
Feat: Severity Priority Sync Script #76

Open

tmikula-dev wants to merge 2 commits into master from feature/project-prio-sync-script

Feat: Severity Priority Sync Script#76
tmikula-dev wants to merge 2 commits into
masterfrom
feature/project-prio-sync-script

Conversation

tmikula-dev (Collaborator) commented Jun 11, 2026

Overview

This pull request adds a new script, scripts/sync_project_priorities.py, which provides a command-line tool to synchronize GitHub ProjectV2 "Priority" fields based on the severity of security issues in a repository. The script is designed to be run manually when automated pipelines cannot update project boards due to token or organization restrictions.

Release Notes

  • Feat: Severity Priority Sync Script

Related

Closes #75

Summary by CodeRabbit

  • New Features
    • Added automated project priority synchronization tool that syncs from issue severity metadata, with configurable mapping options and dry-run mode for safe testing.

@tmikula-dev tmikula-dev self-assigned this Jun 11, 2026
@tmikula-dev tmikula-dev added the enhancement New feature or request label Jun 11, 2026
coderabbitai (Bot) commented Jun 11, 2026

Review Change Stack

Warning

Review limit reached

@tmikula-dev, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 45 minutes and 22 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bcfd50ae-1db2-4fc6-ac26-4223367a12fc

📥 Commits

Reviewing files that changed from the base of the PR and between d2533da and c161667.

📒 Files selected for processing (1)
  • scripts/security/sync_project_priorities.py

Walkthrough

A new executable script scripts/sync_project_priorities.py was added to synchronize GitHub ProjectV2 Priority field values from scope:security issue severity metadata. The script accepts repository, project board number, severity-to-priority mapping, optional project organization override, and --dry-run flag via CLI; validates required environment and input format; fetches all open scope:security issues; loads the ProjectV2 priority field; enqueues priority updates for issues with mapped severity values; and performs batch update via ProjectPrioritySync.

Changes

Project Priority Sync Implementation

  • Script Documentation and Imports (scripts/sync_project_priorities.py): Module docstring describes the script's purpose, requirements, and usage. Python module setup modifies sys.path for repo-root execution and imports helper APIs for issue listing, ProjectV2 field access/sync, severity-priority parsing, and secmeta loading.
  • Argument Parsing and Input Validation (scripts/sync_project_priorities.py): CLI argument parser wired for repo, project board number, severity→priority mapping string, optional project organization override, and --dry-run flag. Validation helpers enforce the GH_TOKEN environment requirement, owner/repo repository format, and at least one valid severity→priority pair. Logging is configured with timestamps and emits a --dry-run notification.
  • Main Sync Execution and Module Entry (scripts/sync_project_priorities.py): Main function orchestrates argument parsing, input validation, and ProjectV2 org derivation; fetches all open scope:security issues; loads ProjectV2 priority field metadata; iterates issues to extract secmeta severity and enqueues priority updates when severity is mapped; logs enqueue statistics and returns early when nothing is queued; flushes the batch sync to resolve node IDs, add/update ProjectV2 items, and perform updates; exits with status 0. Standard module entrypoint runs main and propagates the exit code.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A script hops in with certainty,
Syncing severities with priority,
Security issues get their due place,
On the board with grace and pace,
From low to critical, mapped just right! 🎯

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'Feat: Severity Priority Sync Script' accurately summarizes the main change: adding a new script to synchronize GitHub ProjectV2 priority fields from issue severities.
  • Description check: ✅ Passed. The pull request description includes all required template sections: Overview, Release Notes, and Related (linked issue #75), with clear and specific information.
  • Linked Issues check: ✅ Passed. The PR successfully implements all acceptance criteria from issue #75: adds a single severity-priority sync script with no other logic changes, placed in scripts/sync_project_priorities.py.
  • Out of Scope Changes check: ✅ Passed. All changes are in-scope; only the new sync_project_priorities.py script was added with no modifications to existing codebase logic.


coderabbitai (Bot) left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/sync_project_priorities.py`:
- Line 189: The public entrypoint function main is missing a Google-style
docstring; add a docstring above def main(argv: list[str] | None = None) -> int
that briefly describes its purpose (synchronizing GitHub ProjectV2 Priority from
security issue severity), explains the argv parameter behavior (None uses
sys.argv[1:]), and states the return value semantics (0 for success, non-zero
for errors), following the Google-style format with short description, Args, and
Returns sections.
- Around line 1-293: The file scripts/sync_project_priorities.py fails Black
formatting in CI; run the project's formatter and commit the changes. Fix by
running the project's standard Black command (e.g. black --write
scripts/sync_project_priorities.py or black scripts/sync_project_priorities.py),
verify formatting touches the top-level functions like _parse_args,
_setup_logging, main and the module docstring remain correct, then stage and
commit the reformatted file before pushing so CI passes.
- Line 181: Replace the Unicode EN DASH (–, U+2013) with a standard ASCII
hyphen-minus (-) in the logging messages in scripts/sync_project_priorities.py;
locate the logging.info/logging.warning calls that print "DRY-RUN mode – no
changes will be written to GitHub.", the message containing "found – nothing to
sync.", the message with "secmeta – skipped.", the "priority-map – skipped."
message, and the "sync – all issues..." message and update each string to use
"-" instead of "–" so all log output uses the regular hyphen.
- Around line 173-181: Add a module-level logger by calling
logging.getLogger(__name__) (e.g., logger = logging.getLogger(__name__)) near
the top of the file and keep logging.basicConfig in _setup_logging; then replace
all direct root-logger calls (logging.info/debug/warning/error) with
logger.info/debug/warning/error and ensure every message is prefixed with a
domain string like "Sync - " (or "Priority - " where more appropriate). Update
the _setup_logging function and every logging call referenced (including calls
on lines listed in the review: 181, 206-208, 213, 218, 221, 226, 237-240, 256,
262, 272-276, 280, 288) to use the module-level logger and the "Sync - " prefix
so messages follow the required format.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c77d1e20-bf71-43b0-8da6-8df0b8932c2a

📥 Commits

Reviewing files that changed from the base of the PR and between 8737f56 and d2533da.

📒 Files selected for processing (1)
  • scripts/sync_project_priorities.py

Comment thread scripts/sync_project_priorities.py Outdated
Comment on lines +173 to +181
def _setup_logging(dry_run: bool) -> None:
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s %(levelname)-8s %(message)s",
        datefmt="%Y-%m-%d %H:%M:%S",
        stream=sys.stdout,
    )
    if dry_run:
        logging.info("DRY-RUN mode – no changes will be written to GitHub.")


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Use module-level logger with domain prefix.

The logging setup and all subsequent logging calls violate two coding guidelines:

  1. Guideline requires logging.getLogger(__name__) instead of calling logging.info() directly on the root logger.
  2. All log messages must start with a "<Domain> -" prefix (e.g., "Sync - " or "Priority - ").
🔧 Recommended fix

Add a module-level logger at the top of the file after imports:

 from security.issues.secmeta import load_secmeta  # noqa: E402
+
+logger = logging.getLogger(__name__)

Then update all logging calls throughout the file. For example, line 181:

-    logging.info("DRY-RUN mode – no changes will be written to GitHub.")
+    logger.info("Sync - DRY-RUN mode – no changes will be written to GitHub.")
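Review bot: the replacement line still carries the U+2013 EN DASH ("mode – no changes") that RUF001 flags at this same line, so applying this hunk alone leaves the lint warning in place; when switching to `logger.info`, also swap that character for an ASCII hyphen so the line reads `logger.info("Sync - DRY-RUN mode - no changes will be written to GitHub.")`, and do the same on the other four messages this refactor touches.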

Apply similar changes to all logging.info(), logging.debug(), logging.warning(), and logging.error() calls on lines 181, 206-208, 213, 218, 221, 226, 237-240, 256, 262, 272-276, 280, 288.

As per coding guidelines: "Use logging.getLogger(__name__) instead of print statements" and "All log messages must start with '<Domain> -' prefix (e.g., 'Security -')".

🧰 Tools
🪛 Ruff (0.15.15)

[warning] 181-181: String contains ambiguous – (EN DASH). Did you mean - (HYPHEN-MINUS)?

(RUF001)


Source: Coding guidelines

Comment thread scripts/sync_project_priorities.py Outdated
        stream=sys.stdout,
    )
    if dry_run:
        logging.info("DRY-RUN mode – no changes will be written to GitHub.")


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace ambiguous EN DASH with regular hyphen.

Ruff flags five log messages that use the EN DASH character (–, Unicode U+2013) instead of the standard ASCII hyphen-minus (-). This can cause encoding issues and reduces consistency.

Affected lines:

  • Line 181: "DRY-RUN mode – no changes..."
  • Line 218: "...found – nothing to sync."
  • Line 256: "...secmeta – skipped."
  • Line 262: "...priority-map – skipped."
  • Line 280: "...sync – all issues..."
🔧 Quick fix

Replace all occurrences of – with - in these log messages:

-        logging.info("DRY-RUN mode – no changes will be written to GitHub.")
+        logging.info("DRY-RUN mode - no changes will be written to GitHub.")

Apply similar replacements to the other four locations.

Also applies to: 218-218, 256-256, 262-262, 280-280

🧰 Tools
🪛 Ruff (0.15.15)

[warning] 181-181: String contains ambiguous – (EN DASH). Did you mean - (HYPHEN-MINUS)?

(RUF001)


Source: Linters/SAST tools
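The two review comments above ask for related changes to the same function: a module-level logger whose messages carry a "Sync - " domain prefix, and ASCII hyphens instead of U+2013 in the message strings. The block below is an added example for this page, not code from the PR or the repository. It shows one way to structure `_setup_logging` around a `logging.LoggerAdapter` that applies the prefix so no call site can forget it, plus an `ast`-based scan, modelled on what Ruff's RUF001 reports, that locates string literals containing ambiguous dashes. `DomainLogger`, `find_ambiguous_dashes`, `ascii_dashes`, `capture_messages` and `SAMPLE_SOURCE` are all constructed for the example and are not names from the project.

```python
import ast
import logging
import sys
import unicodedata

# Module-level logger (the guideline's logging.getLogger(__name__)) instead of the root logger.
logger = logging.getLogger(__name__)


class DomainLogger(logging.LoggerAdapter):
    """Prefix every message with '<Domain> - ' so call sites cannot omit it."""

    def process(self, msg, kwargs):
        return f"{self.extra['domain']} - {msg}", kwargs


def _setup_logging(dry_run: bool, stream=sys.stdout) -> DomainLogger:
    """Configure the root handler once and return a 'Sync' domain logger."""
    logging.basicConfig(
        level=logging.INFO,
        format="%(asctime)s %(levelname)-8s %(message)s",
        datefmt="%Y-%m-%d %H:%M:%S",
        stream=stream,
    )
    # Pin this module's level so INFO survives even if the root was configured elsewhere.
    logger.setLevel(logging.INFO)
    sync_log = DomainLogger(logger, {"domain": "Sync"})
    if dry_run:
        # ASCII hyphen-minus (U+002D), not EN DASH (U+2013), so the text is unambiguous.
        sync_log.info("DRY-RUN mode - no changes will be written to GitHub.")
    return sync_log


# Characters RUF001 reports as ambiguous when a plain hyphen was probably meant.
AMBIGUOUS_DASHES = ("\u2013", "\u2014", "\u2212")  # EN DASH, EM DASH, MINUS SIGN


def find_ambiguous_dashes(source: str) -> list[tuple[int, str]]:
    """Return (line number, Unicode name) for each string literal holding an ambiguous dash."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for ch in AMBIGUOUS_DASHES:
                if ch in node.value:
                    findings.append((node.lineno, unicodedata.name(ch)))
    return findings


def ascii_dashes(text: str) -> str:
    """Rewrite ambiguous dashes to ASCII hyphen-minus."""
    for ch in AMBIGUOUS_DASHES:
        text = text.replace(ch, "-")
    return text


class _ListHandler(logging.Handler):
    """Collects rendered messages in memory so results can be checked without stdout."""

    def __init__(self):
        super().__init__()
        self.messages: list[str] = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def capture_messages(action) -> list[str]:
    """Run `action` with a list-backed handler attached to the module logger."""
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        action()
    finally:
        logger.removeHandler(handler)
    return handler.messages


# Constructed sample source: the first line mirrors the pattern the review flagged.
SAMPLE_SOURCE = '''\
logging.info("DRY-RUN mode \u2013 no changes will be written to GitHub.")
logging.warning("No open scope:security issues found - nothing to sync.")
'''

if __name__ == "__main__":
    _setup_logging(dry_run=True)
    for lineno, name in find_ambiguous_dashes(SAMPLE_SOURCE):
        print(f"line {lineno}: ambiguous {name}")
```

Because `basicConfig` still configures the root handler, the module logger needs no handler of its own; records propagate up and reach the same timestamped stdout stream the script already uses, while every message now carries the required domain prefix.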


Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feat: Script for Issue Severity:Project Priority

1 participant