From 273b1e4402762a51f912897bf2cbcd9e48f35cd7 Mon Sep 17 00:00:00 2001 From: Mike Goldsmith Date: Tue, 31 Mar 2026 15:38:55 +0100 Subject: [PATCH 1/3] add GHA to add PRs to project board on ready for review The board's built-in auto-add workflow only fires on PR open/reopen, not when a draft is converted to ready for review. This GHA covers that gap by triggering on opened, reopened, and ready_for_review, skipping drafts. Assisted-by: Claude Sonnet 4.6 --- .github/workflows/add-to-project.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/workflows/add-to-project.yml diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml new file mode 100644 index 00000000000..ef4ff1b86df --- /dev/null +++ b/.github/workflows/add-to-project.yml @@ -0,0 +1,16 @@ +name: Add PR to project board + +on: + pull_request: + types: [opened, reopened, ready_for_review] + +jobs: + add-to-project: + name: add to project board + runs-on: ubuntu-latest + if: github.event.pull_request.draft == false + steps: + - uses: actions/add-to-project@v1.0.2 + with: + project-url: https://github.com/orgs/open-telemetry/projects/88 + github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} From 6661cf65ec551180cf8b0ee19926ad1e6c0c4b15 Mon Sep 17 00:00:00 2001 From: Mike Goldsmith Date: Tue, 31 Mar 2026 17:38:43 +0100 Subject: [PATCH 2/3] switch to pull_request_target and otelbot token for project board workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pull_request trigger cannot access secrets for fork PRs (Secret source: None). pull_request_target runs in base repo context and can access secrets. Use otelbot app token (same pattern as backport.yml) instead of a PAT. No checkout step — intentional, see #4955. Assisted-by: Claude Sonnet 4.6 --- .github/workflows/add-to-project.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index ef4ff1b86df..fe9eb4a7756 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -1,16 +1,28 @@ name: Add PR to project board on: - pull_request: + pull_request_target: types: [opened, reopened, ready_for_review] +permissions: + contents: read + jobs: add-to-project: name: add to project board runs-on: ubuntu-latest if: github.event.pull_request.draft == false steps: + # NOTE: do NOT add an actions/checkout step here. This workflow uses + # pull_request_target (which has access to secrets) but must never + # execute code from the fork branch. See PR #4955 for context. + - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 + id: otelbot-token + with: + app-id: ${{ vars.OTELBOT_APP_ID }} + private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }} + - uses: actions/add-to-project@v1.0.2 with: project-url: https://github.com/orgs/open-telemetry/projects/88 - github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} + github-token: ${{ steps.otelbot-token.outputs.token }} From 7945cb67e1ce66609a852527d18732df46b91188 Mon Sep 17 00:00:00 2001 From: Mike Goldsmith Date: Wed, 6 May 2026 12:45:51 +0100 Subject: [PATCH 3/3] use otelbot-python credentials for project board workflow Switch from generic OTELBOT_APP_ID/OTELBOT_PRIVATE_KEY to the new Python-specific OTELBOT_PYTHON_APP_ID/OTELBOT_PYTHON_PRIVATE_KEY which has Projects read/write permission. See open-telemetry/community#3351 Assisted-by: Claude Opus 4.6 --- .github/workflows/add-to-project.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index fe9eb4a7756..37876544c4d 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -19,8 +19,8 @@ jobs: - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: otelbot-token with: - app-id: ${{ vars.OTELBOT_APP_ID }} - private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }} + app-id: ${{ vars.OTELBOT_PYTHON_APP_ID }} + private-key: ${{ secrets.OTELBOT_PYTHON_PRIVATE_KEY }} - uses: actions/add-to-project@v1.0.2 with: