Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: Close Stale Issues

on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:

permissions: {}

jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
concurrency:
group: stale-issues-workflow
cancel-in-progress: false

Comment on lines +3 to +18

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set default-deny token permissions at workflow scope.

Add permissions: {} at the workflow level, then keep the job-scoped issues: write. This prevents accidental broad token grants if additional jobs are added later.

Suggested fix
 on:
   schedule:
     - cron: "0 0 * * *"
   workflow_dispatch:

+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest
     permissions:
       issues: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
permissions: {}
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 9-9: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)


[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/stale.yml around lines 3 - 13, Add a default-deny
permissions block at the workflow level by inserting `permissions: {}` after the
`on:` section and before the `jobs:` section, while keeping the existing
`permissions: issues: write` at the job level under the `stale` job. This
ensures that if additional jobs are added to this workflow in the future, they
will not have unintended token permissions by default.

Source: Linters/SAST tools

Comment on lines +10 to +18

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add concurrency control to avoid overlapping stale runs.

Without concurrency limits, manual dispatch can overlap with scheduled runs and produce duplicate comments/label churn.

Suggested fix
 jobs:
   stale:
+    concurrency:
+      group: stale-issues-workflow
+      cancel-in-progress: false
     runs-on: ubuntu-latest
     permissions:
       issues: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
jobs:
stale:
concurrency:
group: stale-issues-workflow
cancel-in-progress: false
runs-on: ubuntu-latest
permissions:
issues: write
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment

(undocumented-permissions)


[info] 9-9: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/stale.yml around lines 8 - 13, The stale job lacks
concurrency control, allowing manual dispatches to overlap with scheduled runs
and cause duplicate comments or label churn. Add a concurrency section to the
stale job that groups all runs under a single key (such as using github.workflow
or a static string) with cancel-in-progress set to true to ensure only one run
executes at a time and any in-progress run is cancelled when a new one starts.

Source: Linters/SAST tools

steps:
- uses: actions/stale@v10

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the stale.yml file exists and view its contents
git ls-files | grep -E "(stale|workflows)" | head -20

Repository: fossas/fossa-cli

Length of output: 502


🏁 Script executed:

# Examine the stale.yml file
if [ -f ".github/workflows/stale.yml" ]; then
  cat -n ".github/workflows/stale.yml"
else
  echo "File not found"
fi

Repository: fossas/fossa-cli

Length of output: 1022


🌐 Web query:

actions/stale v10 full commit SHA github actions

💡 Result:

The actions/stale v10.0.0 release is associated with commit SHA 3a9db7e [1]. This version was released on September 4, 2025, and introduced several updates, including an upgrade to Node 24 (which requires runners to be on version v2.327.1 or later) and the addition of a new sort-by option [2][3]. The full commit history between v9 and v10.0.0 is available on GitHub, where commit 3a9db7e is explicitly identified as the final commit for this release [2][1].

Citations:


🌐 Web query:

actions/stale commit SHA 3a9db7e full 40 character hash

💡 Result:

The full 40-character SHA hash for the commit 3a9db7e in the actions/stale repository is 3a9db7e6a41a89f618792c92c0e97cc736e1b13f [1]. This commit was authored by salmanmkc and merged on September 3, 2025, as part of Pull Request #1279, which upgraded the action to use Node.js 24 [1][2].

Citations:


🏁 Script executed:

# Try to find the full commit SHA for actions/stale v10
python3 - <<'PY'
# The shortened SHA from web search is 3a9db7e
# GitHub commit SHAs are 40 characters long
# The full SHA for 3a9db7e would typically be available via GitHub API or release tags
# For now, document what we know
import requests

try:
    # Query GitHub API for the stale action release tag v10.0.0
    response = requests.get('https://api.github.com/repos/actions/stale/releases/tags/v10.0.0')
    if response.status_code == 200:
        data = response.json()
        # Look for the target_commitish which should be the full SHA
        print(f"Tag Name: {data.get('tag_name')}")
        print(f"Target Commitish: {data.get('target_commitish')}")
        print(f"Published At: {data.get('published_at')}")
    else:
        print(f"HTTP {response.status_code}")
except Exception as e:
    print(f"Error: {e}")
PY

Repository: fossas/fossa-cli

Length of output: 69


Pin actions/stale to a full commit SHA.

Line 15 uses a mutable tag (v10), which is a supply-chain risk and violates strict action pinning policies.

Suggested fix
-    - uses: actions/stale@v10
+    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/stale@v10
- uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
🧰 Tools
🪛 zizmor (1.25.2)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/stale.yml at line 15, The uses statement for actions/stale
is currently pinned to a mutable tag v10, which poses a supply-chain security
risk. Replace the mutable tag v10 with a full commit SHA to ensure the workflow
always uses a specific, immutable version of the action. Look up the full commit
SHA that corresponds to the v10 release on the actions/stale GitHub repository
and update the uses directive to reference that SHA instead of the tag.

Source: Linters/SAST tools

with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
days-before-issue-stale: 21
days-before-issue-close: 7
stale-issue-message: "This issue has been marked stale because it has had no activity for 21 days. It will be closed in 7 days if no further activity occurs."
close-issue-message: "This issue has been automatically closed because it has had no activity for 7 days since being marked stale."
stale-issue-label: "stale"

# Don't auto-close PRs
days-before-pr-stale: -1
days-before-pr-close: -1
Loading