chore: add sync-prs-to-linear action

[dielduarte]

The idea is to automate new PRs to linear so we can centralize all repos within a single place, in linear, we can get a lot of data and integrations, including SLAs. This is the first repo we can test, my idea later is to turn this action into a reusable action so we can just install the action into other repos if that works well. This can even become an open-source project? 👀

Rules:

• It will run every day, 10am UTC -> 7am brt time, and sync new PRs to linear issues if there are new ones. it should arrive at triage for our team.
• it ignores draft PRs
• Deduplication via Linear attachments — before creating a ticket, queries Linear for an
  existing attachment with the PR URL. If found, skips creation.
• linear-synced label on GitHub PRs — added after a ticket is created. This is the
  fast-path deduplication check (avoids hitting Linear's API for PRs already processed).
• Removed label recovery — if someone manually removes the linear-synced label, the next
  run detects the existing Linear attachment and re-adds the label instead of creating a
  duplicate ticket.
• Per-PR failure isolation — if creating a ticket fails for one PR, the loop continues
  with the rest. The failed PR retries the next day (it won't get the label until it
  succeeds).
• Manual trigger — workflow_dispatch lets you run it on-demand from the Actions tab.
• No Linear URLs posted publicly — only the linear-synced label is added to the PR; the
  Linear ticket URL is never posted as a comment

p.s:
the api key was created with just create issues permissions wich let us read/search and our team scope permission too, so it can't acces other teams workspace.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-email	Ready	Preview, Comment	May 14, 2026 6:17pm
react-email-demo	Ready	Preview, Comment	May 14, 2026 6:17pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 52db853

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cubic-dev-ai]

1 issue found across 1 file

Confidence score: 4/5

• This PR looks safe to merge overall, with only a minor hardening gap rather than a functional regression risk.
• The main issue is in .github/workflows/sync-prs-to-linear.yml: pull-requests permission is broader than needed and should be reduced to read-only, which improves least-privilege security posture.
• Given the issue is low-to-moderate severity (4/10) and highly confident but not merge-blocking for behavior, the merge risk stays low.
• Pay close attention to .github/workflows/sync-prs-to-linear.yml - tighten pull-requests to read-only to avoid unnecessary write scope.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sync-prs-to-linear.yml">

<violation number="1" location=".github/workflows/sync-prs-to-linear.yml:12">
P2: Reduce `pull-requests` permission to read-only since this workflow does not perform PR write operations.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sync-prs-to-linear.yml">

<violation number="1" location=".github/workflows/sync-prs-to-linear.yml:142">
P1: Skipping the label when attachment creation fails causes repeated duplicate Linear issue creation on subsequent runs.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Auto-approved: This change adds a new GitHub Actions workflow that syncs open PRs to Linear for tracking, using existing secrets and standard API calls, with no impact on core business logic, production infrastructure, or existing workflows, and any potential issues are isolated and recoverable.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: This PR introduces a new CI/CD workflow for synchronizing pull requests with Linear; such infrastructure changes require human verification of the automation logic and associated permission scopes.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Auto-approved: This change adds a self-contained GitHub Actions workflow to sync open PRs to Linear issues, with robust deduplication and error handling, and does not modify any core business logic, production infrastructure, or critical paths, so the blast radius is minimal and risk is low.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/sync-prs-to-linear.yml">

<violation number="1" location=".github/workflows/sync-prs-to-linear.yml:20">
P1: Pin the shared action to an immutable commit SHA instead of `@main` to prevent supply-chain drift and secret exposure risk from future branch changes.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Auto-approved: This change adds a new scheduled workflow file that syncs PRs to Linear using a pinned action with minimal permissions, and it is isolated from core business logic and production infrastructure, resulting in very low risk of breakage.}