feat: Add Linear integration

[Andrew-127]

Implements #2485

Description

This PR implements the Linear integration for SuperPlane with 2 components:

• OnIssueCreated (trigger): Activates workflows when Linear issues are created, with optional filtering by team and/or labels. Uses Linear webhooks with HMAC-SHA256 signature verification.
• CreateIssue (action): Creates new Linear issues with configurable team, title, description, assignee, labels, priority, and status fields.

Authentication is via personal API token, which users can generate in Linear at Settings > API > Personal API keys. The integration uses Linear's GraphQL API exclusively for all operations (teams, labels, issue creation, webhook management).

On setup, the integration syncs available teams and labels from Linear, which are then used to populate resource pickers in the UI.

Changes

Backend (pkg/integrations/linear/)

• linear.go — Integration entry point, API token auth, metadata sync (teams/labels)
• client.go — GraphQL API client (viewer, teams, labels, issue create, webhook create/delete)
• common.go — Shared data models (Team, Label, Issue)
• on_issue_created.go — Webhook-based trigger with team/label filtering
• create_issue.go — Issue creation action with full field support
• webhook_handler.go — Webhook lifecycle (setup, config comparison, cleanup)
• list_resources.go — Resource discovery for UI pickers
• example.go — Embedded example payloads

Frontend (web_src/src/pages/workflowv2/mappers/linear/)

• Trigger renderer and component mapper following existing patterns
• Icon and sidebar registration

Docs

• docs/components/Linear.mdx — Generated component documentation

Tests

• linear_test.go — Integration sync (missing token, invalid creds, successful sync)
• client_test.go — Client creation and API calls
• create_issue_test.go — Setup validation and execution
• on_issue_created_test.go — Signature verification, event filtering, webhook setup
• webhook_handler_test.go — Config comparison logic

[video-demo]

[zekebawt]

🤖 Claiming this bounty! Will implement Linear integration with OnIssueCreated trigger and CreateIssue action. ETA: 2-3 hours.

[AleksandarCole]

@brainstormingdev-super Looks good overall and works as expected. Here are some small UX changes we need to address before we move to code review:

• createIssue uses wrong input fields for title/description/assignee - they are the expression fields that filter/if use, but instead they should be input with expression supported like Wait for in the wait component for example.
• Let's clean up the details tab for both components - it should show timestamp at the top (Created at:) also, let's remove things like TeamID, StateID, or IDs in general. In the create issue details tab, make sure to include link to the issue - like what we have in onIssueCreated.

[Andrew-127]

@AleksandarCole I’ve improved the UX. Please take a look at the video demo below.
video demo

[AleksandarCole]

@brainstormingdev-super looks good - moved to code review.

[shiroyasha]

Hey @brainstormingdev-super, tried it out, works good.

When looking at Linear, OAuth seems to be the default way to integrate with the system.
Why did you decide to go with the personal API key?

I see two big problems with Personal API key vs OAuth:

1/ When you create an issue with personal keys, the creator is the Personal Key's owner. With OAuth the creator of the issue can be a SuperPlaneBot which is more natural for integrations and workflow automations.
2/ When the user leaves the organization, the SuperPlane automation will no longer work.

cc @AleksandarCole

Returning to stage-2

[lucaspin]

@AleksandarCole I don't think we should have a onIssueCreated trigger. Instead, we should have a onIssue trigger, that allows you select the action you're interested in (create, close, deleted, ...). This pattern is already used in the github.onIssue and gitlab.onIssue

[forestileao]

Minor concern: if hasNextPage stays true and endCursor doesn’t change (e.g., due to an API inconsistency or pagination bug), this could loop forever. Maybe add a cursor-change check or safety cap?

[shiroyasha]

@brainstormingdev-super please review this, sounds serious.

[Andrew-127]

@shiroyasha it is already fixed in updated push.
But I will make it more robust

[forestileao]

I don't think this is the data that appears on trigger payload (in the sidebar event). Check it and replace it here with mocked data

[Andrew-127]

@forestileao fixed them, please review again

[shiroyasha]

No need for this nil check.

[Andrew-127]

@shiroyasha removed unused nil check

[shiroyasha]

@brainstormingdev-super do we need this? It seems that it is not doing anything.

You can register integrations without a webhook handler, if you don't need it.

[Andrew-127]

@shiroyasha yep, good catch. I will remove it

[cursor]

Parameter presence check allows partial resolution

Low Severity

The hasRequiredParameters check verifies that at least one parameter from resourceParameters is resolved (Object.keys(...).length > 0), but doesn't verify that all required parameters are resolved. For fields that depend on multiple parameters (e.g., AWS CodeArtifact's repository field depending on both region and domain), resolving only one would allow the fetch to proceed with incomplete parameters. Currently mitigated by VisibilityConditions on existing multi-parameter fields, but the logic doesn't match the comment's stated intent of checking that "those params are present."

 

[shiroyasha]

@brainstormingdev-super the code looks good. You did good given how complex this UX flow is. Contact @AleksandarCole to collect your bounty.

---

On the superplane team's side, when I reviewed it with fresh eyes,
I really hate the UX flow. This is a deeper problem in the SuperPlane
application.

@AleksandarCole @ropsii have scheduled a session to solve it on Monday.
Returning it to stage-2/3 until we have it solved.

They will take over and continue with this PR.

[omarsoufiane]

@Andrew-127 Hello, I'm from bountyhub,
can you setup you payment information from bountyhub's dashboard? click on connnect stripe from dashboard/get-paid
it's not a regular stripe account that you'll use on a website, it's a connected account.
we use paypal only if it's not available in your country

[cursor]

Refresh failure clears valid tokens forcing re-authorization

Medium Severity

When refreshToken encounters any error (including transient network blips or temporary Linear API outages), both OAuthAccessToken and OAuthRefreshToken are immediately cleared. The old access token likely remains valid for hours, but destroying it forces the user through a full OAuth re-authorization flow. A brief Linear API hiccup would break the integration for all users until they manually re-authorize.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 4 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Cursor sync leaves stale ready state

Medium Severity

Cursor.Sync() now returns nil when both LaunchAgentKey and AdminKey are empty, but it also doesn’t set any “pending/error” state. If credentials are removed after the integration was previously ready, this early return can leave a stale ready status even though the integration can no longer authenticate.

 

[cursor]

Linear webhook/callback URLs may be malformed

High Severity

Linear.Sync() builds callbackURL/webhookURL using fmt.Sprintf(... "%s", ctx.Integration.ID()). If ctx.Integration.ID() is not already a string (commonly a UUID type), %s formatting can produce an invalid URL (e.g., %!s(...)), breaking OAuth redirects and webhook delivery.

 

[cursor]

Linear signature verification likely mismatches header format

Medium Severity

handleWebhookEvent() compares the Linear-Signature header directly to a raw hex digest string. If Linear prefixes/encodes the signature (e.g., sha256= prefix or non-hex encoding), verification will always fail and all webhooks will be rejected; conversely, if the expected format includes a prefix, the current check doesn’t enforce it.

 

[cursor]

CopyableCode can throw unhandled clipboard errors

Low Severity

CopyableCode calls navigator.clipboard.writeText(text) without await/catch. In browsers where the Clipboard API is unavailable or blocked (permissions/HTTP/non-focus), this can raise an unhandled promise rejection and break interaction.

 

[superplanehq-integration]

Your SuperPlane environment was created but the health check failed (exit code: 7).

URL: http://3000-cfd33153-be78-43be-9de2-874b9cae76cf.proxy.daytona.works
Sandbox ID: cfd33153-be78-43be-9de2-874b9cae76cf
PR: #3041

The sandbox is still running. You can try accessing the URL manually.
This environment will auto-stop after 60 minutes.

[lucaspin]

What if I want to install on my personal account? Is that not possible anymore?

[superplanehq-integration]

Your SuperPlane environment was created but the health check failed (exit code: 7).

URL: http://3000-8d479e63-105b-4b1c-a953-d6a9cc1625a9.proxy.daytona.works
Sandbox ID: 8d479e63-105b-4b1c-a953-d6a9cc1625a9
PR: #3041

The sandbox is still running. You can try accessing the URL manually.
This environment will auto-stop after 60 minutes.