From d11069cdac6c70c4e732dcaeba319df55b8b1a91 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sun, 12 Apr 2026 21:25:26 +0200 Subject: [PATCH 1/2] refactor: use shared upsert-issue action from devantler-tech/actions Replace the local composite action with devantler-tech/actions/upsert-issue@main, a shared org-level action that manages the full issue lifecycle. The 'open' input maps directly to the report's 'has-violations' output: open/reopen the issue with the report body close the issue or do nothing Depends on: https://github.com/devantler-tech/actions/pull/55 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../actions/manage-report-issue/action.yml | 76 ------------------- .../report-repos-with-multi-admin-teams.yml | 9 ++- .../report-repos-with-no-admin-team.yml | 9 ++- .../workflows/report-repos-with-no-team.yml | 9 ++- 4 files changed, 15 insertions(+), 88 deletions(-) delete mode 100644 .github/actions/manage-report-issue/action.yml diff --git a/.github/actions/manage-report-issue/action.yml b/.github/actions/manage-report-issue/action.yml deleted file mode 100644 index 6cb88f7..0000000 --- a/.github/actions/manage-report-issue/action.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: "Manage Report Issue" -description: > - Manages the full lifecycle of a governance report issue: - creates, updates, reopens, or closes based on whether violations were found. -inputs: - title: - description: "The issue title used to find and manage the report issue" - required: true - report-path: - description: "Path to the markdown report file" - required: true - has-violations: - description: "Whether the report found any violations ('true' or 'false')" - required: true - token: - description: "GitHub token for API access" - required: true - -runs: - using: composite - steps: - - shell: bash - env: - GH_TOKEN: ${{ inputs.token }} - TITLE: ${{ inputs.title }} - HAS_VIOLATIONS: ${{ inputs.has-violations }} - REPORT_PATH: ${{ inputs.report-path }} - run: | - set -euo pipefail - - # Find existing issue by exact title (any state) - ISSUE_NUMBER=$( - gh issue list \ - --repo "$GITHUB_REPOSITORY" \ - --state all \ - --search "in:title \"${TITLE}\"" \ - --json number,title \ - --jq ".[] | select(.title == \"${TITLE}\") | .number" \ - | head -1 - ) - - if [ "$HAS_VIOLATIONS" = "true" ]; then - if [ -n "$ISSUE_NUMBER" ]; then - echo "Updating existing issue #${ISSUE_NUMBER}" - gh issue edit "$ISSUE_NUMBER" \ - --repo "$GITHUB_REPOSITORY" \ - --body-file "$REPORT_PATH" - gh issue reopen "$ISSUE_NUMBER" \ - --repo "$GITHUB_REPOSITORY" 2>/dev/null || true - else - echo "Creating new report issue" - gh issue create \ - --repo "$GITHUB_REPOSITORY" \ - --title "$TITLE" \ - --body-file "$REPORT_PATH" - fi - else - if [ -n "$ISSUE_NUMBER" ]; then - ISSUE_STATE=$( - gh issue view "$ISSUE_NUMBER" \ - --repo "$GITHUB_REPOSITORY" \ - --json state \ - --jq .state - ) - if [ "$ISSUE_STATE" = "OPEN" ]; then - echo "Closing resolved issue #${ISSUE_NUMBER}" - gh issue close "$ISSUE_NUMBER" \ - --repo "$GITHUB_REPOSITORY" \ - --comment "✅ All violations have been resolved." 
- else - echo "No open issue to close" - fi - else - echo "No violations and no existing issue — nothing to do" - fi - fi diff --git a/.github/workflows/report-repos-with-multi-admin-teams.yml b/.github/workflows/report-repos-with-multi-admin-teams.yml index 7ceae5b..3309735 100644 --- a/.github/workflows/report-repos-with-multi-admin-teams.yml +++ b/.github/workflows/report-repos-with-multi-admin-teams.yml @@ -54,9 +54,10 @@ jobs: bun run report:repos-with-multi-admin-teams - name: Manage report issue - uses: ./.github/actions/manage-report-issue + uses: devantler-tech/actions/upsert-issue@main with: title: "[report] Repos with Multiple Admin Teams" - report-path: ${{ steps.report.outputs.report-path }} - has-violations: ${{ steps.report.outputs.has-violations }} - token: ${{ steps.get-token.outputs.token }} + body-file: ${{ steps.report.outputs.report-path }} + open: ${{ steps.report.outputs.has-violations }} + close-comment: "✅ All violations have been resolved." + github-token: ${{ steps.get-token.outputs.token }} diff --git a/.github/workflows/report-repos-with-no-admin-team.yml b/.github/workflows/report-repos-with-no-admin-team.yml index e41e42d..2cdf6e6 100644 --- a/.github/workflows/report-repos-with-no-admin-team.yml +++ b/.github/workflows/report-repos-with-no-admin-team.yml @@ -54,9 +54,10 @@ jobs: bun run report:repos-with-no-admin-team - name: Manage report issue - uses: ./.github/actions/manage-report-issue + uses: devantler-tech/actions/upsert-issue@main with: title: "[report] Repos with No Admin Team" - report-path: ${{ steps.report.outputs.report-path }} - has-violations: ${{ steps.report.outputs.has-violations }} - token: ${{ steps.get-token.outputs.token }} + body-file: ${{ steps.report.outputs.report-path }} + open: ${{ steps.report.outputs.has-violations }} + close-comment: "✅ All violations have been resolved." + github-token: ${{ steps.get-token.outputs.token }} 
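Review bot: `open: ${{ steps.report.outputs.has-violations }}` forwards the report output unvalidated, so an empty or unexpected value may be read as "no violations" and close the issue with the "All violations have been resolved" comment; the no-admin-team and no-team hunks carry the same line. The removed composite action behaved this way too (anything other than `true` took the close branch), and how upsert-issue treats a non-boolean value is not visible on this page. For a governance report a false "resolved" hides an access-control finding, so I would guard the step with `if: steps.report.outputs.has-violations == 'true' || steps.report.outputs.has-violations == 'false'`. The report step that sets the output lies outside the hunk, so whether it can succeed without setting it needs checking there.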
diff --git a/.github/workflows/report-repos-with-no-team.yml b/.github/workflows/report-repos-with-no-team.yml index 8e51c41..664f78b 100644 --- a/.github/workflows/report-repos-with-no-team.yml +++ b/.github/workflows/report-repos-with-no-team.yml @@ -54,9 +54,10 @@ jobs: bun run report:repos-with-no-team - name: Manage report issue - uses: ./.github/actions/manage-report-issue + uses: devantler-tech/actions/upsert-issue@main with: title: "[report] Repos with No Team Assigned" - report-path: ${{ steps.report.outputs.report-path }} - has-violations: ${{ steps.report.outputs.has-violations }} - token: ${{ steps.get-token.outputs.token }} + body-file: ${{ steps.report.outputs.report-path }} + open: ${{ steps.report.outputs.has-violations }} + close-comment: "✅ All violations have been resolved." + github-token: ${{ steps.get-token.outputs.token }} From f8673c2be74ffe38e77b20d20df5a38b6a5794c1 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sun, 12 Apr 2026 21:33:53 +0200 Subject: [PATCH 2/2] fix: pin upsert-issue action to commit SHA Pin devantler-tech/actions/upsert-issue to e3a0bd51 to satisfy zizmor and CodeQL unpinned action reference checks. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/report-repos-with-multi-admin-teams.yml | 2 +- .github/workflows/report-repos-with-no-admin-team.yml | 2 +- .github/workflows/report-repos-with-no-team.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/report-repos-with-multi-admin-teams.yml b/.github/workflows/report-repos-with-multi-admin-teams.yml index 3309735..b13f702 100644 --- a/.github/workflows/report-repos-with-multi-admin-teams.yml +++ b/.github/workflows/report-repos-with-multi-admin-teams.yml 
@@ -54,7 +54,7 @@ jobs: bun run report:repos-with-multi-admin-teams - name: Manage report issue - uses: devantler-tech/actions/upsert-issue@main + uses: devantler-tech/actions/upsert-issue@e3a0bd51f2159079c77872080d493bc5ab9dc8bc # feat: add upsert-issue with: title: "[report] Repos with Multiple Admin Teams" body-file: ${{ steps.report.outputs.report-path }} diff --git a/.github/workflows/report-repos-with-no-admin-team.yml b/.github/workflows/report-repos-with-no-admin-team.yml index 2cdf6e6..f2eb8eb 100644 --- a/.github/workflows/report-repos-with-no-admin-team.yml +++ b/.github/workflows/report-repos-with-no-admin-team.yml @@ -54,7 +54,7 @@ jobs: bun run report:repos-with-no-admin-team - name: Manage report issue - uses: devantler-tech/actions/upsert-issue@main + uses: devantler-tech/actions/upsert-issue@e3a0bd51f2159079c77872080d493bc5ab9dc8bc # feat: add upsert-issue with: title: "[report] Repos with No Admin Team" body-file: ${{ steps.report.outputs.report-path }} diff --git a/.github/workflows/report-repos-with-no-team.yml b/.github/workflows/report-repos-with-no-team.yml index 664f78b..9c62b3a 100644 --- a/.github/workflows/report-repos-with-no-team.yml +++ b/.github/workflows/report-repos-with-no-team.yml @@ -54,7 +54,7 @@ jobs: bun run report:repos-with-no-team - name: Manage report issue - uses: devantler-tech/actions/upsert-issue@main + uses: devantler-tech/actions/upsert-issue@e3a0bd51f2159079c77872080d493bc5ab9dc8bc # feat: add upsert-issue with: title: "[report] Repos with No Team Assigned" body-file: ${{ steps.report.outputs.report-path }}
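Review bot: The trailing comment on the pinned `uses:` line records a commit subject (`# feat: add upsert-issue`) rather than the tag or branch the SHA was taken from, so a reader or an update tool cannot tell which ref it tracks; the no-admin-team and no-team hunks have the same line. Patch 1 lists devantler-tech/actions PR 55 as a dependency, so it is worth confirming that e3a0bd51 is reachable from that repository's default branch and not only from the PR branch. A squash merge would leave the SHA off the default branch, which is what zizmor's impostor-commit audit is meant to catch. This step hands `steps.get-token.outputs.token` to the pinned code, so I would change the comment to name the ref, e.g. `# main` or a release tag once one exists.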