TT-15793 added workflow to Suggest target branches

[sredxny]

Description

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

• I ensured that the documentation is up to date
• I explained why this PR updates go.mod in detail with reasoning why it's required
• I would like a code coverage CI quality gate exception and have explained why

Ticket Details

TT-15793

Status	In Dev
Summary	Implement Intelligent Branch Merge Recommendations

Generated at: 2025-11-06 11:09:32

[github-actions]

🎯 Recommended Merge Targets

Based on JIRA ticket TT-15793: Implement Intelligent Branch Merge Recommendations

Fix Version: Tyk 5.10.1

Required:

• release-5.10.1 - Exact version branch for Tyk 5.10.1 - specific patch release
• release-5.10 - Minor version branch for 5.10.x patches - required for creating Tyk 5.10.1
• master - Main development branch - ensures fix is in all future releases

---

📋 Workflow

1. Merge this PR to master first

2. Cherry-pick to release branches by commenting on the merged PR:

   • /release to release-5.10.1
   • /release to release-5.10

3. Automated backport - The bot will automatically create backport PRs to the specified release branches

[github-actions]

API Changes

no api changes detected

[probelabs]

🔍 Code Analysis Results

This PR introduces a new GitHub Actions workflow to automatically suggest target branches for pull requests based on information from an associated Jira ticket.

Files Changed Analysis

• File Added: .github/workflows/intelligent-branch-recomendations.yml
• Additions: 18 lines
• Deletions: 0
  A single workflow file is added to the repository. The change is isolated to the CI/CD configuration and does not affect the application's source code.

Architecture & Impact Assessment

• What this PR accomplishes: It automates the process of suggesting the correct target branches for pull requests. This helps developers avoid opening PRs against the wrong base branch, streamlining the code review and merge process.

• Key technical changes introduced:

  • A new GitHub Actions workflow named PR Merge Suggestions is added.
  • It triggers on pull_request events (opened, synchronize, reopened, ready_for_review).
  • It utilizes a reusable workflow from an external repository: TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml.
  • The workflow requires pull-requests: write permissions to comment on PRs and uses a JIRA_TOKEN secret to integrate with Jira.

• Affected system components: The change affects the repository's CI/CD pipeline and the developer workflow. It introduces a dependency on the TykTechnologies/github-actions repository and the availability of the Jira service.

• Workflow Visualization:

graph TD
    A[Pull Request Event] --> B{Trigger 'PR Merge Suggestions' Workflow};
    B --> C{Execute 'branch-suggestions' Job};
    C --> D[Call Reusable Workflow<br>TykTechnologies/github-actions/branch-suggestion.yml];
    D -- Uses JIRA_TOKEN --> E[Fetch Info from Jira];
    E --> F[Calculate Branch Suggestions];
    F --> G[Post Suggestions as a PR Comment];

Loading

Scope Discovery & Context Expansion

• The core logic for determining branch suggestions resides entirely within the reusable workflow. To fully assess the impact and correctness of this feature, the source code of TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml must be reviewed.
• Critical Security Concern: The reusable workflow is pinned to the main branch (...yml@main). This is a significant security risk, as any malicious code pushed to the main branch of the source repository will be automatically executed with this workflow's permissions, which include write access to pull requests and access to the JIRA_TOKEN secret. It is strongly recommended to pin the workflow to a specific, immutable commit SHA or a release tag to prevent supply chain attacks.

Metadata

• Review Effort: 2 / 5
• Primary Label: chore

---

Powered by Visor from Probelabs

Last updated: 2025-11-06T11:13:15.653Z | Triggered by: synchronize | Commit: b9880f1

💡 TIP: You can chat with Visor using /visor ask <your question>

[probelabs]

🔍 Code Analysis Results

Security Issues (1)

Severity	Location	Issue
🟡 Warning	.github/workflows/intelligent-branch-recomendations.yml:16	The reusable workflow is pinned to a mutable branch (`main`), which creates a supply chain risk. If the `main` branch of the source repository (`TykTechnologies/github-actions`) is compromised, malicious code could be executed. The risk is elevated because the workflow has `pull-requests: write` permissions and access to a `JIRA_TOKEN` secret. 💡 Suggestion Pin the reusable workflow to a specific commit SHA or a stable tag to ensure a trusted version is used. Example: `uses: TykTechnologies/github-actions@abcdef1`

Architecture Issues (1)

Severity	Location	Issue
🟡 Warning	.github/workflows/intelligent-branch-recomendations.yml:16	The reusable workflow is referenced using the `main` branch (`@main`), which can introduce instability and security risks. Any changes pushed to the `main` branch of `TykTechnologies/github-actions`, including breaking changes or potentially compromised code, would be automatically picked up. This can cause this workflow to fail unexpectedly without any changes being made in this repository. 💡 Suggestion To ensure deterministic and secure builds, pin the reusable workflow to a specific commit SHA, tag, or release version (e.g., `@v1.0.0`).

Performance Issues (1)

Severity	Location	Issue
🟢 Info	AI_RESPONSE:1	This pull request introduces a new GitHub Actions workflow (`intelligent-branch-recomendations.yml`) to suggest target branches for pull requests. The changes are confined to the CI/CD configuration and do not modify any of the application's source code. As the modifications are outside the application's runtime execution path, they have no impact on the performance areas specified in the review instructions, such as API loading, regex evaluation, connection handling, or analytics processing. Therefore, no performance-related issues were found.

Quality Issues (1)

Severity	Location	Issue
🟡 Warning	.github/workflows/intelligent-branch-recomendations.yml:16	The reusable workflow `TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml` is referenced using the `main` branch. This poses a stability risk, as breaking changes in the target workflow's `main` branch will be automatically used. It is recommended to pin the workflow to a specific version (e.g., a tag like `@v1` or a specific commit SHA) to ensure predictable behavior. 💡 Suggestion Replace `@main` with a specific tag (e.g., `@v1`) or a commit SHA to ensure the workflow's stability and prevent unexpected changes.

✅ Dependency Check Passed

No dependency issues found – changes LGTM.

✅ Connectivity Check Passed

No connectivity issues found – changes LGTM.

---

Powered by Visor from Probelabs

Last updated: 2025-11-06T11:13:16.949Z | Triggered by: synchronize | Commit: b9880f1

💡 TIP: You can chat with Visor using /visor ask <your question>

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud