
ci: Lint pull request descriptions for a linked issue #7648

Draft
c-warren wants to merge 2 commits into cadence-workflow:master from c-warren:cwarren/lint_for_issues

Conversation

@c-warren (Contributor) commented Jan 28, 2026

What changed?
Adds a linting GitHub action that checks for an associated GitHub issue.

Why?
Associating fixes and feature development with a GitHub issue should make tracking the delivery of features in cadence (and associated repositories) easier for customers, release engineers, and devs. It should also increase the transparency of the product and its roadmap by ensuring issues are proactively created.

How did you test it?

Being tested via this branch.

Potential risks

N/A

Release notes

N/A

Documentation Changes

This should also be added to our contributing guidelines.

@c-warren c-warren changed the title ci: Lint pull request descriptions for a linked issue noooo conventional commit Lint pull request descriptions for a linked issue Jan 28, 2026
@gitar-bot gitar-bot bot changed the title noooo conventional commit Lint pull request descriptions for a linked issue ci: Lint pull request descriptions for a linked issue Jan 28, 2026
@c-warren c-warren changed the title ci: Lint pull request descriptions for a linked issue ci[\: Lint pull request descriptions for a linked issue Jan 28, 2026
@gitar-bot gitar-bot bot changed the title ci[\: Lint pull request descriptions for a linked issue ci: Lint pull request descriptions for a linked issue Jan 28, 2026

- name: Check for linked issues
if: steps.should_skip.outputs.skip != 'true'
uses: nearform-actions/github-action-check-linked-issues@v1
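Review bot: the `uses:` line references the action by the mutable `v1` tag, and because this workflow is triggered by pull_request_target the step runs with the base repository's GITHUB_TOKEN; pin it to a full 40-character commit SHA and keep the tag in a trailing comment, e.g. `uses: nearform-actions/github-action-check-linked-issues@<full-commit-sha> # v1`, so that Dependabot or Renovate can bump the SHA when a new release is cut. The `if:` condition also depends on a step with `id: should_skip` that is not in this snippet; make sure that step is defined in the same job, otherwise the expression evaluates to an empty string and the check always runs.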

⚠️ Security: Pin third-party action to commit SHA, not mutable tag

The workflow uses nearform-actions/github-action-check-linked-issues@v1 pinned to a mutable major version tag. Combined with pull_request_target trigger (which grants write access to the repo and runs with the base branch's secrets), this creates a supply chain risk. If the nearform-actions repository is compromised, an attacker could push a malicious update under the v1 tag, and this workflow would execute it with write access to pull-requests and read access to issues, plus the GITHUB_TOKEN.

The semantic-pr.yml workflow in this repo already uses a more specific version pin (@v5.4.0), but even minor version tags are mutable. For workflows triggered by pull_request_target with write permissions, GitHub's security guidance recommends pinning to a full commit SHA.

Impact: A compromised third-party action could use the GITHUB_TOKEN to modify PRs, post misleading comments, or exfiltrate issue data. While GITHUB_TOKEN is scoped, write access to pull-requests is still sensitive.

Suggested fix:

        uses: nearform-actions/github-action-check-linked-issues@v1 # TODO: pin to full commit SHA for supply chain security

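The finding above is the kind of check worth automating across all workflow files. The script below is an added example (not part of this PR, the Cadence repository, or the nearform action): it scans workflow YAML with a simple line-based parser (no PyYAML dependency) and reports every `uses:` that references an action by tag or branch rather than a full commit SHA, raising the severity when the file is triggered by pull_request_target, and flagging a pull_request_target workflow that has no explicit `permissions:` block. The sample workflow, the action name `example/pinned-action`, and the `trusted_owners` default are constructed for the example.

```python
"""Lint GitHub Actions workflow text for mutable third-party action refs.

Added example, not code from the Cadence PR or from nearform-actions.
Line-based on purpose so it runs with the standard library only.
"""
import re

# A 40-hex ref is an immutable commit id; anything else (tag, branch) can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Matches `pull_request_target:` as a mapping key or as an item of `on: [...]`.
TRIGGER_RE = re.compile(r"(^|[\[\s,])pull_request_target\s*(:|,|\]|$)")
PERMS_RE = re.compile(r"^\s*permissions\s*:")

# Constructed sample, modelled on the snippet quoted in the PR review.
SAMPLE_WORKFLOW = """\
# constructed sample, modelled on the snippet quoted in the PR review
name: Check linked issues
on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize]
    branches: [master]
permissions:
  pull-requests: write
  issues: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
      - name: Check for linked issues
        uses: nearform-actions/github-action-check-linked-issues@v1
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567 # v2.0.0
"""


def parse_uses(ref):
    """Split 'owner/repo[/path]@ref' into (action, ref).

    Local ('./x') and docker:// actions have no remote ref to pin -> (ref, None).
    A missing '@' yields ref '' so the caller can flag it.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, None
    if "@" not in ref:
        return ref, ""
    action, _, version = ref.rpartition("@")
    return action, version


def lint_workflow(text, trusted_owners=("actions",)):
    """Return [(severity, line_no, message)] for one workflow file's text.

    line_no 0 is used for file-level findings.
    """
    lines = [l.split("#", 1)[0] for l in text.splitlines()]  # drop YAML comments
    pr_target = any(TRIGGER_RE.search(l) for l in lines)
    findings = []
    if pr_target and not any(PERMS_RE.match(l) for l in lines):
        findings.append(("high", 0, "pull_request_target workflow has no explicit permissions: block"))
    for no, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, version = parse_uses(m.group(1))
        if version is None or SHA_RE.match(version):
            continue  # nothing to pin, or already pinned to a commit
        if version == "":
            findings.append(("high", no, f"{action}: missing @ref"))
            continue
        if action.split("/")[0] in trusted_owners:
            sev = "low"      # first-party GitHub action: still pin, lower urgency
        elif pr_target:
            sev = "high"     # third-party code running with the base repo's token
        else:
            sev = "medium"
        findings.append((sev, no, f"{action}@{version} is a mutable ref; pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for sev, no, msg in lint_workflow(SAMPLE_WORKFLOW):
        print(f"[{sev}] line {no}: {msg}")
```

Running it on the sample reports the `v7` and `v1` refs and stays silent on the SHA-pinned step; wiring it into CI as a pre-merge check on `.github/workflows/*.yml` is the usual way to keep new workflows from regressing.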

Comment on lines +4 to +11
pull_request_target:
types:
- opened
- edited
- reopened
- synchronize
branches:
- master
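Review bot: with pull_request_target and the `edited` and `synchronize` types, every description edit and every push to a fork PR runs this workflow in the base-repository context with the base branch's secrets, so the job should declare an explicit least-privilege `permissions:` block (only `pull-requests: write` and `issues: read` are needed here) and must not check out or execute anything from the PR head; the linked-issue check needs only the event payload. Note that `branches: - master` filters on the base branch for this trigger, which is what is intended here.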

💡 Edge Case: Duplicate bot comments on every PR edit/synchronize event

The workflow triggers on edited and synchronize events in addition to opened and reopened. With comment: true configured on the linked-issues action, a new warning comment may be posted each time the PR description is edited or new commits are pushed — even if the contributor is actively trying to add the issue link. This could result in multiple duplicate bot comments cluttering the PR conversation.

The nearform-actions/github-action-check-linked-issues action may handle deduplication internally (some versions do), but it's worth verifying this behavior. If it doesn't deduplicate, consider either:

  1. Removing the edited and synchronize triggers (keep only opened and reopened)
  2. Or adding a step that checks for an existing bot comment before the action runs

This is a minor UX concern since the workflow is warning-only.

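Option 2 in the finding above (check for an existing bot comment before posting) is usually implemented by tagging the bot's comment with a hidden marker and matching on author plus marker. The function below is an added example, not code from the nearform action or from this repository: it takes the comment list in the shape the GitHub REST API returns (`id`, `body`, `user.login`) and returns the one action to take, so repeated `edited`/`synchronize` runs never post a second warning and a stale warning is removed once the contributor has linked an issue. The API calls, the marker string, the warning text and the sample comments are all constructed for the example; `has_linked_issue` is passed in rather than computed here.

```python
"""Idempotent warning comments for a linked-issue check.

Added example, not the nearform action's code or the Cadence repo's.
"""
# Hidden HTML comment so the bot can find its own comment on later runs.
MARKER = "<!-- linked-issue-check -->"
WARNING = MARKER + "\nNo linked issue found. Please add `Closes #<issue>` to the description."


def find_marker_comment(comments, bot_login):
    """Return the bot's own marker comment, or None.

    Matching on the author as well as the marker keeps an ordinary user from
    suppressing the check by pasting the marker into their own comment.
    """
    for c in comments:
        if c["user"]["login"] == bot_login and MARKER in c["body"]:
            return c
    return None


def plan_comment(comments, has_linked_issue, bot_login="github-actions[bot]"):
    """Decide what the workflow should do on this run.

    Returns ('create', body) | ('delete', comment_id) | ('noop', None).
    """
    existing = find_marker_comment(comments, bot_login)
    if has_linked_issue:
        # Issue is linked now: remove a stale warning, otherwise nothing to do.
        return ("delete", existing["id"]) if existing else ("noop", None)
    if existing:
        return ("noop", None)  # warning already posted; do not duplicate it
    return ("create", WARNING)


# Constructed sample comments in the REST API's shape.
SAMPLE_COMMENTS = [
    {"id": 1, "body": "Nice work!", "user": {"login": "alice"}},
    {"id": 2, "body": WARNING, "user": {"login": "github-actions[bot]"}},
]

if __name__ == "__main__":
    print(plan_comment(SAMPLE_COMMENTS, has_linked_issue=False))  # noop: already warned
    print(plan_comment(SAMPLE_COMMENTS, has_linked_issue=True))   # delete the stale warning
```

The caller maps `create` to `POST /repos/{owner}/{repo}/issues/{number}/comments` and `delete` to `DELETE /repos/{owner}/{repo}/issues/comments/{id}`, both of which the `pull-requests: write` permission already covers.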

@gitar-bot (bot) commented Feb 17, 2026

Code Review ⚠️ Changes requested 0 resolved / 2 findings

Clean workflow implementation with one supply chain security concern: the third-party action should be pinned to a commit SHA rather than a mutable version tag, especially given the pull_request_target trigger with write permissions.

⚠️ Security: Pin third-party action to commit SHA, not mutable tag

📄 .github/workflows/check-linked-issues.yml:52 🔗 GitHub: Security hardening for GitHub Actions

💡 Edge Case: Duplicate bot comments on every PR edit/synchronize event

📄 .github/workflows/check-linked-issues.yml:4-11


