Skip to content

ci: backport latest add-to-project workflow, rename FS -> FOC#50

Merged
BigLep merged 2 commits into
masterfrom
ci/backport-foc-project-board-workflow
Jul 7, 2026
Merged

ci: backport latest add-to-project workflow, rename FS -> FOC#50
BigLep merged 2 commits into
masterfrom
ci/backport-foc-project-board-workflow

Conversation

@BigLep

@BigLep BigLep commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What

Backports the latest-and-greatest version of the "add issues and PRs to project board" workflow (the one currently running in FilOzone/synapse-sdk) into the canonical sample that lives here and is manually copied to other repos.

Functional changes:

  • Pin actions/add-to-project to the v2.0.0 commit hash (was v1.0.2).
  • Add continue-on-error: true so the job doesn't fail when an item is already on the board (the action doesn't handle that case gracefully).
  • Expand the pull_request_target security-rationale comment.

Naming cleanup (org project #14 is the FOC board, not "FS"):

  • git mv …-to-fs-project-board.yml…-to-foc-project-board.yml.
  • Update the workflow name: and comments to say "FOC project board".
  • Capitalize the job name prsPRs for consistency.

Why

A recent audit found issues/PRs opened across the org that never made it onto the FOC board because several repos either lacked this workflow or ran an older/issues-only variant. While fixing those repos, the "FS" naming was flagged as confusing (by a Copilot review on foc-gh#11) since the board is FOC. This updates the source of truth so future copies are correct and consistent.

Note

Per the header, this file is manually copied to other repos, so merging this does not auto-propagate. The downstream repos being fixed in parallel (foc-gh#11, foc-observer#74, team-skills#6, security-triage#9) are being updated to match this content and filename.

Backports the current best version of the add-issues-and-prs workflow
(as running in FilOzone/synapse-sdk) into the canonical sample here:

- pin actions/add-to-project to the v2.0.0 commit hash (was v1.0.2)
- add continue-on-error so the job does not fail when an item is
  already on the board
- expand the pull_request_target security rationale comment

Also aligns naming with the board it targets (org project #14 is the
FOC board, not "FS"):

- git mv ...-to-fs-project-board.yml -> ...-to-foc-project-board.yml
- update workflow name and comments to say "FOC project board"
- capitalize the job name "prs" -> "PRs" for consistency

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 6, 2026 19:58
@FilOzzy FilOzzy added this to FOC Jul 6, 2026
@github-project-automation github-project-automation Bot moved this to 📌 Triage in FOC Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

The following access changes will be introduced as a result of applying the plan:

Access Changes
There will be no access changes

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Before merge, verify that all the following plans are correct. After merge, Apply will regenerate the plans from the merged commit and continue only if they match.

Terraform plans

FilOzone
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@BigLep BigLep requested a review from rjan90 July 6, 2026 19:59
@BigLep BigLep moved this from 📌 Triage to 🔎 Awaiting review in FOC Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the canonical “add issues and PRs to project board” workflow template to the latest variant and aligns naming/comments with the org’s FOC project board, so downstream repos that manually copy this file stay consistent and up to date.

Changes:

  • Pin actions/add-to-project to the v2.0.0 commit SHA and add continue-on-error: true to avoid failing when the item is already on the board.
  • Expand pull_request_target security rationale comments.
  • Rename FS → FOC in workflow name/comments and normalize job display text casing.
Comments suppressed due to low confidence (3)

files/workflows/add-issues-and-prs-to-foc-project-board.yml:40

  • continue-on-error: true will suppress all failures from actions/add-to-project (e.g., missing/invalid FILOZZY_CI_ADD_TO_PROJECT, rate limits, API changes), making it easy for the workflow to silently stop adding items. Consider keeping the non-failing behavior but emitting an explicit warning when the action fails so the failure is visible in the run summary/logs.
    files/workflows/add-issues-and-prs-to-foc-project-board.yml:34
  • Because this runs on pull_request_target (with access to secrets), it’s safer to explicitly drop GITHUB_TOKEN permissions unless they’re needed. This workflow uses a PAT secret (FILOZZY_CI_ADD_TO_PROJECT) and doesn’t otherwise require GITHUB_TOKEN, so adding permissions: {} reduces the blast radius if anything unexpected tries to use the default token.
    files/workflows/add-issues-and-prs-to-foc-project-board.yml:14
  • The PR description says the canonical workflow was renamed from …-to-fs-project-board.yml to …-to-foc-project-board.yml, but the repo still contains .github/workflows/add-issues-and-prs-to-fs-project-board.yml, and it links to files/workflows/add-issues-and-prs-to-fs-project-board.yml (which no longer exists). This leaves an FS/FOC mismatch and a stale reference that can confuse future copy/paste updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-project-automation github-project-automation Bot moved this from 🔎 Awaiting review to ✔️ Approved by reviewer in FOC Jul 6, 2026
Addresses review feedback on the FOC project-board workflow:

- Add permissions: {} to the distributable template. The job uses the
  FILOZZY_CI_ADD_TO_PROJECT PAT and not the default GITHUB_TOKEN, so
  dropping its permissions limits blast radius under pull_request_target.
  This matches the hardening already present in github-mgmt's own copy.
- git mv github-mgmt's own .github/workflows copy from ...-to-fs- to
  ...-to-foc-project-board.yml and align its content with the template,
  removing the now-stale link to the renamed files/ path so the two
  copies are identical (github-mgmt dogfoods the template it ships).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@BigLep

BigLep commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the Copilot review points in 38112e4:

  • permissions: {} — added to the distributable template. The job authenticates with the FILOZZY_CI_ADD_TO_PROJECT PAT and doesn't use the default GITHUB_TOKEN, so its permissions are dropped to limit blast radius under pull_request_target. This matches the hardening already present in github-mgmt's own copy.
  • FS/FOC mismatch + stale link — github-mgmt's own active workflow (.github/workflows/add-issues-and-prs-to-fs-project-board.yml) was still FS-named and linked to the files/ path this PR renamed. git mv'd it to …-to-foc-project-board.yml and aligned its content, so the two copies are now byte-identical (github-mgmt dogfoods the template it ships) and no stale references remain.
  • continue-on-error visibility — kept as-is. It's the established behavior (matches synapse-sdk), exists to avoid spurious failures when an item is already on the board, and still surfaces a warning annotation on the run rather than failing fully silently. Can add an explicit warning step if a louder signal is preferred.

@BigLep BigLep merged commit 8138f7f into master Jul 7, 2026
6 checks passed
@github-project-automation github-project-automation Bot moved this from ✔️ Approved by reviewer to 🎉 Done in FOC Jul 7, 2026
@BigLep BigLep self-assigned this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 🎉 Done

Development

Successfully merging this pull request may close these issues.

4 participants