chore: assign user to vulnerability issues

brendan-kellam · brendan-kellam · commit d5ad64c0b667 · 2026-05-13T10:56:50.000-07:00
diff --git a/.github/workflows/vulnerability-triage.yml b/.github/workflows/vulnerability-triage.yml
@@ -546,8 +546,8 @@ jobs:
           STRUCTURED_OUTPUT: ${{ steps.claude.outputs.structured_output }}
           REPOSITORY: ${{ github.repository }}
         run: |
-          # Look up the "CVE" label ID and "Triage" state ID for the team
-          METADATA_QUERY='query($teamId: String!) { team(id: $teamId) { id labels(filter: { name: { eq: "CVE" } }) { nodes { id } } states(filter: { name: { eq: "Triage" } }) { nodes { id } } } }'
+          # Look up the "CVE" label ID, "Triage" state ID, and the API key owner's user ID
+          METADATA_QUERY='query($teamId: String!) { team(id: $teamId) { id labels(filter: { name: { eq: "CVE" } }) { nodes { id } } states(filter: { name: { eq: "Triage" } }) { nodes { id } } } viewer { id } }'
           METADATA_PAYLOAD=$(jq -n --arg query "$METADATA_QUERY" --arg teamId "$LINEAR_TEAM_ID" \
             '{query: $query, variables: {teamId: $teamId}}')
           METADATA_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
@@ -559,6 +559,7 @@ jobs:
           TEAM_UUID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.id // empty')
           LABEL_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.labels.nodes[0].id // empty')
           STATE_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.team.states.nodes[0].id // empty')
+          VIEWER_ID=$(echo "$METADATA_RESPONSE" | jq -r '.data.viewer.id // empty')
 
           if [ -z "$TEAM_UUID" ]; then
             echo "::error::Could not resolve team UUID from LINEAR_TEAM_ID. Check the secret value."
@@ -571,6 +572,9 @@ jobs:
           if [ -z "$STATE_ID" ]; then
             echo "::warning::Could not find 'Triage' state in Linear team. Using default state."
           fi
+          if [ -z "$VIEWER_ID" ]; then
+            echo "::warning::Could not resolve Linear API key owner. Issues will be created unassigned."
+          fi
 
           # Map severity to Linear priority
           severity_to_priority() {
@@ -594,7 +598,7 @@ jobs:
           # Write CVEs to temp file so the while loop doesn't run in a pipe subshell
           echo "$STRUCTURED_OUTPUT" | jq -c '.cves[]' > /tmp/cves.jsonl
 
-          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String, $priority: Int, $labelIds: [String!], $stateId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId }) { success issue { id identifier url } } }'
+          MUTATION='mutation CreateIssue($teamId: String!, $title: String!, $description: String, $priority: Int, $labelIds: [String!], $stateId: String, $assigneeId: String) { issueCreate(input: { teamId: $teamId, title: $title, description: $description, priority: $priority, labelIds: $labelIds, stateId: $stateId, assigneeId: $assigneeId }) { success issue { id identifier url } } }'
 
           while IFS= read -r cve; do
             CVE_ID=$(echo "$cve" | jq -r '.cveId')
@@ -624,11 +628,14 @@ jobs:
                 continue
               fi
 
-              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!) { issueUpdate(id: $issueId, input: { stateId: $stateId }) { success issue { id identifier url } } }'
+              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!, $assigneeId: String) { issueUpdate(id: $issueId, input: { stateId: $stateId, assigneeId: $assigneeId }) { success issue { id identifier url } } }'
               REOPEN_VARIABLES=$(jq -n \
                 --arg issueId "$LINEAR_ISSUE_ID" \
                 --arg stateId "$STATE_ID" \
                 '{issueId: $issueId, stateId: $stateId}')
+              if [ -n "$VIEWER_ID" ]; then
+                REOPEN_VARIABLES=$(echo "$REOPEN_VARIABLES" | jq --arg aid "$VIEWER_ID" '. + {assigneeId: $aid}')
+              fi
               REOPEN_PAYLOAD=$(jq -n --arg query "$REOPEN_MUTATION" --argjson vars "$REOPEN_VARIABLES" '{query: $query, variables: $vars}')
 
               REOPEN_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
@@ -669,6 +676,9 @@ jobs:
             if [ -n "$STATE_ID" ]; then
               VARIABLES=$(echo "$VARIABLES" | jq --arg sid "$STATE_ID" '. + {stateId: $sid}')
             fi
+            if [ -n "$VIEWER_ID" ]; then
+              VARIABLES=$(echo "$VARIABLES" | jq --arg aid "$VIEWER_ID" '. + {assigneeId: $aid}')
+            fi
 
             PAYLOAD=$(jq -n --arg query "$MUTATION" --argjson vars "$VARIABLES" '{query: $query, variables: $vars}')
 
