feat: sync linked issue labels to pull requests

[cheese-cakee]

Description

Adds an automated GitHub workflow system to sync labels from linked issues to pull requests.

When a PR body includes closing keywords (for example Fixes #123), the workflow fetches labels from those linked issues and adds missing labels to the PR.

Continuation of closed PR #1877 - all review feedback has been addressed.

Related issue(s)

Fixes #1716

What changed

• Added compute workflow: .github/workflows/sync-issue-labels-compute.yml
  • Uses pull_request trigger on opened, edited, reopened, synchronize, and ready_for_review
  • Label-sync logic is inlined in actions/github-script step (no checkout needed, eliminates fork code execution risk)
  • Includes hardened runner, concurrency group, and MAX_LINKED_ISSUES cap
  • Supports workflow_dispatch with pr_number + dry_run
  • Computes labels from linked issues and uploads as artifact
  • Fork PRs are detected and dispatch is skipped (no secret available)
• Added add workflow: .github/workflows/sync-issue-labels-add.yml
  • Triggered via workflow_dispatch (called by compute workflow)
  • Downloads artifact by name for deterministic reads
  • JSON validates payload before applying labels
  • Adds labels to PR using actions-ecosystem/action-add-labels with number input
  • Fails explicitly if artifact is missing (broken handoff detection)
• Added changelog entry under [Unreleased] -> .Github

Scope note

This PR intentionally implements label sync only (additive). It does not remove labels from PRs and does not include assignee sync.

Architecture

Two separate workflows to separate read and write permissions:

1. sync-issue-labels-compute.yml - reads labels from linked issues (read-only permissions, inline script)
2. sync-issue-labels-add.yml - writes labels to PR (write permissions, issues: write)

The compute workflow triggers on PR events and dispatches the add workflow via workflow_dispatch, passing computed labels as an artifact.

Testing

• Fork-tested end-to-end with real issues and labels
• Created issues with overlapping labels
• Opened fork PR linking issues with Fixes #N keywords
• Confirmed compute workflow succeeded
• Confirmed PR received expected labels

Checklist

• Documented (workflow behavior is self-logged and changelog updated)
• Tested (fork end-to-end validation)
• Fork guard enforced (dispatch skipped for fork PRs)
• Write path uses pinned actions only
• JSON validation in add workflow (security)
• MAX_LINKED_ISSUES cap to prevent API amplification
• Concurrency group to prevent parallel compute runs

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds two new GitHub Actions workflows to copy labels from linked issues to PRs, plus updates harden-runner steps in an existing CI workflow to include three explicit egress allowlist endpoints; also updates CHANGELOG.md.

Changes

Cohort / File(s)	Summary
Security Hardening .github/workflows/pr-check-test.yml	Updated step-security/harden-runner usage in unit-tests and integration-tests to include an allowed-endpoints list with three host:443 entries alongside egress-policy: audit.
Label Synchronization Workflows .github/workflows/sync-issue-labels-compute.yml, .github/workflows/sync-issue-labels-add.yml	Added two workflows: compute (trigger on PR events or dispatch) that extracts linked issues, fetches their labels, deduplicates, writes labels.json artifact and optionally dispatches the add workflow; add (manual/dispatch) downloads the artifact, validates payload and conditionally applies labels to the PR with dry-run and fork checks.
Documentation CHANGELOG.md	Documented the new automated label sync feature and the added egress allowlist entries in the changelog under Unreleased .github section.

Sequence Diagram

sequenceDiagram
    participant GH as "GitHub Events"
    participant Compute as "sync-issue-labels-compute (job)"
    participant API as "GitHub API"
    participant Artifact as "Artifact Storage"
    participant Add as "sync-issue-labels-add (job)"

    GH->>Compute: PR event or workflow_dispatch (pr_number)
    Compute->>API: Fetch PR details & author
    API-->>Compute: PR info
    Compute->>Compute: Parse PR body → extract linked issue numbers
    loop for each linked issue
        Compute->>API: Fetch issue by number
        API-->>Compute: Issue labels (or 404)
        Compute->>Compute: Aggregate labels
    end
    Compute->>Compute: Deduplicate & compute new labels for PR
    Compute->>Artifact: Upload labels.json (pr-labels-<pr>)
    Compute->>GH: Dispatch `sync-issue-labels-add` (when applicable)
    GH->>Add: Workflow dispatch (with upstream_run_id, pr_number, dry_run)
    Add->>Artifact: Download pr-labels artifact
    Artifact-->>Add: labels.json
    Add->>Add: Validate payload, dry-run & fork checks
    alt apply labels
        Add->>API: Add labels to PR
        API-->>GH: Labels applied to PR
    else skip
        Add-->>GH: No-op / dry-run
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the primary change: adding automated label synchronization from linked issues to pull requests.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the workflow additions, architecture, testing, and scope.
Linked Issues check	✅ Passed	The PR successfully implements the core requirements from #1716 (workflow to sync labels from linked issues) and #123 (security hardening with harden-runner, least-privileged permissions, pinned actions).
Out of Scope Changes check	✅ Passed	Changes are well-scoped: two new workflows implement label sync, the pr-check-test.yml update adds security egress allowlisting, and CHANGELOG.md documents all changes. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📋 Issue Planner

Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).

View plan for ticket: #1716

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f0b7bc26-2115-4014-9b8d-f879134d21e2

📥 Commits

Reviewing files that changed from the base of the PR and between 5443cbe and a2a6b4f.

📒 Files selected for processing (5)

• .github/scripts/sync-issue-labels.js
• .github/workflows/pr-check-test.yml
• .github/workflows/sync-issue-labels-add.yml
• .github/workflows/sync-issue-labels-compute.yml
• CHANGELOG.md

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (4)

.github/workflows/sync-issue-labels-compute.yml (2)

4-5: ⚠️ Potential issue | 🔴 Critical

Critical: untrusted fork code can run on self-hosted runner

Line 4 uses pull_request, and Line 35 checks out pull_request.head.ref. That combination executes fork PR head code on your self-hosted runner before any fork guard.

🔐 Hardening patch

 on:
-  pull_request:
+  pull_request_target:
     types: [opened, edited, reopened, synchronize, ready_for_review]
@@
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.ref || 'main' }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && 'main' || github.event.pull_request.base.sha }}

As per coding guidelines, “Workflows must behave safely when executed from forks.”

Also applies to: 32-35

---

91-97: ⚠️ Potential issue | 🟠 Major

Guard dispatch step for fork PRs and missing PAT

Line 91 dispatches the write workflow unconditionally, but Line 97 depends on secrets.GH_ACCESS_TOKEN. On fork PR runs this secret is typically unavailable, so this path is brittle/failing.

🛡️ Suggested guard

       - name: Trigger add workflow
+        if: ${{ steps.compute.outputs.is_fork_pr != 'true' && secrets.GH_ACCESS_TOKEN != '' }}
         uses: step-security/workflow-dispatch@acca1a315af3bf7f33dd116d3cb405cb83f5cbdc # v1.2.8

As per coding guidelines, “Workflows must behave safely when executed from forks.”

.github/scripts/sync-issue-labels.js (1)

67-80: ⚠️ Potential issue | 🟠 Major

Bound linked-issue extraction to prevent API amplification

PR body is untrusted input, but Line 80 returns all matches with no limit, and Lines 165-169 make one API call per linked issue. Add a hard upper bound and log truncation.

🧱 Suggested safeguard

+const MAX_LINKED_ISSUES = Number(process.env.MAX_LINKED_ISSUES || "20");
+
 function extractLinkedIssueNumbers(prBody, owner, repo) {
   const numbers = new Set();
@@
-  return Array.from(numbers);
+  const all = Array.from(numbers);
+  if (all.length > MAX_LINKED_ISSUES) {
+    console.log(`[sync] Limiting linked issue refs from ${all.length} to ${MAX_LINKED_ISSUES}.`);
+  }
+  return all.slice(0, MAX_LINKED_ISSUES);
 }

As per coding guidelines, “Treat all GitHub event data as potentially untrusted input.”

Also applies to: 165-169

.github/workflows/sync-issue-labels-add.yml (1)

43-62: 🧹 Nitpick | 🔵 Trivial

Make artifact read deterministic

Line 61 uses find ... -print -quit, which can pick the wrong payload if multiple artifacts/files exist. Download the expected artifact by name and read a fixed path.

♻️ Suggested refactor

       - name: Download labels artifact
         id: download
         continue-on-error: true
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
         with:
+          name: pr-labels-${{ github.event.inputs.pr_number }}
           path: artifacts
           run-id: ${{ github.event.inputs.upstream_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@
-          labels_file=""
-          if [ -d artifacts ]; then
-            labels_file=$(find artifacts -name labels.json -print -quit)
-          fi
+          labels_file="artifacts/labels.json"

As per coding guidelines, “Workflows that mutate state should use concurrency groups and duplicate prevention patterns (marker-based comments, check-before-create for labels).”

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b4d35402-05f5-438a-9cda-aa0b7b228e15

📥 Commits

Reviewing files that changed from the base of the PR and between a2a6b4f and fce3a4d.

📒 Files selected for processing (5)

• .github/scripts/sync-issue-labels.js
• .github/workflows/pr-check-test.yml
• .github/workflows/sync-issue-labels-add.yml
• .github/workflows/sync-issue-labels-compute.yml
• CHANGELOG.md

[Copilot]

Pull request overview

Adds GitHub Actions automation to propagate labels from linked issues (referenced via closing keywords in PR bodies) onto pull requests, aiming to reduce manual labeling effort.

Changes:

• Introduces a “compute” workflow to parse linked issues from PR text, gather issue labels, and publish the label delta as an artifact.
• Introduces an “add” workflow to download the computed artifact payload and apply labels to the PR.
• Updates Harden-Runner egress allowlisting in pr-check-test.yml (and records related entries in the changelog).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
CHANGELOG.md	Adds .github changelog bullets (but currently not for the label-sync feature) and unintentionally modifies the file header encoding.
.github/workflows/sync-issue-labels-compute.yml	New workflow to compute missing PR labels from linked issues and dispatch the add workflow.
.github/workflows/sync-issue-labels-add.yml	New workflow to download computed label payload and add labels to the PR.
.github/workflows/pr-check-test.yml	Adds additional allowed-endpoints entries for Harden-Runner.
.github/scripts/sync-issue-labels.js	Adds a reusable JS implementation of label syncing logic (currently not wired into the workflows).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

.github/scripts/sync-issue-labels.js (1)

61-79: ⚠️ Potential issue | 🟠 Major

Only collect refs that are actually paired with a closing keyword.

Once Line 96 sees any closing keyword, Line 99 pulls every issue ref on that line. A body like Fixes #1, related to #2`` will still copy labels from #2. Use one regex that matches keyword+reference pairs instead of keyword-presence + broad extraction.

As per coding guidelines, “Do not trust free-form text from issues, PRs, or comments.”

Also applies to: 90-100

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 581c12ad-9b23-4f5a-abc3-64bcbaea4a17

📥 Commits

Reviewing files that changed from the base of the PR and between fce3a4d and daacac0.

📒 Files selected for processing (3)

• .github/scripts/sync-issue-labels.js
• .github/workflows/sync-issue-labels-add.yml
• .github/workflows/sync-issue-labels-compute.yml

[github-actions]

Hi, this is WorkflowBot.
Your pull request cannot be merged as it is not passing all our workflow checks.
Please click on each check to review the logs and resolve issues so all checks pass.
To help you:

• DCO signing guide
• Changelog guide
• Merge conflicts guide
• Rebase guide
• Testing guide
• Discord
• Community Calls
  Thank you for contributing!
  From the Hiero Python SDK Team

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main    #2015   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files         144      144           
  Lines        9350     9350           
=======================================
  Hits         8760     8760           
  Misses        590      590           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.github/workflows/sync-issue-labels-compute.yml (1)

187-188: ⚠️ Potential issue | 🔴 Critical

Move the PAT presence check out of the step if.

Line 188 will not validate as written: jobs.<job_id>.steps.if does not allow the secrets context, and GitHub’s secrets docs explicitly say secrets cannot be referenced directly in if: conditionals. Put the presence check into a job-level env value and gate on env.HAS_GH_ACCESS_TOKEN instead. (docs.github.com)

Suggested fix

  compute-labels:
+    env:
+      HAS_GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN != '' }}
     concurrency:
       group: sync-issue-labels-compute-pr-${{ github.event.pull_request.number || github.event.inputs.pr_number }}
       cancel-in-progress: true

-      - name: Trigger add workflow
-        if: ${{ steps.compute.outputs.is_fork_pr != 'true' && secrets.GH_ACCESS_TOKEN != '' }}
+      - name: Trigger add workflow
+        if: ${{ steps.compute.outputs.is_fork_pr != 'true' && env.HAS_GH_ACCESS_TOKEN == 'true' }}
         uses: step-security/workflow-dispatch@acca1a315af3bf7f33dd116d3cb405cb83f5cbdc # v1.2.8

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f6f4172-be62-4c6c-8bf4-89f10ce5d8a5

📥 Commits

Reviewing files that changed from the base of the PR and between daacac0 and e4983e4.

📒 Files selected for processing (3)

• .github/workflows/sync-issue-labels-add.yml
• .github/workflows/sync-issue-labels-compute.yml
• CHANGELOG.md

[coderabbitai]

Actionable comments posted: 5

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4126f20c-adb3-4d4e-96ee-48372aef0147

📥 Commits

Reviewing files that changed from the base of the PR and between e4983e4 and 25e750c.

📒 Files selected for processing (2)

• .github/workflows/sync-issue-labels-add.yml
• .github/workflows/sync-issue-labels-compute.yml

[cheese-cakee]

Fork E2E Test Results

Tested the workflow end-to-end on cheese-cakee/hiero-sdk-python fork.

Test setup:

• Test PR: fork#16
• Issue Add TokenNftInfo Class #14 (label: bug) + Issue Add TokenTransfer Class #15 (label: enhancement)
• PR body: Fixes #14 + Closes #15

Compute workflow — run:

[sync] Linked issues: #14, #15
[sync] Issue #14 labels: bug
[sync] Issue #15 labels: enhancement
[sync] To add: bug, enhancement
Artifact pr-labels-16 successfully finalized

Add workflow — run:

Downloading artifact 'pr-labels-16' ... completed successfully
LABELS: ["bug","enhancement"]
PR_NUMBER: 16
Add labels to PR: [error] Resource not accessible by integration

The label-adding step fails on the fork because GITHUB_TOKEN is restricted on forks (GitHub's known limitation). On the upstream repo, the GH_ACCESS_TOKEN PAT with repo scope handles this correctly. The entire pipeline logic (parse → compute → artifact → download → read) is verified end-to-end.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}