21 changes: 21 additions & 0 deletions .github/workflows/use-pr-linker.yml
@@ -0,0 +1,21 @@
name: Auto link PR to Issues

on:
pull_request_target:
types:
- opened
- edited
- synchronize
- reopened
- closed
Comment on lines +3 to +10


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Guard pull_request_target before exposing ACTION_PAT.

This workflow forwards a write-capable secret on pull_request_target, which can run on fork-originated PR events. Since the called workflow performs authenticated write/delete issue-comment operations, this is a high-risk secret exposure path.

🔒 Minimal hardening diff
 jobs:
   call-linker:
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
     secrets:
       ACTION_PAT: ${{ secrets.ACTION_PAT }}

Also applies to: 20-21

🧰 Tools
🪛 zizmor (1.25.2)

[error] 3-10: use of fundamentally insecure workflow trigger (dangerous-triggers): pull_request_target is almost always used insecurely

(dangerous-triggers)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/use-pr-linker.yml around lines 3 - 10, the workflow
currently uses pull_request_target and exposes the write-capable secret
ACTION_PAT to PR events; restrict exposure by guarding usage of ACTION_PAT and
any steps that run with pull_request_target: either switch the trigger to
pull_request (safe default) or keep pull_request_target but add a runtime guard
that only sets/exports ACTION_PAT and runs the authenticated/commenting steps
when the PR originates from the same repo (e.g. check
github.event.pull_request.head.repo.owner == github.repository_owner or
github.event.pull_request.head.repo.fork == false) — locate references to
pull_request_target and the ACTION_PAT environment/secret and wrap the job/steps
that call the downstream workflow or perform comments/edits with this
conditional so forks cannot receive ACTION_PAT.


permissions:
contents: read
issues: write
pull-requests: read

jobs:
call-linker:
uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
Ivanmeneges marked this conversation as resolved.
secrets:
ACTION_PAT: ${{ secrets.ACTION_PAT }}
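Review bot: `call-linker` forwards `ACTION_PAT` unconditionally, and with `pull_request_target` every listed type (`opened`, `edited`, `synchronize`, `reopened`, `closed`) also fires for PRs opened from forks, so a fork contributor can cause the reusable workflow to run with the write-capable token against their PR. A `uses:` job has no steps to gate individually, so the guard has to be a job-level `if:` placed directly under `call-linker:`, e.g. `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`, which skips the job for any fork PR. Two related points: `permissions:` already grants `issues: write` to `GITHUB_TOKEN`, which covers creating and deleting issue comments on this repository's PRs, so if the linker does not need cross-repository access the PAT could be replaced by `secrets.GITHUB_TOKEN` and the exposure question disappears; and `mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop` tracks a mutable branch, so whatever lands on `develop` later will receive `ACTION_PAT` without any change here, which pinning the ref to a commit SHA would prevent.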
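The review comment above proposes a same-repo guard on the job that receives `ACTION_PAT`. As an added example that is not code from this PR or from mosip/kattu, here is a small Ruby checker that applies that rule to workflow files the way a linter such as zizmor would: it reports every job that references a secret when `pull_request_target` is among the triggers and the job's `if:` does not test the PR head repository. The four workflow texts inside it are constructed inputs, and the `example-org/example-repo/...` reusable-workflow path is a placeholder. Ruby is used because its standard library ships a YAML parser, so the script runs without installing anything.

```ruby
# Added example, not code from this PR or from mosip/kattu: a checker for the
# pattern flagged in the review (a secret forwarded on pull_request_target by a
# job that does not first check the PR comes from the same repository).
require "yaml"

# A job counts as guarded when its `if:` compares the PR head repository with
# the repository running the workflow, in any of the spellings the review uses.
SAME_REPO_GUARD = /head\.repo\.(full_name|fork|owner)/

# Any `${{ secrets.X }}` reference or `secrets: inherit` counts as exposure.
# GITHUB_TOKEN is deliberately included: on pull_request_target it carries the
# workflow's write permissions as well.
SECRET_REF = /\$\{\{\s*secrets\.|secrets:\s*inherit/

# Trigger names of a parsed workflow. Psych, like PyYAML, follows YAML 1.1 and
# reads the bare key `on` as boolean true, so both keys are tried.
def trigger_names(doc)
  on = doc.fetch("on") { doc[true] }
  case on
  when String then [on]
  when Array  then on.map(&:to_s)
  when Hash   then on.keys.map(&:to_s)
  else []
  end
end

# One finding per job that references a secret without a same-repo guard;
# nothing is reported unless pull_request_target is among the triggers.
def unguarded_secret_jobs(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml)
  return [] unless trigger_names(doc).include?("pull_request_target")

  (doc["jobs"] || {}).filter_map do |name, job|
    next unless job.is_a?(Hash)
    next unless job.to_yaml.match?(SECRET_REF)   # secrets:, env:, with: all covered
    next if job["if"].to_s.match?(SAME_REPO_GUARD)
    "job #{name}: references secrets on pull_request_target without a same-repo guard"
  end
end

# Constructed inputs. UNGUARDED has the shape of the workflow in this PR; the
# `example-org/...` reusable-workflow path is a placeholder.
UNGUARDED = <<~YAML
  name: Auto link PR to Issues
  on:
    pull_request_target:
      types: [opened, edited, synchronize, reopened, closed]
  permissions:
    issues: write
  jobs:
    call-linker:
      uses: example-org/example-repo/.github/workflows/linker.yml@main
      secrets:
        ACTION_PAT: ${{ secrets.ACTION_PAT }}
YAML

# The same workflow with the job-level guard the review proposes.
GUARDED = UNGUARDED.sub(
  "  call-linker:\n",
  "  call-linker:\n    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}\n"
)

# The same secret on plain pull_request: fork PRs get no secrets there, so
# the trigger itself is the guard and nothing is reported.
PULL_REQUEST_ONLY = UNGUARDED.sub("pull_request_target:", "pull_request:")

# List-form `on:` and a step-level secret; only the job that uses one is named.
LIST_FORM = <<~YAML
  on: [push, pull_request_target]
  jobs:
    deploy:
      runs-on: ubuntu-latest
      steps:
        - run: ./deploy.sh
          env:
            TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    lint:
      runs-on: ubuntu-latest
      steps:
        - run: ./lint.sh
YAML

if $PROGRAM_NAME == __FILE__
  { "unguarded" => UNGUARDED, "guarded" => GUARDED,
    "pull_request" => PULL_REQUEST_ONLY, "list form" => LIST_FORM }.each do |label, text|
    puts "#{label}: #{unguarded_secret_jobs(text).inspect}"
  end
end
```

The check is intentionally conservative in one direction only: a guard written in some other form (a separate `authorize` job, or an `if:` on `github.actor`) is reported as unguarded, which is the right default for a linter since the reviewer can then confirm the alternative by hand. Point `unguarded_secret_jobs` at `File.read(".github/workflows/use-pr-linker.yml")` to run it against the file in this PR.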