Skip to content

ci: restore auto-add-to-project as reusable workflow #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lml2468 merged 2 commits into from
May 15, 2026
+58 −0
Merged

ci: restore auto-add-to-project as reusable workflow #12

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d241913
ci: restore auto-add-to-project as reusable workflow
May 14, 2026
3c0e4be
ci: address review feedback on auto-add-to-project
May 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .github/workflows/auto-add-to-project.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Auto-add issues and PRs to the org-level GitHub Project board.
#
# This is a reusable workflow: child repositories within the Mininglamp-OSS
# organization can call it via `workflow_call` to share a single, centrally
# maintained automation. It also runs directly for issues and pull requests
# opened in the .github repository itself.
#
# Why a workflow instead of GitHub's native Auto-add rule:
# GitHub Projects has a built-in Auto-add workflow, but it can only be
# configured through the Project's web UI — there is no API to manage it.
# That violates Infrastructure as Code: the rule cannot be reviewed,
# version-controlled, or reproduced across projects from this repo. This
# Actions-based approach keeps the automation declarative and auditable.
#
# Direct-trigger requirements:
# When this workflow runs directly (issues / pull_request_target events in
# this .github repo), it needs a PROJECT_TOKEN secret configured on the
# .github repository itself (or as an organization-level secret available
# to it). The workflow_call path receives the secret from the caller.
#
# Caller repos invoke it like:
# jobs:
# add-to-project:
# uses: Mininglamp-OSS/.github/.github/workflows/auto-add-to-project.yml@main
# secrets:
# PROJECT_TOKEN: ${{ secrets.PROJECT_TOKEN }}
name: Auto add to project (reusable)

on:
workflow_call:
secrets:
PROJECT_TOKEN:
required: true
issues:
types: [opened]
# pull_request_target (rather than pull_request) is required so that PRs
# opened from forks can access the PROJECT_TOKEN secret — pull_request
# runs in the fork's context and has no access to secrets.
#
# SECURITY: do NOT add `actions/checkout` (or otherwise check out the PR
# head ref) to this workflow. pull_request_target runs in the base repo's
# privileged context with access to PROJECT_TOKEN; checking out untrusted
# PR code here would let a malicious fork exfiltrate the token.
pull_request_target:
types: [opened]

permissions: {}

jobs:
add-to-project:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Add issue or PR to org project
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/Mininglamp-OSS/projects/2
github-token: ${{ secrets.PROJECT_TOKEN }}