38 changes: 38 additions & 0 deletions .github/workflows/add-to-project.yml
@@ -0,0 +1,38 @@
name: Add to project

on:
issues:
types: [opened]

jobs:
add-to-project:
name: Add to project
runs-on: ubuntu-latest
steps:
- uses: actions/add-to-project@v1.0.2
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/add-to-project.yml | head -20

Repository: evstack/ev-metrics

Length of output: 642


🏁 Script executed:

# Check if we can find any information about the actions/add-to-project repository
# Look for any documentation or references in the codebase
rg "actions/add-to-project" -A 2 -B 2

Repository: evstack/ev-metrics

Length of output: 44


🌐 Web query:

actions/add-to-project v1.0.2 commit SHA github

💡 Result:

actions/add-to-project@v1.0.2 resolves to commit SHA:

244f685bbc3b7adfa8466e08b698b5577571133e [1]


🌐 Web query:

actions/add-to-project v1.0.2 release tag github 244f685bbc3b7adfa8466e08b698b5577571133e

💡 Result:

The actions/add-to-project v1.0.2 GitHub release/tag points to commit 244f685bbc3b7adfa8466e08b698b5577571133e (short SHA 244f685). The release was published June 24, 2024. [1][2]


🌐 Web query:

actions/add-to-project releases page v1.0.2 commit

💡 Result:

actions/add-to-project@v1.0.2 points to commit 244f685bbc3b7adfa8466e08b698b5577571133e (short SHA 244f685). [1][2]

Sources:
[1] https://github.com/actions/add-to-project/releases
[2] actions/add-to-project@244f685


Pin actions/add-to-project to a full commit SHA.

Release tags are mutable and a malicious actor can override them. Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release.

🔒 Proposed fix — pin to commit SHA with tag comment
-     - uses: actions/add-to-project@v1.0.2
+     - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e  # v1.0.2
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/add-to-project@v1.0.2
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/add-to-project.yml at line 12, the workflow currently
references the action with a mutable tag "actions/add-to-project@v1.0.2";
replace that tag with the action's immutable full commit SHA (e.g.,
actions/add-to-project@<full-commit-sha>) to pin the action to a specific
commit, fetching the correct SHA from the action repository's commit history and
updating the uses line accordingly so the workflow uses the fixed commit instead
of a mutable tag.
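A lint a repository owner can run over a workflow file to catch the mutable-tag problem this comment raises, added here as an example and not part of the PR or of the review bot's tooling. The sample workflow text is constructed; only the commit SHA quoted in the comment above comes from the page.

```python
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# One workflow step line, e.g.:  - uses: actions/add-to-project@v1.0.2  # optional trailing comment
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*["']?(?P<ref>[^\s"'#]+)["']?\s*(?:#\s*(?P<note>\S.*))?$""")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str
    blocking: bool  # True: mutable ref; False: pinned, but the readable tag comment is missing


def check_action_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not an immutable full-SHA pin."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image: not a GitHub tag reference
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref given; resolves to the action's default branch", True))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA.match(version):
            findings.append(Finding(lineno, ref, f"mutable ref {version!r}; pin to the full 40-hex commit SHA", True))
        elif not m.group("note"):
            findings.append(Finding(lineno, ref, "pinned, but add a '# vX.Y.Z' comment naming the release", False))
    return findings


# Constructed sample workflow (not the PR's file): one tag ref, one SHA pin with tag comment,
# one local action and one branch ref.
SAMPLE_WORKFLOW = """\
jobs:
  add-to-project:
    steps:
      - uses: actions/add-to-project@v1.0.2
      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e  # v1.0.2
      - uses: ./.github/actions/local-helper
      - uses: actions/checkout@main
"""

if __name__ == "__main__":
    for f in check_action_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```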

id: add
with:
project-url: https://github.com/orgs/evstack/projects/7
github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}

- name: Set Area to devx
env:
GH_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
ITEM_ID: ${{ steps.add.outputs.itemId }}
run: |
# Get the field and option IDs for Area=devx
PROJECT_ID=$(gh project list --owner evstack --format json \
| jq -r '.projects[] | select(.number==7) | .id')

FIELD_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
| jq -r '.fields[] | select(.name=="Area") | .id')

OPTION_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
| jq -r '.fields[] | select(.name=="Area") | .options[] | select(.name=="devx") | .id')

gh project item-edit \
--owner evstack \
--project-number 7 \
--id "$ITEM_ID" \
--field-id "$FIELD_ID" \
--single-select-option-id "$OPTION_ID"
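Review bot: the `run:` script at lines 22-38 runs under the default `bash -e` shell but never sets `pipefail`, so if `gh project list` or `gh project field-list` fails (expired or under-scoped ADD_TO_PROJECT_PAT, for example), the `jq -r` at the end of each pipeline still exits 0 on empty input and the step carries on with an empty PROJECT_ID, FIELD_ID or OPTION_ID; add `set -o pipefail` as the first line of the script (or `shell: bash` plus `set -euo pipefail`) so the failing `gh` call is what stops the job. Separately, the workflow declares no top-level `permissions:` block; since both steps authenticate with the PAT rather than GITHUB_TOKEN, a `permissions: {}` at the top of the file would reduce the job's default token grants to nothing without changing behaviour.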
Comment on lines +22 to +38
⚠️ Potential issue | 🟠 Major

Add empty-variable guards to surface actionable errors.

jq -r exits 0 even when a filter matches nothing (returns empty string). Because of this, FIELD_ID or OPTION_ID being empty won't trigger the default -e exit, so a name mismatch (e.g., field is not literally "Area", option is not literally "devx") will silently pass empty strings to the downstream commands and produce cryptic gh errors rather than a clear diagnostic.
Error-checking patterns like testing whether an ID variable is empty and exiting with an explicit message are a commonly used safeguard in these workflows.

🛡️ Proposed fix — add guards after each ID resolution
          PROJECT_ID=$(gh project list --owner evstack --format json \
            | jq -r '.projects[] | select(.number==7) | .id')
+         [ -z "$PROJECT_ID" ] && { echo "Error: project 7 not found"; exit 1; }

          FIELD_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
            | jq -r '.fields[] | select(.name=="Area") | .id')
+         [ -z "$FIELD_ID" ] && { echo "Error: 'Area' field not found"; exit 1; }

-         OPTION_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
+         OPTION_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \  # reuse cached output — see refactor comment
            | jq -r '.fields[] | select(.name=="Area") | .options[] | select(.name=="devx") | .id')
+         [ -z "$OPTION_ID" ] && { echo "Error: 'devx' option not found in 'Area' field"; exit 1; }
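Review bot: the trailing `\  # reuse cached output — see refactor comment` on the OPTION_ID line of this proposed fix breaks the line continuation: a backslash followed by a space escapes the space, not the newline, the `#` then comments out the rest of the line, and the following `| jq -r ...` line is parsed as a new command starting with a pipe, which is a shell syntax error. Drop the comment or move it onto its own line above the assignment; the committable suggestion below carries the same defect, and the "refactor comment" it points to does not appear in this review.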
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
# Get the field and option IDs for Area=devx
PROJECT_ID=$(gh project list --owner evstack --format json \
| jq -r '.projects[] | select(.number==7) | .id')
FIELD_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
| jq -r '.fields[] | select(.name=="Area") | .id')
OPTION_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
| jq -r '.fields[] | select(.name=="Area") | .options[] | select(.name=="devx") | .id')
gh project item-edit \
--owner evstack \
--project-number 7 \
--id "$ITEM_ID" \
--field-id "$FIELD_ID" \
--single-select-option-id "$OPTION_ID"
run: |
# Get the field and option IDs for Area=devx
PROJECT_ID=$(gh project list --owner evstack --format json \
| jq -r '.projects[] | select(.number==7) | .id')
[ -z "$PROJECT_ID" ] && { echo "Error: project 7 not found"; exit 1; }
FIELD_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \
| jq -r '.fields[] | select(.name=="Area") | .id')
[ -z "$FIELD_ID" ] && { echo "Error: 'Area' field not found"; exit 1; }
OPTION_ID=$(gh project field-list "$PROJECT_ID" --owner evstack --format json \ # reuse cached output — see refactor comment
| jq -r '.fields[] | select(.name=="Area") | .options[] | select(.name=="devx") | .id')
[ -z "$OPTION_ID" ] && { echo "Error: 'devx' option not found in 'Area' field"; exit 1; }
gh project item-edit \
--owner evstack \
--project-number 7 \
--id "$ITEM_ID" \
--field-id "$FIELD_ID" \
--single-select-option-id "$OPTION_ID"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/add-to-project.yml around lines 22 - 38, after resolving
PROJECT_ID, FIELD_ID and OPTION_ID, add empty-variable guards that test each
(e.g., [ -z "$PROJECT_ID" ], [ -z "$FIELD_ID" ], [ -z "$OPTION_ID" ]) and when
empty print a clear error to stderr (describing which lookup failed, e.g.,
"failed to find Project ID for number 7", "failed to find field 'Area'", "failed
to find option 'devx'") and exit non‑zero; place these checks immediately after
the assignments for PROJECT_ID, FIELD_ID and OPTION_ID so the subsequent gh
project item-edit call never runs with empty IDs.
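The same FIELD_ID and OPTION_ID lookup written with explicit failure paths, as an added example and not the PR's script or the reviewer's suggestion. It assumes the JSON shape implied by the workflow's jq filters, uses made-up ids, and goes one step further than the comment above by also rejecting an ambiguous field name, which `jq -r` would print as several lines joined into one shell variable.

```python
import json


class ProjectLookupError(RuntimeError):
    """Raised with a specific message instead of letting an empty ID reach `gh project item-edit`."""


def resolve_single_select(field_list_json: str, field_name: str, option_name: str) -> tuple[str, str]:
    """Strict equivalent of the workflow's two jq filters: returns (field_id, option_id),
    raising on a missing field, a missing option, or a duplicated field name."""
    fields = json.loads(field_list_json).get("fields", [])
    matches = [f for f in fields if f.get("name") == field_name]
    if not matches:
        raise ProjectLookupError(
            f"field {field_name!r} not found; fields are {[f.get('name') for f in fields]}")
    if len(matches) > 1:
        # jq -r would print every id on its own line and the shell variable would hold all of them
        raise ProjectLookupError(f"{len(matches)} fields are named {field_name!r}; refusing to guess")
    field = matches[0]
    options = [o for o in field.get("options", []) if o.get("name") == option_name]
    if not options:
        raise ProjectLookupError(
            f"option {option_name!r} not found in field {field_name!r}; "
            f"options are {[o.get('name') for o in field.get('options', [])]}")
    return field["id"], options[0]["id"]


# Constructed sample in the shape `gh project field-list --format json` prints (shape assumed from the
# workflow's jq filters; ids and names are made up, not the evstack project's).
SAMPLE_FIELD_LIST = json.dumps({"fields": [
    {"id": "PVTF_title", "name": "Title"},
    {"id": "PVTSSF_area", "name": "Area",
     "options": [{"id": "opt_devx", "name": "devx"}, {"id": "opt_core", "name": "core"}]},
]})

if __name__ == "__main__":
    print(resolve_single_select(SAMPLE_FIELD_LIST, "Area", "devx"))
    try:
        resolve_single_select(SAMPLE_FIELD_LIST, "Area", "DevX")  # case mismatch: the silent-empty case
    except ProjectLookupError as e:
        print("error:", e)
```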

Comment on lines +33 to +38
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

gh project item-edit flags documentation GitHub CLI official

💡 Result:

Official docs for gh project item-edit (including the full list of flags/options) are in the GitHub CLI manual: gh_project_item-edit. (cli.github.com)

It lists these flags/options (among others): --id, --project-id, --field-id, --text, --number, --date, --iteration-id, --single-select-option-id, and --clear. (cli.github.com)


gh project item-edit does not accept --project-number or --owner — this step will always fail at runtime.

The gh project item-edit command only supports flags like --id, --project-id, --field-id, and --single-select-option-id. Using --project-number or --owner will produce an "unknown flag" error. Since PROJECT_ID is already resolved above, replace the invalid flags with --project-id "$PROJECT_ID".

🐛 Proposed fix
          gh project item-edit \
-           --owner evstack \
-           --project-number 7 \
            --id "$ITEM_ID" \
+           --project-id "$PROJECT_ID" \
            --field-id "$FIELD_ID" \
            --single-select-option-id "$OPTION_ID"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
gh project item-edit \
--owner evstack \
--project-number 7 \
--id "$ITEM_ID" \
--field-id "$FIELD_ID" \
--single-select-option-id "$OPTION_ID"
gh project item-edit \
--id "$ITEM_ID" \
--project-id "$PROJECT_ID" \
--field-id "$FIELD_ID" \
--single-select-option-id "$OPTION_ID"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/add-to-project.yml around lines 33 - 38, the gh project
item-edit invocation uses unsupported flags (--project-number and --owner) and
will fail; update the gh project item-edit call to use the resolved PROJECT_ID
by replacing the invalid flags with --project-id "$PROJECT_ID" while keeping the
existing --id, --field-id and --single-select-option-id flags (i.e., call gh
project item-edit with --project-id "$PROJECT_ID" --id "$ITEM_ID" --field-id
"$FIELD_ID" --single-select-option-id "$OPTION_ID").