Merged
15 changes: 15 additions & 0 deletions .github/workflows/jira-sync.yml
@@ -0,0 +1,15 @@
name: JIRA Sync

on:
pull_request:
types:
- opened
- edited
- ready_for_review
- converted_to_draft
- closed

jobs:
jira-sync:
Copilot AI Mar 11, 2026

This workflow doesn't set explicit permissions. By default the GITHUB_TOKEN permissions can be broader than necessary depending on org/repo settings, and those permissions may carry into the called reusable workflow. Define minimal required permissions (e.g., contents: read plus only what JIRA sync needs such as pull-requests: read/write) at the workflow or job level.

Suggested change
jira-sync:
jira-sync:
permissions:
contents: read
pull-requests: write

uses: flume/github-actions/.github/workflows/jira-sync.yml@main
Copilot AI Mar 11, 2026

The reusable workflow is referenced with @main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the workflow to an immutable ref (commit SHA, or at least a version tag) to improve supply-chain security and reproducibility.

Suggested change
uses: flume/github-actions/.github/workflows/jira-sync.yml@main
uses: flume/github-actions/.github/workflows/jira-sync.yml@v1

secrets: inherit
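Review bot: the three fixes suggested inline for this hunk (an explicit `permissions:` block, a pinned `uses:` ref, and an explicit `secrets:` mapping instead of `secrets: inherit`) belong together in one change, and two of them can only be finalised against the called workflow's `workflow_call` block, which this diff does not show. First, the secret names: the called workflow's `secrets:` declaration decides whether `JIRA_API_TOKEN` is the right key, and the `GITHUB_TOKEN` entry in the third suggestion is unnecessary because a called reusable workflow receives the token automatically. Second, the scopes: a `permissions:` block on the caller caps what the callee can use, so it must include whatever the jira-sync workflow actually requests. Separately, `@v1` in the second suggestion is a tag and therefore still movable; a full 40-character commit SHA with the tag in a trailing comment is the immutable form.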
Comment on lines +14 to +15

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, about 2 months ago)

To fix the problem, explicitly declare permissions for the workflow or for the jira-sync job so that the GITHUB_TOKEN is restricted to the minimal necessary access. Since this workflow solely delegates to a reusable workflow and we do not see it performing any direct repository operations itself, a safe default is to set contents: read at the top level. This documents that the workflow only needs read access to repository contents (and lets the called reusable workflow further refine permissions if needed).

The best minimal change without altering existing functionality is to add a root-level permissions block between the on: block and the jobs: block. For example, in .github/workflows/jira-sync.yml, after line 10 or 11, add:

permissions:
  contents: read

This will apply to all jobs (here, just jira-sync) which do not have their own permissions block, and will satisfy the CodeQL rule while following the principle of least privilege. No imports or additional methods are needed since this is a YAML configuration change only.

Suggested changeset 1
.github/workflows/jira-sync.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/jira-sync.yml b/.github/workflows/jira-sync.yml
--- a/.github/workflows/jira-sync.yml
+++ b/.github/workflows/jira-sync.yml
@@ -9,6 +9,9 @@
       - converted_to_draft
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   jira-sync:
     uses: flume/github-actions/.github/workflows/jira-sync.yml@main
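Review bot: the workflow-level `contents: read` this patch inserts caps the GITHUB_TOKEN for the `jira-sync` job, and a called reusable workflow can only lower the caller's scopes, never raise them; if the jira-sync workflow writes to the pull request (labels, comments, status), those API calls will fail with a 403 unless `pull-requests: write` is added here too, as the inline Copilot comment on the `jira-sync:` line proposes. Confirm against the called workflow's own `permissions:` before applying. Mechanically the patch is fine: it is a pure insertion between the `on:` and `jobs:` blocks, so it applies cleanly to the file as merged and does not alter the trigger list.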
EOF

Copilot AI Mar 11, 2026

secrets: inherit forwards all repository/environment secrets to the called workflow. That increases blast radius if the reusable workflow is modified or if it doesn't strictly limit what it logs/exports. Prefer explicitly passing only the required secrets, or ensure the reusable workflow is in the same repo and pinned to an immutable ref.

Suggested change
secrets: inherit
secrets:
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

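The three review comments above each flag one property of this workflow file (no `permissions:` block, a `uses:` ref that is not a commit SHA, and `secrets: inherit`). As an added example, not part of this PR or of the flume/github-actions repository, the following dependency-free Python check tests a workflow file for all three. It runs against a constructed copy of the workflow as merged (with the two-space indentation the rendered diff flattened) and against a constructed hardened variant. In that variant the 40-zero commit ref is a placeholder, not a real flume/github-actions commit, and `JIRA_API_TOKEN` is assumed to be the secret name the called workflow declares; the check is line-based rather than a full YAML parser, which is sufficient for standard two-space-indented workflow files.

```python
import re
from typing import List

# Constructed input: the workflow added by this PR, with the two-space YAML
# indentation that the rendered diff flattened.
WORKFLOW_AS_MERGED = """\
name: JIRA Sync

on:
  pull_request:
    types:
      - opened
      - edited
      - ready_for_review
      - converted_to_draft
      - closed

jobs:
  jira-sync:
    uses: flume/github-actions/.github/workflows/jira-sync.yml@main
    secrets: inherit
"""

# Constructed hardened variant applying the three review points. The 40-hex
# ref is a PLACEHOLDER, not a real flume/github-actions commit, and
# JIRA_API_TOKEN is assumed to be the secret the called workflow declares.
WORKFLOW_HARDENED = """\
name: JIRA Sync

on:
  pull_request:
    types: [opened, edited, ready_for_review, converted_to_draft, closed]

permissions:
  contents: read
  pull-requests: write

jobs:
  jira-sync:
    uses: flume/github-actions/.github/workflows/jira-sync.yml@0000000000000000000000000000000000000000  # v1 (placeholder SHA)
    secrets:
      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<target>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^(?P<indent> *)permissions:")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


def unpinned_uses(text: str) -> List[str]:
    """Every `uses:` target whose ref is not a full 40-hex commit SHA.
    Local references (./path) carry no ref and are skipped."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not m.group("target").startswith("./"):
            ref = m.group("target").partition("@")[2]
            if not SHA_RE.match(ref):
                found.append(m.group("target"))
    return found


def has_permissions_block(text: str) -> bool:
    """True if `permissions:` appears at workflow level (column 0) or at job
    level (four spaces in, directly under `jobs:`)."""
    in_jobs = False
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif line and not line[0].isspace():
            in_jobs = False  # some other top-level key
        m = PERMISSIONS_RE.match(line)
        if m and (len(m.group("indent")) == 0 or (in_jobs and len(m.group("indent")) == 4)):
            return True
    return False


def inherits_secrets(text: str) -> bool:
    return any(SECRETS_INHERIT_RE.match(line) for line in text.splitlines())


def audit(text: str) -> List[str]:
    """The three review findings as plain strings; an empty list means clean."""
    findings = []
    if not has_permissions_block(text):
        findings.append("no permissions block: GITHUB_TOKEN keeps the repository default scope")
    for target in unpinned_uses(text):
        findings.append(f"mutable ref in uses: {target} (pin to a commit SHA)")
    if inherits_secrets(text):
        findings.append("secrets: inherit forwards every repository secret to the called workflow")
    return findings


if __name__ == "__main__":
    for label, text in (("as merged", WORKFLOW_AS_MERGED), ("hardened", WORKFLOW_HARDENED)):
        print(f"== {label}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run as a script it reports three findings for the merged file and none for the hardened variant. The SHA test deliberately rejects tags such as `@v1` as well as branches such as `@main`, since both are movable refs; pinning to a SHA and keeping the tag in a trailing comment is what lets a dependency-update tool bump the pin without losing readability.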