18 changes: 18 additions & 0 deletions .github/team_members.yml
@@ -0,0 +1,18 @@
team_members:
- ajuncosa
- alexpavlov96
- davidstephengrant
- dependabot[bot]
- eism
- github-actions[bot]
- grliszas14
- IgorKorsukov
- kryksyh
- luapmartin
- mathesoncalum
- miiizen
- mike-spa
- mikekirin
- RomanPudashkin
- shoogle
- zacjansheski
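Review bot: this list is consumed only by a fixed-string, whole-line grep in triage_prs.yml (`grep -Fqxi " - $PR_AUTHOR"`), so its format is load-bearing in a way the file does not say. A leading comment stating that every entry must stay in the exact `- login` list form the grep expects (one entry per line, the same indentation as today, no trailing comments or quotes) would prevent a later reformat, or a `"login"` quoted entry, from silently turning a team member's PRs into "community" PRs without any error. Also worth a line in that comment: matching is case-insensitive, so capitalisation differences such as `IgorKorsukov` are fine.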
27 changes: 27 additions & 0 deletions .github/workflows/triage_prs.yml
@@ -0,0 +1,27 @@
name: PR Triager
on:
pull_request_target:
types: [opened]

permissions:
pull-requests: read
contents: read

jobs:
add_to_projects:
runs-on: ubuntu-slim
steps:
- uses: actions/checkout@v6

@coderabbitai coderabbitai bot Apr 8, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking actions/checkout tag v6..."
gh api repos/actions/checkout/git/matching-refs/tags/v6 | jq 'length'

echo "Listing latest actions/checkout releases..."
gh api repos/actions/checkout/releases --paginate | jq -r '.[].tag_name' | head -n 10

echo "Checking add-to-project published tags..."
gh api repos/actions/add-to-project/git/matching-refs/tags | jq -r '.[].ref' | head -n 20

echo "Checking add-to-project default branch head..."
gh api repos/actions/add-to-project | jq -r '.default_branch, .pushed_at'

Repository: musescore/MuseScore

Length of output: 148


🏁 Script executed:

cat .github/workflows/triage_prs.yml

Repository: musescore/MuseScore

Length of output: 855


🌐 Web query:

actions/checkout v6 release tag GitHub Actions

💡 Result:

  • Release tag for the v6 major line: actions/checkout@v6 (the moving major tag) — currently points to the same commit as v6.0.2 (dated Jan 9, 2026). [1]
  • Current latest v6 patch tag (as of Jan 9, 2026): actions/checkout@v6.0.2. [1]
  • Example usage in a workflow:
    - uses: actions/checkout@v6
    # or pin:
    - uses: actions/checkout@v6.0.2
    [2]

Sources: [1] actions/checkout tags page, [2] actions/checkout repository README.


🌐 Web query:

actions/add-to-project GitHub Action mutable refs immutable security

💡 Result:

  • In uses: actions/add-to-project@…, the part after @ is a git ref (branch, tag, or commit SHA). Branches and tags are mutable pointers (they can be force-moved), so a workflow pinned to @main or even @v1.0.2 can be changed to run different code later if that ref is moved. GitHub’s security guidance is to pin third-party actions to a full-length commit SHA to make the dependency immutable. [1]
  • For actions/add-to-project, the most recent release shown is v1.0.2 (Jun 24, 2024), which points at commit 244f685bbc3b7adfa8466e08b698b5577571133e. To make the reference immutable, use:
    • uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e (optionally add a comment like # v1.0.2). [2]
  • If you maintain an action, GitHub also documents “immutable releases and tags” patterns—but note that git tags themselves can still be moved, so consumers who need immutability should still pin by SHA. [3]
  • At the platform/governance level, GitHub added policy controls that support enforcing SHA pinning / blocking unpinned actions, to reduce supply-chain risk from compromised or retagged actions. [4]

Sources: GitHub Actions security hardening guidance [1], actions/add-to-project release/commit reference [2], GitHub docs on immutable releases/tags [3], GitHub Changelog on SHA-pinning policy controls [4].

[1] (docs.github.com)
[2] (github.com)
[3] (docs.github.com)
[4] (github.blog)

Pin actions/add-to-project to a full commit SHA for supply-chain integrity.

actions/add-to-project@main is mutable and weakens supply-chain integrity. The latest release is v1.0.2 (June 24, 2024), which points to 244f685bbc3b7adfa8466e08b698b5577571133e. Pin it to the full commit SHA instead of using the @main branch.

🔧 Proposed fix
-        uses: actions/add-to-project@main
+        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e

Note: actions/checkout@v6 is a valid published ref and does not require changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/triage_prs.yml at line 15, The workflow is using the
mutable ref actions/add-to-project@main which weakens supply-chain integrity;
update the GitHub Actions step that references actions/add-to-project@main to
pin it to the specific commit SHA 244f685bbc3b7adfa8466e08b698b5577571133e
(i.e., use actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e) so
the action is immutable and reproducible while leaving actions/checkout@v6
unchanged.
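An added example, not MuseScore's code and not part of the review thread above: a small audit script in the spirit of the pinning discussion. It classifies each `uses:` reference in a workflow file as a full commit SHA, a version tag or a branch, fails when any mutable reference is present, and rewrites one action to a SHA while keeping the tag as a trailing comment (the shape of the bot's proposed fix). The sample workflow it writes is constructed to mirror the two refs discussed here; the `actions/add-to-project` SHA is the one quoted in the review, and any other SHA you pass to `pin_action` is assumed to have been resolved separately (for example with `gh api`), which this script does not do.

```bash
#!/usr/bin/env bash
# Added example: audit and pin `uses:` refs in a GitHub Actions workflow.
# Not project code; the sample workflow below is constructed for the demo.

# classify_ref REF -> prints "sha", "tag" or "branch".
# A 40-char lowercase hex string is a commit SHA (the only immutable form).
# "v6", "v1.0.2", "2.1" are treated as version tags; anything else is
# treated as a branch-like mutable pointer. Tags are mutable too; the
# distinction that matters for policy is sha vs. not-sha.
classify_ref() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'; then
    echo sha
  elif printf '%s\n' "$1" | grep -Eq '^v?[0-9]+(\.[0-9]+)*$'; then
    echo tag
  else
    echo branch
  fi
}

# audit_workflow FILE -> prints "owner/repo@ref kind" for every uses: line
# (trailing "# comment" stripped) and returns 1 if any ref is not a SHA.
audit_workflow() {
  file=$1
  rc=0
  specs=$(sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^#[:space:]]+).*/\1/p' "$file")
  while IFS= read -r spec; do
    [ -n "$spec" ] || continue
    ref=${spec##*@}
    kind=$(classify_ref "$ref")
    printf '%s %s\n' "$spec" "$kind"
    [ "$kind" = sha ] || rc=1
  done <<EOF
$specs
EOF
  return $rc
}

# pin_action FILE ACTION SHA TAG -> prints FILE with every
# "uses: ACTION@<anything>" rewritten to "uses: ACTION@SHA # TAG".
# The caller is responsible for resolving TAG to SHA beforehand.
pin_action() {
  file=$1; action=$2; sha=$3; tag=$4
  sed -E "s|(uses:[[:space:]]*)${action}@[^[:space:]]+.*|\1${action}@${sha} # ${tag}|" "$file"
}

# write_sample_workflow PATH -> constructed sample with one tag ref, one
# branch ref and one SHA ref (the add-to-project SHA quoted in the review).
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: sample triage
on:
  pull_request_target:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/add-to-project@main
      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
EOF
}

# demo -> audits the constructed sample; returns 1 because two of the three
# refs are mutable, after printing the classification table.
demo() {
  d=$(mktemp -d)
  write_sample_workflow "$d/triage.yml"
  audit_workflow "$d/triage.yml"
  status=$?
  rm -rf "$d"
  return "$status"
}
```

Run `demo` to see the table; in CI you would call `audit_workflow` on each file under `.github/workflows/` and fail the job on a non-zero status. The rewrite is deliberately dumb text substitution so it never changes anything other than the ref of the action you name, and it is idempotent: running it on an already pinned line leaves the line unchanged.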

Contributor Author

I'm not sure we should be terribly worried about this. We do the same in triage_issues.yml:

uses: actions/add-to-project@main


@mathesoncalum, that's a fair point — consistency with the existing triage_issues.yml is a reasonable justification, and the risk is low given that actions/add-to-project is a first-party GitHub action maintained by the GitHub org itself. I'll note this for future reviews.

(´• ω •`) 🐇


✏️ Learnings added
Learnt from: mathesoncalum
Repo: musescore/MuseScore PR: 32954
File: .github/workflows/triage_prs.yml:14-14
Timestamp: 2026-04-08T15:43:32.666Z
Learning: In the musescore/MuseScore repository, the workflow files under `.github/workflows/` intentionally use `actions/add-to-project@main` (mutable ref) rather than pinning to a full commit SHA. This is a deliberate, consistent pattern established in `triage_issues.yml` and `triage_prs.yml`. Do not flag this as a supply-chain security issue in future reviews for this repository.


- name: Check PR author
id: check_author
run: |
PR_AUTHOR="${{ github.event.pull_request.user.login }}"
if ! grep -Fqxi " - $PR_AUTHOR" .github/team_members.yml; then
echo "should_add=true" >> $GITHUB_OUTPUT
fi
- name: "Add community PR to triaging project"
if: steps.check_author.outputs.should_add == 'true'
uses: actions/add-to-project@main
with:
project-url: https://github.com/orgs/musescore/projects/117
github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
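Review bot: in the "Check PR author" step the untrusted value `${{ github.event.pull_request.user.login }}` is expanded directly into the `run:` script of a `pull_request_target` job, which is the pattern GitHub's hardening guide tells you to avoid in workflows that hold secrets (this one exposes `ADD_TO_PROJECT_PAT`). GitHub logins are restricted to letters, digits and hyphens today, so this is not exploitable as written, but the safe form costs nothing and survives any future change to that rule: put the value in `env:` (`env: PR_AUTHOR: ${{ github.event.pull_request.user.login }}`) and read `"$PR_AUTHOR"` in the script. Two smaller points on the same hunk: the `actions/checkout@v6` step relies on the `pull_request_target` default of checking out the base branch, which is exactly what keeps a PR from editing `team_members.yml` to dodge triage, so a one-line comment saying "do not add `ref:` pointing at the PR head here" would protect that property; and the membership test `grep -Fqxi " - $PR_AUTHOR"` is a whole-line fixed-string match that depends on the exact indentation of `team_members.yml`, so a reformat of that file would silently make every PR look like a community PR rather than fail loudly (a `yq`-style parse, or an explicit `else echo "should_add=false"` plus a log line naming the matched/unmatched author, would make the failure visible).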