Add use-pr-linker workflow to auto-link PRs to issues #331

Open
Ivanmeneges wants to merge 1 commit into develop from add/use-pr-linker-workflow-develop
Conversation

@Ivanmeneges Ivanmeneges (Contributor) commented May 25, 2026

Adds use-pr-linker.yml workflow calling mosip/kattu link-pr-to-issue.yml@develop

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Added an automated workflow that links pull requests to their related issues, improving traceability and streamlining issue management across the PR lifecycle. This enhances coordination between code changes and issue tracking and helps maintainers and reviewers follow context more easily.

@coderabbitai coderabbitai Bot commented May 25, 2026

Walkthrough

A new GitHub Actions workflow is added that triggers on pull request lifecycle events, declares explicit permissions for contents/issues/pull-requests, and delegates PR-to-issue linking to a reusable workflow by passing a workflow token via the ACTION_PAT secret.

Changes

PR-to-Issue Linking Workflow

Layer / File(s): PR linker workflow configuration (.github/workflows/use-pr-linker.yml)
Summary: Workflow triggers on pull_request_target events (opened, edited, synchronize, reopened, closed), grants contents: read, pull-requests: read, issues: write, and calls the reusable workflow mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop with the ACTION_PAT secret.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • mosip/kattu#323: Adds the reusable link-pr-to-issue.yml workflow that this PR delegates to.
  • mosip/kattu#330: Updates the link-pr-to-issue.yml reusable workflow logic invoked by this PR.

Poem

🐰 I hop to link PRs with cheer,
A secret token held so near,
I call the reusable tune,
And tie issues to PR soon —
Hooray! Automation's here 🌱

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add use-pr-linker workflow to auto-link PRs to issues' accurately and clearly describes the main change—adding a new GitHub Actions workflow for automatically linking pull requests to issues.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/use-pr-linker.yml:
- Line 14: Replace the floating reusable-workflow reference in the uses
statement (currently
"mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop") with a fixed
commit SHA to avoid supply-chain risk; update the uses line to reference the
provided commit SHA "ab3a7a4bbbd97097acafbcafc11780be9c038766" while preserving
the existing secrets.ACTION_PAT input so the workflow behavior and token
forwarding (GH_TOKEN) remain unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 328a3323-d5da-4371-b13d-a2224ed1203b

📥 Commits

Reviewing files that changed from the base of the PR and between ab3a7a4 and f5e079b.

📒 Files selected for processing (1)
  • .github/workflows/use-pr-linker.yml

@Ivanmeneges Ivanmeneges force-pushed the add/use-pr-linker-workflow-develop branch from 15c93fa to 3c5ced9 Compare May 25, 2026 11:08
Signed-off-by: Ivanmeneges <ivan.anil016@gmail.com>
@Ivanmeneges Ivanmeneges force-pushed the add/use-pr-linker-workflow-develop branch from 3c5ced9 to 2e6ae19 Compare May 29, 2026 15:35
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/use-pr-linker.yml:
- Around line 3-10: The workflow currently uses pull_request_target and exposes
the write-capable secret ACTION_PAT to PR events; restrict exposure by guarding
usage of ACTION_PAT and any steps that run with pull_request_target: either
switch the trigger to pull_request (safe default) or keep pull_request_target
but add a runtime guard that only sets/exports ACTION_PAT and runs the
authenticated/commenting steps when the PR originates from the same repo (e.g.
check github.event.pull_request.head.repo.owner == github.repository_owner or
github.event.pull_request.head.repo.fork == false) — locate references to
pull_request_target and the ACTION_PAT environment/secret and wrap the job/steps
that call the downstream workflow or perform comments/edits with this
conditional so forks cannot receive ACTION_PAT.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fa7f49a4-1b76-47b4-8419-67af27d94dc4

📥 Commits

Reviewing files that changed from the base of the PR and between f5e079b and 2e6ae19.

📒 Files selected for processing (1)
  • .github/workflows/use-pr-linker.yml

Comment on lines +3 to +10
on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
      - reopened
      - closed
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Guard pull_request_target before exposing ACTION_PAT.

This workflow forwards a write-capable secret on pull_request_target, which can run on fork-originated PR events. Since the called workflow performs authenticated write/delete issue-comment operations, this is a high-risk secret exposure path.

🔒 Minimal hardening diff
 jobs:
   call-linker:
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@develop
     secrets:
       ACTION_PAT: ${{ secrets.ACTION_PAT }}
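Review bot: the `uses:` context line in this hunk still floats on `@develop`, so the hardening as shown leaves the earlier finding (line 14, pin to a commit SHA) unresolved; land the `if:` guard together with the pin, e.g. `uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<full 40-character SHA>`, since a floating ref lets a later change to the called workflow receive ACTION_PAT without review here. The guard itself is sound for its purpose: for a fork PR `head.repo.full_name` differs from `github.repository`, and if the fork was deleted `head.repo` is null and the comparison still fails, so the job is skipped; the trade-off is that the linker never runs for fork contributors, which should be stated in the PR description.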

Also applies to: 20-21

🧰 Tools
🪛 zizmor (1.25.2)

[error] 3-10: use of fundamentally insecure workflow trigger (dangerous-triggers): pull_request_target is almost always used insecurely

(dangerous-triggers)

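The complete hardened workflow that the review above calls for, as an added example rather than the file from this PR (which the page does not show in full): the triggers, permissions, job name and secret forwarding are reconstructed from the CodeRabbit walkthrough, the `if:` guard is the one from the hardening diff, and `name:` and the `<KATTU_COMMIT_SHA>` placeholder are assumptions.

```yaml
# .github/workflows/use-pr-linker.yml (hardened variant, added example)
name: Link PR to issue   # assumed name; not shown on the page

on:
  # pull_request_target runs in the base-repo context with secrets available,
  # so every job below must be guarded against fork-originated PRs.
  pull_request_target:
    types: [opened, edited, synchronize, reopened, closed]

# Least-privilege scopes for the caller; a reusable workflow cannot exceed them.
permissions:
  contents: read
  pull-requests: read
  issues: write

jobs:
  call-linker:
    # Guard: only run (and therefore only forward ACTION_PAT) when the head
    # branch lives in this repository. For a fork, head.repo.full_name differs;
    # for a deleted fork, head.repo is null. Both cases skip the job.
    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
    # Pin the called workflow to a full 40-character commit SHA instead of the
    # floating @develop ref. <KATTU_COMMIT_SHA> is a placeholder: substitute
    # the mosip/kattu commit you have reviewed. The trailing comment records
    # the branch it was taken from so the pin can be bumped deliberately.
    uses: mosip/kattu/.github/workflows/link-pr-to-issue.yml@<KATTU_COMMIT_SHA> # develop
    secrets:
      ACTION_PAT: ${{ secrets.ACTION_PAT }}
```

Switching the trigger to `pull_request` instead would also block fork access to ACTION_PAT, but then no secret is available for fork PRs at all and the linker silently does nothing for them, so the guarded `pull_request_target` form makes the skip explicit in the run log.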