
Create PR triaging action #32954

Open
mathesoncalum wants to merge 2 commits into musescore:master from mathesoncalum:triage_prs

Conversation

@mathesoncalum
Contributor

Automatically adds community PRs to an internal triaging project.

@mathesoncalum mathesoncalum requested a review from Eism April 8, 2026 15:24
@coderabbitai

coderabbitai bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: accc8986-3e29-455f-a4d7-93c9748e282d

📥 Commits

Reviewing files that changed from the base of the PR and between 10af6f9 and b61c583.

📒 Files selected for processing (2)
  • .github/team_members.yml
  • .github/workflows/triage_prs.yml

📝 Walkthrough

Walkthrough

Adds .github/team_members.yml, a config file containing a top-level team_members key with an ordered list of GitHub account identifiers (usernames and bot accounts). Adds .github/workflows/triage_prs.yml, a GitHub Actions workflow named "PR Triager" triggered on pull_request_target events of type opened. The workflow extracts the PR author's login, checks it against team_members, sets should_add output when absent, and conditionally invokes actions/add-to-project@main with ADD_TO_PROJECT_PAT to add the PR to a specified Projects board.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The description is minimal and does not follow the required template structure with sections like issue resolution, motivation, and completion checkboxes. Resolution: provide a complete description following the template: include issue number, detailed motivation, and check off applicable checkboxes for CLA, code guidelines, testing, and commit quality.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The title accurately describes the main change: adding a new GitHub Actions workflow for automated PR triaging.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/triage_prs.yml:
- Around line 6-9: The workflow grants unnecessary broad permission via the permissions block—specifically the issues: write entry; remove or reduce that scope to least privilege by deleting the issues: write line (or set issues: none) while keeping only the needed permissions (e.g., pull-requests: read and contents: read) so the permissions block contains no higher-than-required rights.
- Around line 19-20: The grep used to check PR_AUTHOR currently allows regex interpretation and is case-sensitive; update the check that references PR_AUTHOR so it uses fixed-string and case-insensitive matching (add grep flags -F and -i, and keep -x and -q for exact/quiet match) to avoid false negatives for usernames like dependabot[bot]; modify the conditional that calls grep for "  - $PR_AUTHOR" accordingly so it uses fixed-string, case-insensitive matching.
- Line 15: The workflow is using the mutable ref actions/add-to-project@main which weakens supply-chain integrity; update the GitHub Actions step that references actions/add-to-project@main to pin it to the specific commit SHA 244f685bbc3b7adfa8466e08b698b5577571133e (i.e., use actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e) so the action is immutable and reproducible while leaving actions/checkout@v6 unchanged.
- Around line 2-4: Change the workflow trigger from pull_request to pull_request_target so the job runs in the base-repo context and can access repository secrets (e.g., secrets.ADD_TO_PROJECT_PAT) for forked PRs; update the on: block (the existing pull_request types: [opened] entry and the other pull_request uses at lines referenced) to use pull_request_target with the same types array (e.g., types: [opened]) and verify any workflow steps that assume head repo checkout still use actions/checkout with ref and persist-credentials: false or use a separate checkout for the forked PR content to maintain security.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 574cc44c-c12d-4384-92bc-bf6fe595358f

📥 Commits

Reviewing files that changed from the base of the PR and between 3c5fb26 and 4564730.

📒 Files selected for processing (2)
  • .github/team_members.yml
  • .github/workflows/triage_prs.yml
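The membership check the review flags (line 19-20 finding), as an added example that is not the PR's workflow code: the naive grep beside the hardened -Fxiq form, run against a constructed team_members.yml in the shape the walkthrough describes. The file contents, function names and the should_add helper are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for .github/team_members.yml (a top-level team_members
# key over a list of logins, as the walkthrough describes); not the real file.
TEAM_FILE="$(mktemp)"
trap 'rm -f "$TEAM_FILE"' EXIT
cat > "$TEAM_FILE" <<'EOF'
team_members:
  - mathesoncalum
  - Eism
  - dependabot[bot]
EOF

# Naive check, as the review describes it: the login is treated as a regular
# expression and compared case-sensitively. "dependabot[bot]" becomes the
# bracket expression [bot], so the real "  - dependabot[bot]" line never matches.
naive_is_member() {
  grep -xq "  - $1" "$TEAM_FILE"
}

# Hardened check: -F fixed string (no regex), -x whole line, -i case-insensitive,
# -q quiet. The leading "  - " keeps the match to YAML list entries only.
is_member() {
  grep -Fxiq "  - $1" "$TEAM_FILE"
}

# Mirrors the workflow's should_add output: authors absent from the list are
# community contributors and get added to the triage project; team members are skipped.
should_add() {
  if is_member "$1"; then echo false; else echo true; fi
}

# Stand-alone demo; in the workflow $PR_AUTHOR comes from the event payload.
for author in mathesoncalum eism 'dependabot[bot]' newcontributor; do
  printf '%s -> should_add=%s (naive check says member: %s)\n' "$author" \
    "$(should_add "$author")" "$(naive_is_member "$author" && echo yes || echo no)"
done
```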

add_to_projects:
runs-on: ubuntu-slim
steps:
- uses: actions/checkout@v6
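Review bot: The `- uses: actions/checkout@v6` step has no `with:` block, which is the right shape for a job that only needs to read `.github/team_members.yml` from the base branch: under `pull_request_target` a bare checkout fetches the base repository rather than the fork's head, so keep it that way and do not add `ref: ${{ github.event.pull_request.head.sha }}`. Since the job never pushes, also consider `persist-credentials: false` (the hardening the review prompt above mentions) so the token is not left in `.git/config` for later steps.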

@coderabbitai coderabbitai bot Apr 8, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking actions/checkout tag v6..."
gh api repos/actions/checkout/git/matching-refs/tags/v6 | jq 'length'

echo "Listing latest actions/checkout releases..."
gh api repos/actions/checkout/releases --paginate | jq -r '.[].tag_name' | head -n 10

echo "Checking add-to-project published tags..."
gh api repos/actions/add-to-project/git/matching-refs/tags | jq -r '.[].ref' | head -n 20

echo "Checking add-to-project default branch head..."
gh api repos/actions/add-to-project | jq -r '.default_branch, .pushed_at'

Repository: musescore/MuseScore

Length of output: 148


🏁 Script executed:

cat .github/workflows/triage_prs.yml

Repository: musescore/MuseScore

Length of output: 855


🌐 Web query:

actions/checkout v6 release tag GitHub Actions

💡 Result:

  • Release tag for the v6 major line: actions/checkout@v6 (the moving major tag) — currently points to the same commit as v6.0.2 (dated Jan 9, 2026). [1]
  • Current latest v6 patch tag (as of Jan 9, 2026): actions/checkout@v6.0.2. [1]
  • Example usage in a workflow:
    - uses: actions/checkout@v6
    # or pin:
    - uses: actions/checkout@v6.0.2
    [2]

Sources: [1] actions/checkout tags page, [2] actions/checkout repository README.


🌐 Web query:

actions/add-to-project GitHub Action mutable refs immutable security

💡 Result:

  • In uses: actions/add-to-project@…, the part after @ is a git ref (branch, tag, or commit SHA). Branches and tags are mutable pointers (they can be force-moved), so a workflow pinned to @main or even @v1.0.2 can be changed to run different code later if that ref is moved. GitHub’s security guidance is to pin third-party actions to a full-length commit SHA to make the dependency immutable. [1]
  • For actions/add-to-project, the most recent release shown is v1.0.2 (Jun 24, 2024), which points at commit 244f685bbc3b7adfa8466e08b698b5577571133e. To make the reference immutable, use:
    • uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e (optionally add a comment like # v1.0.2). [2]
  • If you maintain an action, GitHub also documents “immutable releases and tags” patterns—but note that git tags themselves can still be moved, so consumers who need immutability should still pin by SHA. [3]
  • At the platform/governance level, GitHub added policy controls that support enforcing SHA pinning / blocking unpinned actions, to reduce supply-chain risk from compromised or retagged actions. [4]

Sources: GitHub Actions security hardening guidance [1], actions/add-to-project release/commit reference [2], GitHub docs on immutable releases/tags [3], GitHub Changelog on SHA-pinning policy controls [4].

[1] (docs.github.com)
[2] (github.com)
[3] (docs.github.com)
[4] (github.blog)


Pin actions/add-to-project to a full commit SHA for supply-chain integrity.

actions/add-to-project@main is mutable and weakens supply-chain integrity. The latest release is v1.0.2 (June 24, 2024), which points to 244f685bbc3b7adfa8466e08b698b5577571133e. Pin it to the full commit SHA instead of using the @main branch.

🔧 Proposed fix
-        uses: actions/add-to-project@main
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e
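Review bot: If the `+` line is adopted, append a version comment after the SHA (`# v1.0.2`, as the web-query result above suggests) so the pinned commit stays readable in review and dependency-update tooling can recognise which release it corresponds to.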

Note: actions/checkout@v6 is a valid published ref and does not require changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/triage_prs.yml at line 15, The workflow is using the mutable ref actions/add-to-project@main which weakens supply-chain integrity; update the GitHub Actions step that references actions/add-to-project@main to pin it to the specific commit SHA 244f685bbc3b7adfa8466e08b698b5577571133e (i.e., use actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e) so the action is immutable and reproducible while leaving actions/checkout@v6 unchanged.

Contributor Author


I'm not sure we should be terribly worried about this. We do the same in triage_issues.yml:

uses: actions/add-to-project@main



@mathesoncalum, that's a fair point — consistency with the existing triage_issues.yml is a reasonable justification, and the risk is low given that actions/add-to-project is a first-party GitHub action maintained by the GitHub org itself. I'll note this for future reviews.

(´• ω •`) 🐇


✏️ Learnings added
Learnt from: mathesoncalum
Repo: musescore/MuseScore PR: 32954
File: .github/workflows/triage_prs.yml:14-14
Timestamp: 2026-04-08T15:43:32.666Z
Learning: In the musescore/MuseScore repository, the workflow files under `.github/workflows/` intentionally use `actions/add-to-project@main` (mutable ref) rather than pinning to a full commit SHA. This is a deliberate, consistent pattern established in `triage_issues.yml` and `triage_prs.yml`. Do not flag this as a supply-chain security issue in future reviews for this repository.

