-
Notifications
You must be signed in to change notification settings - Fork 4
Project Status Sync
This page documents how our project-status.yml workflow works at the org level, how the GitHub App that powers it was created, and how to maintain or update it.
It supports automatic status transitions on our org-wide project board (Project #14).
This automation is powered by:
| Component | Purpose |
|---|---|
| GitHub App | Provides a secure, short-lived org token for automation |
| Project Status Workflow | Sets the correct board status for Issues and Pull Requests |
| Project v2 GraphQL API | Allows updating Status fields programmatically |
The workflow cannot run with personal tokens and cannot run with standard repo secrets β it requires a GitHub App with org-level permissions.
The app must be created at the organization level, not per-repo.
| Category | Permission |
|---|---|
| Repository Permissions | Contents: Read, Metadata: Read |
| Organization Permissions | Projects: Read/Write, Members: Read |
| User Permissions | None required |
The critical permission is Org Projects: Read/Write, which is required to update Project v2 fields.
The GitHub App does not need a webhook URL for this workflow.
It is used only to generate tokens for GitHub Actions.
After creation, install it to the entire organization.
This gives the app access to read/write our shared org project board.
Each repo using this automation must define:
| Secret Name | What It Stores |
|---|---|
APP_PEM |
PEM private key downloaded from the GitHub App |
Only owners or approved maintainers should add this secret.
| Variable Name | What It Stores |
|---|---|
APP_ID |
The GitHub Appβs numeric ID (found on app settings page) |
This is a variable, not a secret β it is not sensitive.
The workflow references our org board:
| Variable | Value |
|---|---|
PROJECT_NUMBER |
14 |
We do not store this as a secret or variable yet β board number is hardcoded and may be changed later.
A short-lived authentication token is created with:
uses: actions/create-github-app-token@v2This produces a token valid for about 10 minutes.
It grants permission to update Project v2 fields securely.
GraphQL API calls are then executed using:
gh api graphqlThese calls:
- Fetch project/field IDs
- Add/remove items
- Update Status field values
If authentication fails, no project updates are possible, which is expected behavior.
The workflow listens for:
| Event Type | Examples |
|---|---|
| Issue Events | opened, assigned, closed, reopened |
| Pull Request Events | opened, ready, draft, closed, merged |
| Review Events | changes requested |
It translates these into board statuses:
| Event | Status |
|---|---|
| Issue opened | Backlog |
| Issue assigned | In Progress |
| PR opened (not draft) | In Review |
| PR draft created or re-drafted | In Progress |
| Changes requested | Blocked |
| PR merged | Done |
| PR closed without merging | REMOVE from board |
β Removal happens only when PRs close without merging to prevent clutter.
Update if:
- Status column names change
- New columns are added/removed
- Project number changes
- GitHub App permissions change
| Task | Who Can Do It |
|---|---|
| Rotate App PEM Keys | Org Owner only |
| Add/remove workflow in repos | Maintainer or Owner |
| Update status labels | Instructor or Maintainer |
| Clean orphaned board items | Maintainer |
| Problem | Cause | Fix |
|---|---|---|
Missing STATUS_FIELD_ID
|
Board renamed | Update board or workflow |
| Token forbidden | App not installed org-wide | Reinstall |
| Removal fails | Item never added | Safe to ignore |
| GraphQL field missing | GitHub API changed | Rerun query & update |
Home β’ New Student Onboarding β’ Guides β’ Projects β’ Code of Conduct β’ FAQ
Last updated: 12/7/2025