
chore: Add JIRA sync workflow#89

Open
andrecastillo wants to merge 1 commit into main from chore/add-jira-sync-workflow

Conversation

@andrecastillo
Contributor

Adds the shared JIRA sync workflow from flume/github-actions. This automatically syncs PR lifecycle events to JIRA: status transitions (Build/QA/Done) and description sync (PR description → JIRA ticket).

Add reusable workflow from flume/github-actions that syncs PR lifecycle
events to JIRA (status transitions and description sync).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@andrecastillo andrecastillo requested a review from caseyh as a code owner March 11, 2026 20:13
Copilot AI review requested due to automatic review settings March 11, 2026 20:13
Comment on lines +14 to +15
uses: flume/github-actions/.github/workflows/jira-sync.yml@main
secrets: inherit

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 days ago

To fix the problem, explicitly declare permissions for the workflow or for the jira-sync job so that the GITHUB_TOKEN is restricted to the minimal necessary access. Since this workflow solely delegates to a reusable workflow and we do not see it performing any direct repository operations itself, a safe default is to set contents: read at the top level. This documents that the workflow only needs read access to repository contents (and lets the called reusable workflow further refine permissions if needed).

The best minimal change without altering existing functionality is to add a root-level permissions block between the on: block and the jobs: block. For example, in .github/workflows/jira-sync.yml, after line 10 or 11, add:

permissions:
  contents: read

This will apply to all jobs (here, just jira-sync) which do not have their own permissions block, and will satisfy the CodeQL rule while following the principle of least privilege. No imports or additional methods are needed since this is a YAML configuration change only.

Suggested changeset 1
.github/workflows/jira-sync.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/jira-sync.yml b/.github/workflows/jira-sync.yml
--- a/.github/workflows/jira-sync.yml
+++ b/.github/workflows/jira-sync.yml
@@ -9,6 +9,9 @@
       - converted_to_draft
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   jira-sync:
     uses: flume/github-actions/.github/workflows/jira-sync.yml@main
EOF
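Review bot: `contents: read` on its own is probably too restrictive for this caller, because the GITHUB_TOKEN a reusable workflow receives is capped by what the calling workflow grants. The `uses:` context line shows the job delegates to `flume/github-actions/.github/workflows/jira-sync.yml`, and the PR description says that workflow mirrors PR status and descriptions into JIRA, so it most likely needs `pull-requests: read` (or `write`) as well; with only `contents: read` those API calls could start failing with 403. Check the called workflow's own `permissions:` block and grant the matching minimum here, e.g. `permissions:` / `  contents: read` / `  pull-requests: read`.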

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions workflow to automatically sync pull request events to JIRA by delegating execution to a reusable workflow in flume/github-actions.

Changes:

  • Introduces a new jira-sync.yml workflow.
  • Triggers JIRA sync on key pull_request lifecycle events (opened/edited/draft transitions/closed).
  • Calls a reusable workflow (flume/github-actions/.github/workflows/jira-sync.yml), inheriting secrets.



jobs:
jira-sync:
uses: flume/github-actions/.github/workflows/jira-sync.yml@main

Copilot AI Mar 11, 2026


The reusable workflow is referenced with @main, which is mutable and can change behavior (or be compromised) without a change in this repo. Pin the workflow to an immutable ref (commit SHA, or at least a version tag) to improve supply-chain security and reproducibility.

Suggested change
uses: flume/github-actions/.github/workflows/jira-sync.yml@main
uses: flume/github-actions/.github/workflows/jira-sync.yml@v1

jobs:
jira-sync:
uses: flume/github-actions/.github/workflows/jira-sync.yml@main
secrets: inherit

Copilot AI Mar 11, 2026


secrets: inherit forwards all repository/environment secrets to the called workflow. That increases blast radius if the reusable workflow is modified or if it doesn't strictly limit what it logs/exports. Prefer explicitly passing only the required secrets, or ensure the reusable workflow is in the same repo and pinned to an immutable ref.

Suggested change
secrets: inherit
secrets:
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- closed

jobs:
jira-sync:

Copilot AI Mar 11, 2026


This workflow doesn't set explicit permissions. By default the GITHUB_TOKEN permissions can be broader than necessary depending on org/repo settings, and those permissions may carry into the called reusable workflow. Define minimal required permissions (e.g., contents: read plus only what JIRA sync needs such as pull-requests: read/write) at the workflow or job level.

Suggested change
jira-sync:
jira-sync:
permissions:
contents: read
pull-requests: write

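As an added example (not part of this PR, the autofix, or the Copilot review), a stdlib-only Python audit of a caller workflow for the three points raised in the review above: a `uses:` reference not pinned to a full commit SHA, `secrets: inherit`, and a missing `permissions:` block. The caller file is reconstructed from the lines visible in this PR; its `on:` event list, and the hardened variant's placeholder SHA and `pull-requests: read` grant, are assumptions.

```python
import re

# Caller workflow reconstructed from the lines visible in this PR; the event
# list under `on:` is an assumption (constructed sample, not the real file).
CALLER_WORKFLOW = """\
on:
  pull_request:
    types: [opened, edited, converted_to_draft, closed]

jobs:
  jira-sync:
    uses: flume/github-actions/.github/workflows/jira-sync.yml@main
    secrets: inherit
"""

# The same caller with all three review suggestions applied. The 40-hex ref
# is a placeholder, not a real commit of flume/github-actions.
HARDENED_WORKFLOW = (
    CALLER_WORKFLOW
    .replace("jobs:", "permissions:\n  contents: read\n  pull-requests: read\n\njobs:")
    .replace("@main", "@" + "0" * 40)
    .replace("    secrets: inherit\n",
             "    secrets:\n      JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}\n")
)

USES_RE = re.compile(r"^\s*uses:\s*([^\s@]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per problem, in file order; an empty list means clean."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.match(r"^\s*permissions:", line):
            has_permissions = True  # a workflow- or job-level block both count
        m = USES_RE.match(line)
        # Local paths and docker:// references carry no "@ref" and never match.
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)} uses mutable ref "
                            f"@{m.group(2)}; pin to a full commit SHA")
        if re.match(r"^\s*secrets:\s*inherit\s*$", line):
            findings.append(f"line {lineno}: 'secrets: inherit' forwards every "
                            "secret; pass only what the called workflow needs")
    if not has_permissions:
        findings.append("no permissions: block; GITHUB_TOKEN gets the repo default")
    return findings
```

`audit_workflow(CALLER_WORKFLOW)` returns three findings for the workflow as proposed and an empty list for `HARDENED_WORKFLOW`.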
@flume-bot

flume-bot commented Mar 11, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues

