Skip to content

Add use-pr-linker workflow to auto-link PRs to issues #828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Ivanmeneges wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Add use-pr-linker workflow to auto-link PRs to issues #828

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .github/workflows/use-pr-linker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Auto link PR to Issues

on:
pull_request_target:
types:
Comment on lines +4 to +5

@coderabbitai coderabbitai Bot May 31, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect called reusable workflow at the referenced ref
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml

echo "== Declared workflow_call secrets =="
rg -n "workflow_call|secrets:|ACTION_PAT|TOKEN" /tmp/link-pr-to-issue.yml -C2

echo "== Potentially unsafe patterns for pull_request_target =="
rg -n "actions/checkout|github.event.pull_request.head|pull_request_target|run:" /tmp/link-pr-to-issue.yml -C2

Repository: mosip/mosip-helm

Length of output: 3523

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== use-pr-linker.yml context =="
ls -la .github/workflows/use-pr-linker.yml
sed -n '1,120p' .github/workflows/use-pr-linker.yml | nl -ba

echo
echo "== Downloaded reusable workflow (link-pr-to-issue.yml) =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml
wc -l /tmp/link-pr-to-issue.yml

echo
echo "== workflow_call secrets contract =="
rg -n "workflow_call:\s*$|secrets:\s*$|ACTION_PAT|TOKEN" /tmp/link-pr-to-issue.yml -n -C1

echo
echo "== Check for checkout of PR head / untrusted code =="
rg -n "uses:\s*actions/checkout|with:\s*|ref:\s*\$\{\{\s*github\.event\.pull_request\.|github\.event\.pull_request\.head|pull_request_target" /tmp/link-pr-to-issue.yml -C2

echo
echo "== Any explicit head.sha/head.ref usage? =="
rg -n "github\.event\.pull_request\.head\.(ref|sha)|github\.event\.pull_request\.(head|base)\." /tmp/link-pr-to-issue.yml -C2 || true

echo
echo "== Any use of PR title/body/body in commands (injection-risk patterns) =="
rg -n "PR_(TITLE|BODY)|pull_request\.(title|body)|body\}|title\}" /tmp/link-pr-to-issue.yml -C2

Repository: mosip/mosip-helm

Length of output: 237

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== use-pr-linker.yml =="
awk '{print NR ":" $0}' .github/workflows/use-pr-linker.yml | sed -n '1,140p'

echo
echo "== Downloaded reusable workflow (link-pr-to-issue.yml) =="
curl -fsSL https://raw.githubusercontent.com/mosip/kattu/develop/.github/workflows/link-pr-to-issue.yml > /tmp/link-pr-to-issue.yml
wc -l /tmp/link-pr-to-issue.yml

echo
echo "== workflow_call secrets contract =="
rg -n "workflow_call:|secrets:|ACTION_PAT|TOKEN" /tmp/link-pr-to-issue.yml -n -C2

echo
echo "== Check for checkout of PR head / untrusted code patterns =="
rg -n "uses:\s*actions/checkout|with:\s*$|ref:\s*\$\{\{\s*github\.event\.pull_request|github\.event\.pull_request\.head|pull_request_target" /tmp/link-pr-to-issue.yml -C2

echo
echo "== Explicit head.sha/head.ref usage? =="
rg -n "github\.event\.pull_request\.head\.(ref|sha)|github\.event\.pull_request\.head|github\.event\.pull_request\.(head|base)\." /tmp/link-pr-to-issue.yml -C2 || true

Repository: mosip/mosip-helm

Length of output: 3093

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for any pull_request.head usage (untrusted data source) =="
rg -n "github\.event\.pull_request\.head" /tmp/link-pr-to-issue.yml -n -C2 || true

echo
echo "== Search for uses of PR title/body in run blocks =="
rg -n "github\.event\.pull_request\.(title|body)" /tmp/link-pr-to-issue.yml -n -C2 || true

echo
echo "== Search for checkout / cloning / executing PR head content =="
rg -n "actions/checkout|git clone|git checkout|checkout@|pull/|refs/pull/" /tmp/link-pr-to-issue.yml -n -C2 || true

echo
echo "== Show surrounding code where PR_TITLE/PR_BODY are used =="
rg -n "PR_TITLE|PR_BODY|MARKER" /tmp/link-pr-to-issue.yml -n -C3 || true

Repository: mosip/mosip-helm

Length of output: 4090

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check for untrusted execution primitives =="
rg -n "eval |bash -c|sh -c|node -e|python -c|perl -e|ruby -e|\$\(.*\)|\bexec\b||source\s+|chmod\s+\+x|curl .*\\\|.*bash|bash.*\\\|.*curl" /tmp/link-pr-to-issue.yml -n -C1 || true

echo
echo "== Check how PR_TITLE/PR_BODY are used beyond parsing =="
rg -n "PR_TITLE|PR_BODY|CURRENT_BODY|BODY=" /tmp/link-pr-to-issue.yml -n -C2

echo
echo "== Check for curl URLs that embed PR-derived vars =="
rg -n "curl .*\\$\(PR_TITLE|PR_BODY|BODY|CURRENT_BODY|MARKER)" /tmp/link-pr-to-issue.yml -n -C2 || true

Repository: mosip/mosip-helm

Length of output: 12598

Harden pull_request_target secret usage: ACTION_PAT contract matches, but PR-derived issue refs can drive cross-repo API writes.

use-pr-linker.yml runs pull_request_target and passes secrets.ACTION_PAT to the reusable workflow’s workflow_call.secrets.ACTION_PAT (required). The reusable workflow does not check out PR head content, but it parses github.event.pull_request.title/body for optional <owner>/<repo>#<n> references and uses the derived REPO#/NUMBER directly in GitHub API calls to create/update/delete issue comments—so an attacker can steer comment modifications to any repo accessible by the PAT. Constrain/allowlist REPO to the base repo (or fixed repos) before making those API requests, and/or scope the PAT to only the allowed targets.

File: .github/workflows/use-pr-linker.yml (lines 4-5, 20-21)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/use-pr-linker.yml around lines 4 - 5, The workflow uses
pull_request_target and forwards secrets.ACTION_PAT into the reusable workflow
(workflow_call.secrets.ACTION_PAT) while trusting
github.event.pull_request.title/body to derive target REPO#/NUMBER for API
writes; to fix, validate and constrain any parsed "<owner>/<repo>#<n>" before
making GitHub API calls by allowing only the base repository (compare parsed
owner/repo to github.event.repository.full_name) or an explicit allowlist of
safe repos, and/or require a PAT scoped to those target repos; update the
reusable workflow code paths that call the Issues/Comments APIs (where
REPO#/NUMBER is used) to perform this check and reject or ignore any disallowed
repo before performing create/update/delete operations.

- opened
- edited
- synchronize
- reopened
- closed

permissions:
contents: read
issues: write
pull-requests: read

jobs:
call-linker:
uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop

@coderabbitai coderabbitai Bot May 31, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the reusable workflow to an immutable commit SHA (avoid @develop + PAT on pull_request_target).

use-pr-linker.yml currently calls mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop and passes secrets.ACTION_PAT into the reusable workflow; using a mutable ref can let upstream change execution under pull_request_target privileges. Pin uses: to a full commit SHA and rotate deliberately. Also confirm the called workflow’s workflow_call.secrets name/contract (e.g., whether it expects ACTION_PAT vs TOKEN) and that it treats PR contents as untrusted (no checkout/execution of the PR head).

Suggested change 
-    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
+    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/use-pr-linker.yml at line 19, Replace the mutable
reusable-workflow ref in use-pr-linker.yml (the line using
"mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop") with a pinned full
commit SHA; update any references in that file that pass secrets (e.g.,
secrets.ACTION_PAT) to match the called workflow’s declared secret name (check
its workflow_call.secrets for ACTION_PAT vs TOKEN) and rotate the PAT before
merging; also verify the upstream workflow does not checkout or execute PR head
code under pull_request_target privileges (ensure it treats PR contents as
untrusted) and document the pinned SHA so it can be rotated deliberately.

secrets:
ACTION_PAT: ${{ secrets.ACTION_PAT }}
Loading