add a GitHub Workflow to add bugs to the project board#12225
784c7d5 to 83f6e76
| name: Add bug to project | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/add-to-project@v1.0.2 | ||
| with: | ||
| project-url: https://github.com/orgs/IQSS/projects/34 | ||
| github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} | ||
| labeled: "Type: Bug" |
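Review bot: the `uses: actions/add-to-project@v1.0.2` line pins a third-party action to a mutable tag; pin it to a full-length commit SHA (keeping the version in a trailing comment) so a moved or retagged release cannot change the code that runs with the `ADD_TO_PROJECT_PAT` secret. Since that step authenticates with the PAT, the job never needs the default GITHUB_TOKEN grant, which is the gap the CodeQL "Workflow does not contain permissions" warning points at; a `permissions:` block on the job would close it.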
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 1 day ago):
In general, this issue is fixed by adding a permissions block to the workflow or to individual jobs, specifying the least privileges the workflow requires. This prevents the workflow from inheriting potentially broad default GITHUB_TOKEN permissions from the repository or organization.
For this specific workflow, the job listens to issues events and uses a separate PAT for the actions/add-to-project step. The job itself does not obviously need to write to repository contents or other resources using GITHUB_TOKEN, so we can safely restrict GITHUB_TOKEN to read-only access to the repository contents by adding permissions: contents: read. To avoid altering behavior, we will add this at the job level for add-to-project, immediately under the job key, leaving the rest of the workflow unchanged.
Concretely:
- Edit .github/workflows/add_bugs_to_project.yml.
- Under jobs: add-to-project:, add:
    permissions:
      contents: read
- Keep indentation consistent (two spaces under the job key).
- No new imports or external libraries are needed, as this is purely a workflow configuration change.
| @@ -10,6 +10,8 @@ | ||
| add-to-project: | ||
| name: Add bug to project | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/add-to-project@v1.0.2 | ||
| with: |
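Review bot: `contents: read` at job level clears the scanner finding, but the only step in this job authenticates with `secrets.ADD_TO_PROJECT_PAT` and nothing checks out the repository, so GITHUB_TOKEN needs no scope here at all; `permissions: {}` would be the minimal grant. Also note the block is job-scoped: a workflow-level `permissions:` would cover any job added to this file later, whereas this hunk only protects `add-to-project`.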
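To catch the two points raised in this thread (a job with no permissions block, and an action pinned to a tag rather than a commit SHA) before a push reaches CodeQL, here is an added example linter; it is not part of this PR or the Dataverse repository. It is a line-based scan of two-space-indented workflow YAML like the one above, with a constructed sample workflow embedded, and deliberately avoids a YAML parser so it runs with the standard library only.

```python
import re

# Constructed sample mirroring the workflow in this PR; not the repository's file.
SAMPLE_WORKFLOW = """\
name: Add bug to project
on:
  issues:
    types: [opened, labeled]
jobs:
  add-to-project:
    name: Add bug to project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/orgs/IQSS/projects/34
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
          labeled: "Type: Bug"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable pin: 40-hex commit id
USES_RE = re.compile(r"^-?\s*uses:\s*(\S+)")     # 'uses:' with or without list dash

def lint_workflow(text):
    """Scan 2-space-indented workflow YAML and return findings: jobs lacking a
    permissions block when none is set at workflow level, and third-party
    actions whose '@ref' is not a full commit SHA."""
    findings, top_permissions, job_perms, job, in_jobs = [], False, {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                           # workflow-level key
            in_jobs, job = stripped == "jobs:", None
            top_permissions |= stripped.startswith("permissions:")
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]                   # a new job id
            job_perms[job] = False
        elif job and indent == 4 and stripped.startswith("permissions:"):
            job_perms[job] = True                 # job-level grant present
        m = USES_RE.match(stripped)
        if m and "@" in m.group(1) and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).rpartition("@")
            if not SHA_RE.match(ref):
                findings.append(f"{action}: pinned to mutable ref '{ref}', pin to a commit SHA")
    if not top_permissions:                       # no workflow-wide grant to inherit
        for name, has_perms in job_perms.items():
            if not has_perms:
                findings.append(f"job '{name}': no permissions block, GITHUB_TOKEN inherits repository default")
    return findings

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the sample it reports both findings; adding `permissions: {}` under the job and replacing the tag with a commit SHA makes it return an empty list.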
83f6e76 to 8635fa5
What this PR does / why we need it:
We'd like all new issues that are labeled as bugs to be automatically added to project 34. They will show up (among other places) in the "Open Bugs" view at IQSS Dataverse Project (view)
Special notes for your reviewer:
Here are the docs: https://github.com/actions/add-to-project
I added a secret called ADD_TO_PROJECT_PAT for @dataversebot to the "dataverse" repo. See "Creating a PAT and adding it to your repository" in the docs above. I made a classic token with "project" scope, as required. PAT stands for Personal Access Token and it's currently tied to my account (@pdurbin). I also gave @dataversebot write access to project 34 here: IQSS Dataverse Project
Suggestions on how to test this:
- Merge this.
- Create a new issue with label:"Type: Bug". Check if it was added to the project.
- Find an existing issue that doesn't have label:"Type: Bug". Add that label. See if it was added to the project.
- Try creating an issue without that label. It shouldn't be added.
Also, you can test over at https://github.com/IQSS/dataverse-installations because I set it up there first. (I added the same ADD_TO_PROJECT_PAT there too.)
Here's how it looks: