-
Notifications
You must be signed in to change notification settings - Fork 201
Add workflow to close stale issues #1722
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,31 @@ | ||||||||||||||||||||||||||||
| name: Close Stale Issues | ||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||||||
| - cron: "0 0 * * *" | ||||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||
| permissions: {} | ||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||
| stale: | ||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||
| issues: write | ||||||||||||||||||||||||||||
| concurrency: | ||||||||||||||||||||||||||||
| group: stale-issues-workflow | ||||||||||||||||||||||||||||
| cancel-in-progress: false | ||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||
|
Comment on lines
+10
to
+18
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Add concurrency control to avoid overlapping stale runs. Without concurrency limits, manual dispatch can overlap with scheduled runs and produce duplicate comments/label churn. Suggested fix jobs:
stale:
+ concurrency:
+ group: stale-issues-workflow
+ cancel-in-progress: false
runs-on: ubuntu-latest
permissions:
issues: write📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.25.2)[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment (undocumented-permissions) [info] 9-9: workflow or action definition without a name (anonymous-definition): this job (anonymous-definition) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||
| - uses: actions/stale@v10 | ||||||||||||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: # Check if the stale.yml file exists and view its contents
git ls-files | grep -E "(stale|workflows)" | head -20Repository: fossas/fossa-cli Length of output: 502 🏁 Script executed: # Examine the stale.yml file
if [ -f ".github/workflows/stale.yml" ]; then
cat -n ".github/workflows/stale.yml"
else
echo "File not found"
fiRepository: fossas/fossa-cli Length of output: 1022 🌐 Web query:
💡 Result: The actions/stale v10.0.0 release is associated with commit SHA 3a9db7e [1]. This version was released on September 4, 2025, and introduced several updates, including an upgrade to Node 24 (which requires runners to be on version v2.327.1 or later) and the addition of a new sort-by option [2][3]. The full commit history between v9 and v10.0.0 is available on GitHub, where commit 3a9db7e is explicitly identified as the final commit for this release [2][1]. Citations:
🌐 Web query:
💡 Result: The full 40-character SHA hash for the commit 3a9db7e in the actions/stale repository is 3a9db7e6a41a89f618792c92c0e97cc736e1b13f [1]. This commit was authored by salmanmkc and merged on September 3, 2025, as part of Pull Request Citations: 🏁 Script executed: # Try to find the full commit SHA for actions/stale v10
python3 - <<'PY'
# The shortened SHA from web search is 3a9db7e
# GitHub commit SHAs are 40 characters long
# The full SHA for 3a9db7e would typically be available via GitHub API or release tags
# For now, document what we know
import requests
try:
# Query GitHub API for the stale action release tag v10.0.0
response = requests.get('https://api.github.com/repos/actions/stale/releases/tags/v10.0.0')
if response.status_code == 200:
data = response.json()
# Look for the target_commitish which should be the full SHA
print(f"Tag Name: {data.get('tag_name')}")
print(f"Target Commitish: {data.get('target_commitish')}")
print(f"Published At: {data.get('published_at')}")
else:
print(f"HTTP {response.status_code}")
except Exception as e:
print(f"Error: {e}")
PYRepository: fossas/fossa-cli Length of output: 69 Pin Line 15 uses a mutable tag ( Suggested fix- - uses: actions/stale@v10
+ - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0📝 Committable suggestion
Suggested change
🧰 Tools🪛 zizmor (1.25.2)[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||
| repo-token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||
| days-before-issue-stale: 21 | ||||||||||||||||||||||||||||
| days-before-issue-close: 7 | ||||||||||||||||||||||||||||
| stale-issue-message: "This issue has been marked stale because it has had no activity for 21 days. It will be closed in 7 days if no further activity occurs." | ||||||||||||||||||||||||||||
| close-issue-message: "This issue has been automatically closed because it has had no activity for 7 days since being marked stale." | ||||||||||||||||||||||||||||
| stale-issue-label: "stale" | ||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||
| # Don't auto-close PRs | ||||||||||||||||||||||||||||
| days-before-pr-stale: -1 | ||||||||||||||||||||||||||||
| days-before-pr-close: -1 | ||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Set default-deny token permissions at workflow scope.
Add
permissions: {}at the workflow level, then keep the job-scopedissues: write. This prevents accidental broad token grants if additional jobs are added later.Suggested fix
on: schedule: - cron: "0 0 * * *" workflow_dispatch: +permissions: {} + jobs: stale: runs-on: ubuntu-latest permissions: issues: write📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 9-9: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Source: Linters/SAST tools