Upgrade Add to project job workflow

dshevtsov · dshevtsov · commit ad32d8de7568 · 2025-10-07T14:58:45.000-05:00
diff --git a/.github/workflows/add-to-project-board.yml b/.github/workflows/add-to-project-board.yml
@@ -1,4 +1,6 @@
 ##### Aggregate Commerce PRs and Issues into a respective Organizational Project #####
+# Security Note: Uses pull_request_target to allow fork PRs to be added to projects
+# This is safe because we only add PRs to projects, no code execution from PRs
 
 name: Add pull requests and issues to projects
 
@@ -10,6 +12,12 @@ on:
     types: 
       - opened
 
+# Security: Limit permissions to only what's needed
+permissions:
+  pull-requests: write
+  issues: write
+  contents: read
+
 jobs:
   call-workflow-add-to-project:
     uses: ./.github/workflows/add-to-project_job.yml
diff --git a/.github/workflows/add-to-project_job.yml b/.github/workflows/add-to-project_job.yml
@@ -5,20 +5,19 @@ on:
 
 jobs:
   add-to-project:
-    if: github.event.repository.fork == false
     runs-on: ubuntu-latest
 
     steps:
       - name: Add to Commerce PR project
         if: github.event_name == 'pull_request_target'
-        uses: actions/add-to-project@v0.4.0
+        uses: actions/add-to-project@v1.0.2
         with:
           project-url: https://github.com/orgs/AdobeDocs/projects/5 # The organizational project for pull requests
           github-token: ${{ secrets.COMMERCE_PROJECT_AUTOMATION }}
       
       - name: Add to Commerce Issue project
         if: github.event_name == 'issues'
-        uses: actions/add-to-project@v0.4.0
+        uses: actions/add-to-project@v1.0.2
         with:
           project-url: https://github.com/orgs/AdobeDocs/projects/6 # The organizational project for issues
           github-token: ${{ secrets.COMMERCE_PROJECT_AUTOMATION }}
