ci: add Engineering Kanban shared workflow #10
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| name: Engineering Kanban (shared) | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| issue_url: | ||
| description: URL of the issue to add (empty string if not an issue event) | ||
| type: string | ||
| default: '' | ||
| pr_url: | ||
| description: URL of the PR to add (empty string if not a PR event) | ||
| type: string | ||
| default: '' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| add-to-project: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Generate project app token | ||
| id: app-token | ||
| uses: actions/create-github-app-token@v2 | ||
| with: | ||
| app-id: ${{ secrets.PROJECT_APP_ID }} | ||
| private-key: ${{ secrets.PROJECT_APP_PRIVATE_KEY }} | ||
| owner: zitadel | ||
|
|
||
| - name: Add issue to kanban | ||
| if: inputs.issue_url != '' | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| ITEM_ID=$(gh project item-add 15 --owner zitadel \ | ||
| --url "${{ inputs.issue_url }}" --format json | jq -r '.id') | ||
|
Member
There was a problem hiding this comment. These workflow inputs are interpolated directly into a shell script. The current intended values are GitHub-generated URLs, but reusable workflow inputs are still a sharp edge if a future caller passes anything user-controlled. Safer pattern: assign the expression to an environment variable, then use |
||
| gh project item-edit \ | ||
| --project-id "PVT_kwDOBCxI8c4Bbg8_" \ | ||
| --id "$ITEM_ID" \ | ||
| --field-id "PVTSSF_lADOBCxI8c4Bbg8_zhWQ9SY" \ | ||
| --single-select-option-id "2cd48e0f" | ||
|
|
||
| - name: Add PR to kanban | ||
| if: inputs.pr_url != '' | ||
|
Member
There was a problem hiding this comment. The PR description says the shared workflow adds “community PRs” and that all logic lives here, but this condition accepts any PR URL the caller passes. If thin caller workflows pass |
||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| ITEM_ID=$(gh project item-add 15 --owner zitadel \ | ||
| --url "${{ inputs.pr_url }}" --format json | jq -r '.id') | ||
| gh project item-edit \ | ||
| --project-id "PVT_kwDOBCxI8c4Bbg8_" \ | ||
| --id "$ITEM_ID" \ | ||
| --field-id "PVTSSF_lADOBCxI8c4Bbg8_zhWQ9SY" \ | ||
| --single-select-option-id "2cd48e0f" | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because this is a reusable
workflow_call, these app secrets should either be declared underon.workflow_call.secretsas required inputs or every caller must usesecrets: inherit. Named secret passing fails unless the called workflow declares the secret names, so making the secret contract explicit would make the thin caller workflows less fragile.