Add use-pr-linker workflow to auto-link PRs to issues #828
Walkthrough: A single new GitHub Actions workflow file is introduced that automatically links pull requests to issues by calling a reusable workflow from the mosip/kattu repository, configured with appropriate permissions and trigger events.
Changes: PR-to-Issue Auto-linking Workflow
Estimated code review effort: 1 (Trivial) | ~3 minutes
Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>
Actionable comments posted: 2
Prompt for all review comments with AI agents:
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/use-pr-linker.yml:
- Around line 4-5: The workflow uses pull_request_target and forwards
secrets.ACTION_PAT into the reusable workflow (workflow_call.secrets.ACTION_PAT)
while trusting github.event.pull_request.title/body to derive target
REPO#/NUMBER for API writes; to fix, validate and constrain any parsed
"<owner>/<repo>#<n>" before making GitHub API calls by allowing only the base
repository (compare parsed owner/repo to github.event.repository.full_name) or
an explicit allowlist of safe repos, and/or require a PAT scoped to those target
repos; update the reusable workflow code paths that call the Issues/Comments
APIs (where REPO#/NUMBER is used) to perform this check and reject or ignore any
disallowed repo before performing create/update/delete operations.
- Line 19: Replace the mutable reusable-workflow ref in use-pr-linker.yml (the
line using "mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop") with a
pinned full commit SHA; update any references in that file that pass secrets
(e.g., secrets.ACTION_PAT) to match the called workflow’s declared secret name
(check its workflow_call.secrets for ACTION_PAT vs TOKEN) and rotate the PAT
before merging; also verify the upstream workflow does not checkout or execute
PR head code under pull_request_target privileges (ensure it treats PR contents
as untrusted) and document the pinned SHA so it can be rotated deliberately.
Files selected for processing (1): .github/workflows/use-pr-linker.yml
| pull_request_target: | ||
| types: |
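Review bot: pull_request_target runs in the base repository's context, so the secrets this workflow forwards are available even when the PR originates from a fork, while github.event.pull_request.title and .body are written by the PR author; anything parsed out of them has to be treated as untrusted input before it reaches an API write. Keep the top-level `permissions:` block at the minimum the linker needs (issue and pull-request write, everything else read or none) so the default GITHUB_TOKEN adds nothing beyond what the dedicated PAT already grants, and keep the `types:` list to the events that actually require re-parsing the PR text.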
Analysis chain
Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Inspect called reusable workflow at the referenced ref
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml
echo "== Declared workflow_call secrets =="
rg -n "workflow_call|secrets:|ACTION_PAT|TOKEN" /tmp/link-pr-to-issue.yml -C2
echo "== Potentially unsafe patterns for pull_request_target =="
rg -n "actions/checkout|github.event.pull_request.head|pull_request_target|run:" /tmp/link-pr-to-issue.yml -C2
```
Repository: mosip/mosip-helm
Length of output: 3523
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== use-pr-linker.yml context =="
ls -la .github/workflows/use-pr-linker.yml
sed -n '1,120p' .github/workflows/use-pr-linker.yml | nl -ba
echo
echo "== Downloaded reusable workflow (link-pr-to-issue.yml) =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml
wc -l /tmp/link-pr-to-issue.yml
echo
echo "== workflow_call secrets contract =="
rg -n 'workflow_call:\s*$|secrets:\s*$|ACTION_PAT|TOKEN' /tmp/link-pr-to-issue.yml -C1
echo
echo "== Check for checkout of PR head / untrusted code =="
# Single quotes keep \$ as a literal dollar in the regex (in double quotes it became an end-of-line anchor)
rg -n 'uses:\s*actions/checkout|with:\s*|ref:\s*\$\{\{\s*github\.event\.pull_request\.|github\.event\.pull_request\.head|pull_request_target' /tmp/link-pr-to-issue.yml -C2
echo
echo "== Any explicit head.sha/head.ref usage? =="
rg -n 'github\.event\.pull_request\.head\.(ref|sha)|github\.event\.pull_request\.(head|base)\.' /tmp/link-pr-to-issue.yml -C2 || true
echo
echo "== Any use of PR title/body in commands (injection-risk patterns) =="
rg -n 'PR_(TITLE|BODY)|pull_request\.(title|body)|body\}|title\}' /tmp/link-pr-to-issue.yml -C2
```
Repository: mosip/mosip-helm
Length of output: 237
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== use-pr-linker.yml =="
awk '{print NR ":" $0}' .github/workflows/use-pr-linker.yml | sed -n '1,140p'
echo
echo "== Downloaded reusable workflow (link-pr-to-issue.yml) =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml
wc -l /tmp/link-pr-to-issue.yml
echo
echo "== workflow_call secrets contract =="
rg -n 'workflow_call:|secrets:|ACTION_PAT|TOKEN' /tmp/link-pr-to-issue.yml -C2
echo
echo "== Check for checkout of PR head / untrusted code patterns =="
# Single quotes keep \$ as a literal dollar in the regex
rg -n 'uses:\s*actions/checkout|with:\s*$|ref:\s*\$\{\{\s*github\.event\.pull_request|github\.event\.pull_request\.head|pull_request_target' /tmp/link-pr-to-issue.yml -C2
echo
echo "== Explicit head.sha/head.ref usage? =="
rg -n 'github\.event\.pull_request\.head\.(ref|sha)|github\.event\.pull_request\.head|github\.event\.pull_request\.(head|base)\.' /tmp/link-pr-to-issue.yml -C2 || true
```
Repository: mosip/mosip-helm
Length of output: 3093
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Search for any pull_request.head usage (untrusted data source) =="
rg -n 'github\.event\.pull_request\.head' /tmp/link-pr-to-issue.yml -C2 || true
echo
echo "== Search for uses of PR title/body in run blocks =="
rg -n 'github\.event\.pull_request\.(title|body)' /tmp/link-pr-to-issue.yml -C2 || true
echo
echo "== Search for checkout / cloning / executing PR head content =="
rg -n 'actions/checkout|git clone|git checkout|checkout@|pull/|refs/pull/' /tmp/link-pr-to-issue.yml -C2 || true
echo
echo "== Show surrounding code where PR_TITLE/PR_BODY are used =="
rg -n 'PR_TITLE|PR_BODY|MARKER' /tmp/link-pr-to-issue.yml -C3 || true
```
Repository: mosip/mosip-helm
Length of output: 4090
Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "== Check for untrusted execution primitives =="
# Single-quoted so \$ and \| reach rg unchanged; the original had an empty
# alternative ("||") that matched every line and a "$\(" that matched nothing.
rg -n 'eval |bash -c|sh -c|node -e|python -c|perl -e|ruby -e|\$\(.*\)|\bexec\b|source\s+|chmod\s+\+x|curl .*\|.*bash|bash.*\|.*curl' /tmp/link-pr-to-issue.yml -C1 || true
echo
echo "== Check how PR_TITLE/PR_BODY are used beyond parsing =="
rg -n 'PR_TITLE|PR_BODY|CURRENT_BODY|BODY=' /tmp/link-pr-to-issue.yml -C2
echo
echo "== Check for curl URLs that embed PR-derived vars =="
rg -n 'curl .*\$\{?(PR_TITLE|PR_BODY|BODY|CURRENT_BODY|MARKER)' /tmp/link-pr-to-issue.yml -C2 || true
```
Repository: mosip/mosip-helm
Length of output: 12598
Harden pull_request_target secret usage: ACTION_PAT contract matches, but PR-derived issue refs can drive cross-repo API writes.
use-pr-linker.yml runs pull_request_target and passes secrets.ACTION_PAT to the reusable workflow’s workflow_call.secrets.ACTION_PAT (required). The reusable workflow does not check out PR head content, but it parses github.event.pull_request.title/body for optional <owner>/<repo>#<n> references and uses the derived REPO#/NUMBER directly in GitHub API calls to create/update/delete issue comments—so an attacker can steer comment modifications to any repo accessible by the PAT. Constrain/allowlist REPO to the base repo (or fixed repos) before making those API requests, and/or scope the PAT to only the allowed targets.
File: .github/workflows/use-pr-linker.yml (lines 4-5, 20-21)
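The allowlist check the comment asks for, written out as an added example rather than code from the mosip/kattu linker: a shell function that parses `<owner>/<repo>#<n>` and bare `#<n>` references out of untrusted PR text and emits only those whose repository is the base repository or an explicitly allowed one, rejecting the rest before any Issues/Comments API call could be made with them. It assumes the caller passes the PR title/body in as a string and the base repository name from `github.event.repository.full_name`; the sample body is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the mosip/kattu linker's own code: keep PR-derived issue
# references from steering API writes to arbitrary repositories.
# Assumptions: PR title/body arrive as one string (a workflow would pass
# github.event.pull_request.title/body in through env vars, never by
# interpolating them into the script), and the base repository is
# github.event.repository.full_name.
set -eu

# allowed_refs TEXT BASE_REPO [EXTRA_ALLOWED_REPO ...]
# Prints one "owner/repo#number" per line for each reference in TEXT whose
# repository is BASE_REPO or one of the extra allowed repos. Bare "#n" refs
# resolve to BASE_REPO. Anything else is logged to stderr and dropped, so it
# never reaches the Issues/Comments API.
allowed_refs() {
  local text="$1" base="$2"
  shift 2
  local allow=" $base $* "
  local ref repo
  printf '%s\n' "$text" \
    | grep -oE '([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)?#[0-9]+' \
    | while IFS= read -r ref; do
        case "$ref" in
          '#'*) repo="$base"; ref="$base$ref" ;;
          *)    repo="${ref%%#*}" ;;
        esac
        # Whitespace-delimited exact match, so "mosip/kattu" cannot be
        # satisfied by "mosip/kattu-fork" or "notmosip/kattu".
        case "$allow" in
          *" $repo "*) printf '%s\n' "$ref" ;;
          *) printf 'rejected reference to non-allowlisted repo: %s\n' "$ref" >&2 ;;
        esac
      done || true
}

# Constructed sample body: one bare ref, one allowed cross-repo ref and one
# reference to a repository outside the allowlist.
sample_body='Fixes #12. Related: mosip/kattu#7. Please also touch evil/repo#3.'
allowed_refs "$sample_body" mosip/mosip-helm mosip/kattu
```

Running the block prints `mosip/mosip-helm#12` and `mosip/kattu#7` on stdout and a rejection line for `evil/repo#3` on stderr; the PAT used for the subsequent API calls should still be scoped to the same set of repositories so the allowlist is enforced on both ends.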
| jobs: | ||
| call-linker: | ||
| uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop |
Pin the reusable workflow to an immutable commit SHA (avoid @develop + PAT on pull_request_target).
use-pr-linker.yml currently calls mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop and passes secrets.ACTION_PAT into the reusable workflow; using a mutable ref can let upstream change execution under pull_request_target privileges. Pin uses: to a full commit SHA and rotate deliberately. Also confirm the called workflow’s workflow_call.secrets name/contract (e.g., whether it expects ACTION_PAT vs TOKEN) and that it treats PR contents as untrusted (no checkout/execution of the PR head).
Suggested change
- uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
+ uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<full_commit_sha>
Tools
zizmor (1.25.2)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
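The weak and the hardened form of the caller side by side, as an added example and not the file from this PR or anything in mosip/kattu: the pinned `uses:` line the comment asks for, plus the explicit least-privilege `permissions:` block and the named-secret pass-through the walkthrough and the first comment describe. `<PINNED_COMMIT_SHA>` and `<date>` are placeholders, and the event types and permission scopes are assumptions about what the linker needs.

```yaml
# Added example (not the mosip/mosip-helm or mosip/kattu project's file).
# <PINNED_COMMIT_SHA> stands for the full 40-hex-digit SHA of the reviewed
# link-pr-to-issue.yml commit; event types and permissions are assumptions.
name: use-pr-linker

on:
  pull_request_target:
    types: [opened, edited, reopened]

# Least privilege for the default GITHUB_TOKEN. The linker's writes go through
# the dedicated PAT, which should itself be scoped to the allowed repositories.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  call-linker:
    # Weak: a mutable ref, so any later change on that branch runs here with
    # pull_request_target privileges and the PAT, without a change in this repo.
    #   uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
    # Hardened: an immutable ref. The trailing comment records where the SHA was
    # taken from so bumping it is a deliberate, reviewable change.
    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<PINNED_COMMIT_SHA> # develop as of <date>
    secrets:
      # Name must match the called workflow's workflow_call.secrets declaration.
      ACTION_PAT: ${{ secrets.ACTION_PAT }}
```

Pinning to a SHA is only useful if the pinned commit was actually read (the scripts above show what to look for: no checkout of the PR head, PR text handled only as data), and a dependency-update bot can be pointed at the comment to propose bumps.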
Summary
Adds use-pr-linker.yml workflow that calls the reusable PR-to-issue linker from mosip/kattu (@develop).
Notes
- ACTION_PAT repository secret to be configured.
- develop.