harden: pin action SHA, restrict permissions, add concurrency controls in add-issue-to-backlog workflow

[Copilot]

add-issue-to-backlog.yml had four security gaps exposing supply chain risk and potential PAT abuse on a public repo.

Changes

• Pin action to immutable SHA — replaces mutable actions/add-to-project@v0.5.0 tag with full commit hash @31b3f3ccdc584546fc445612dec3f38ff5edb41c (v1.0.2); eliminates tag-reassignment attack vector with PAT access
• Least-privilege permissions — adds top-level permissions: issues: read, dropping all other default token scopes
• Concurrency controls — adds concurrency group keyed on issue number with cancel-in-progress: true; prevents unlimited parallel runs exhausting Actions minutes or rate-limiting the PAT
• Pin runner image — replaces ubuntu-latest with ubuntu-24.04 for deterministic execution

permissions:
  issues: read

concurrency:
  group: add-to-project-${{ github.event.issue.number }}
  cancel-in-progress: true

runs-on: ubuntu-24.04
uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v1.0.2

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Security][High] GitHub Actions supply chain risk: unpinned action version, missing permissions and concurrency controls</issue_title>
<issue_description>## Summary

The .github/workflows/add-issue-to-backlog.yml workflow has multiple security gaps that create supply chain attack vectors and resource abuse risks.

Findings

1. Unpinned and outdated GitHub Action (Supply Chain Risk)

File: .github/workflows/add-issue-to-backlog.yml, line 14

The workflow uses actions/add-to-project@v0.5.0, referenced by a mutable tag rather than an immutable SHA commit hash. The current release is v1.0.2. A compromised upstream repository or tag reassignment could inject malicious code with access to the ADD_TO_PROJECT_PAT secret.

Impact: OWASP A08:2021 - Software and Data Integrity Failures. An attacker who repoints the v0.5.0 tag gains code execution in the Actions runner with PAT access.

Fix: Pin to a full SHA:

uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v1.0.2

2. Missing permissions: block

The workflow runs with default (broad) token permissions. Only issues: read is needed.

Fix:

permissions:
  issues: read

3. Missing concurrency: controls

Any GitHub user who can open issues on this public repo can trigger unlimited parallel workflow runs, potentially exhausting Actions minutes or rate-limiting the PAT.

Fix:

concurrency:
  group: add-to-project-${{ github.event.issue.number }}
  cancel-in-progress: true

4. Unpinned runner image

runs-on: ubuntu-latest is a floating reference that can change behavior unexpectedly.

Fix: Use runs-on: ubuntu-24.04 for deterministic builds.

References

• GitHub Security Hardening Guide
• OWASP A08:2021 - Software and Data Integrity Failures

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Security][High] GitHub Actions supply chain risk: unpinned action version, missing permissions and concurrency controls #119

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.