ci: add Engineering Kanban shared workflow#10
Conversation
There was a problem hiding this comment.
Pull request overview
Adds a reusable GitHub Actions workflow intended to be called by other Zitadel repositories to automatically add newly-created issues and community PRs to the Zitadel Engineering Kanban (GitHub Project 15).
Changes:
- Introduces a
workflow_callreusable workflow with inputs for an issue URL and PR URL. - Generates a GitHub App token and uses
gh project item-add/gh project item-editto add the item to Project 15 and set a single-select field.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
fforootd
left a comment
fforootd
left a comment
There was a problem hiding this comment.
I left a few inline comments around the reusable workflow contract and runtime behavior.
| --single-select-option-id "2cd48e0f" | ||
|
|
||
| - name: Add PR to kanban | ||
| if: inputs.pr_url != '' |
There was a problem hiding this comment.
The PR description says the shared workflow adds “community PRs” and that all logic lives here, but this condition accepts any PR URL the caller passes. If thin caller workflows pass github.event.pull_request.html_url on pull_request_target.opened, internal PRs will be added too. Can we move the existing dependabot/staff/engineer filtering into this shared workflow, or make the caller contract explicit that callers must only pass community PR URLs?
| id: app-token | ||
| uses: actions/create-github-app-token@v2 | ||
| with: | ||
| app-id: ${{ secrets.PROJECT_APP_ID }} |
There was a problem hiding this comment.
Because this is a reusable workflow_call, these app secrets should either be declared under on.workflow_call.secrets as required inputs or every caller must use secrets: inherit. Named secret passing fails unless the called workflow declares the secret names, so making the secret contract explicit would make the thin caller workflows less fragile.
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| ITEM_ID=$(gh project item-add 15 --owner zitadel \ | ||
| --url "${{ inputs.issue_url }}" --format json | jq -r '.id') |
There was a problem hiding this comment.
These workflow inputs are interpolated directly into a shell script. The current intended values are GitHub-generated URLs, but reusable workflow inputs are still a sharp edge if a future caller passes anything user-controlled. Safer pattern: assign the expression to an environment variable, then use --url "$ISSUE_URL" here and the same pattern for pr_url below.
Adds the shared reusable workflow that all Zitadel repositories will call to automatically add new issues and community PRs to the Engineering Kanban project.
Individual repositories will reference this via a thin caller workflow at
.github/workflows/kanban.yml. All logic lives here so it only needs to change in one place.