted by bash, so @develop is written bare.
rg -n "mosip/kattu/.*@develop" .github/workflows || true

Repository: mosip/security-tools

Length of output: 171


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== use-pr-linker.yml (around lines 1-80) ==="
if [ -f .github/workflows/use-pr-linker.yml ]; then
  cat -n .github/workflows/use-pr-linker.yml | sed -n '1,100p'
else
  echo "File not found: .github/workflows/use-pr-linker.yml"
fi

echo
echo "=== chart-lint-publish.yml (search for ACTION_PAT/TOKEN/secrets + show lines 45-62 if present) ==="
if [ -f .github/workflows/chart-lint-publish.yml ]; then
  echo "--- grep relevant tokens ---"
  cat -n .github/workflows/chart-lint-publish.yml | sed -n '1,140p' | rg -n "ACTION_PAT|TOKEN|workflow_call:|secrets:" || true
  echo "--- chart-lint-publish.yml lines 45-62 ---"
  cat -n .github/workflows/chart-lint-publish.yml | sed -n '45,62p'
else
  echo "File not found: .github/workflows/chart-lint-publish.yml"
fi

echo
echo "=== Search repo for occurrences of link-pr-to-issue.yml ==="
rg -n "mosip/kattu/.github/workflows/link-pr-to-issue\.yml" .github/workflows || true

echo
echo "=== Search repo for mosip/kattu reusable workflow refs using @develop ==="
# Backticks inside double quotes would be command-substituted by bash, so @develop is written bare.
rg -n "mosip/kattu/.github/workflows/.*@develop" .github/workflows || true

echo
echo "=== Locate any workflow_call secret contract for link-pr-to-issue.yml in this repo ==="
# Only looks within this repo; if not found, we’ll need web lookup.
rg -n "workflow_call:" .github/workflows || true

Repository: mosip/security-tools

Length of output: 2457


🌐 Web query:

mosip/kattu link-pr-to-issue.yml workflow_call secrets TOKEN ACTION_PAT

💡 Result:

I couldn’t locate a workflow file named mosip/kattu link-pr-to-issue.yml in the mosip/kattu repository (or any referenced reusable workflow with that exact filename). The search results only show the mosip/kattu repo landing page and various other reusable workflow docs/files, but not link-pr-to-issue.yml specifically [1].

What I can confirm from MOSIP repositories that do use mosip/kattu reusable workflows:

  • Reusable workflows in mosip/kattu are invoked using the workflow_call mechanism (mosip/kattu is described as containing reusable workflows triggered by workflow_call) [1].
  • An example of calling a mosip/kattu reusable workflow shows passing a secret named ACTION_PAT from the caller repository into the reusable workflow, e.g. secrets: ACTION_PAT: ${{ secrets.ACTION_PAT }} used when calling mosip/kattu/.github/workflows/release-changes.yml@master [2].

If you intended a different filename (e.g., a PR/issue linking workflow whose name isn’t “link-pr-to-issue.yml”), or if the file lives under a different path/branch/tag in mosip/kattu, paste the exact YAML path you have (or the job uses: … line) and I can re-run the search precisely for that workflow_call secrets block (including TOKEN vs ACTION_PAT).

Citations:


Pin the reusable workflow to an immutable ref (and verify the secret key contract)

  • In .github/workflows/use-pr-linker.yml (line 14), replace uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop with a specific commit SHA.
  • .github/workflows/use-pr-linker.yml passes secrets.ACTION_PAT into the reusable workflow; verify the reusable workflow’s workflow_call.secrets expects ACTION_PAT (or remap to the expected key, e.g. TOKEN) to avoid auth failures.
Suggested change
-    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
+    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/use-pr-linker.yml at line 14, Replace the floating
reusable-workflow ref "uses:
mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop" with an immutable
commit SHA (pin to a specific commit) and ensure the secret mapping matches the
callee: confirm the reusable workflow's workflow_call.secrets declares
ACTION_PAT (or change the caller to pass the key the reusable workflow expects,
e.g. TOKEN) so that secrets.ACTION_PAT passed from the caller matches the
workflow_call.secrets entry; update the uses line to the commit SHA and adjust
the secret name mapping if necessary.

secrets:
ACTION_PAT: ${{ secrets.ACTION_PAT }}
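Review bot: The `secrets:` mapping on the last two lines forwards `ACTION_PAT` to a reusable workflow referenced by the mutable `@develop` branch, and the file is triggered by `pull_request_target`, which runs with the base repository's secrets even for pull requests opened from forks; taken together, anyone who can change `develop` in mosip/kattu controls code that runs with this repository's `ACTION_PAT`. Pin `uses:` to a full commit SHA as the inline comment and the zizmor `unpinned-uses` finding already request, and, since the caller already grants `issues: write` to the job token, check whether the linker can run on the job-scoped `GITHUB_TOKEN` (which expires with the job) instead of a personal access token, which usually carries broader scope and outlives the run.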
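As an added illustration of the zizmor `unpinned-uses` finding and the pinning advice in the review comment above (example code, not part of this PR or of mosip/kattu): a dependency-free scanner that flags `uses:` references whose ref is not a 40-hex commit SHA and raises the severity when the workflow also runs on `pull_request_target`. The sample workflow and the SHA inside it are constructed for the example.

```python
import re

# `uses: owner/repo/path@ref` at step or job level; the capture stops at whitespace or `#`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Block (`pull_request_target:`) or list (`- pull_request_target`) form; inline `on: [...]` is not handled.
PRT_RE = re.compile(r"^\s*(-\s*)?pull_request_target\s*:?\s*$")

def find_unpinned_uses(workflow_text):
    """Return (line_no, repo_path, ref) for every `uses:` whose ref is not a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and docker images carry no git ref to pin
        repo_path, _, ref = target.partition("@")
        if not SHA_RE.match(ref):
            findings.append((n, repo_path, ref or "<no ref>"))
    return findings

def audit(workflow_text):
    """(severity, line_no, message) per unpinned ref; severity rises when the trigger is
    pull_request_target, because that event runs with the base repository's secrets."""
    on_prt = any(PRT_RE.match(line) for line in workflow_text.splitlines())
    severity = "high" if on_prt else "medium"
    return [(severity, n, f"{repo} is pinned to mutable ref '{ref}'; use a full commit SHA")
            for n, repo, ref in find_unpinned_uses(workflow_text)]

# Constructed sample modelled on the PR's workflow, plus one SHA-pinned step and one local step.
SAMPLE_WORKFLOW = """name: Auto link PR to Issues
on:
  pull_request_target:
jobs:
  call-linker:
    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
    secrets:
      ACTION_PAT: ${{ secrets.ACTION_PAT }}
  other:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for severity, n, msg in audit(SAMPLE_WORKFLOW):
        print(f"[{severity}] line {n}: {msg}")
```

Only the mosip/kattu line is reported, at high severity, because the sample runs on `pull_request_target`; the SHA-pinned checkout and the local action are skipped.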