From a7cd5f767c4cdb1fd5b78a90af17704730faf767 Mon Sep 17 00:00:00 2001 From: abhizipstack Date: Mon, 6 Apr 2026 14:55:08 +0530 Subject: [PATCH 1/3] feat: add stale bot and release notification workflows Stale bot: - Runs daily, marks issues/PRs as stale after 60 days of inactivity - Auto-closes after 7 more days if no activity - Exempts pinned, security, and bug labels - Uses existing 'stale' label (created in PR #15) Release notification: - Posts to Slack when a GitHub release is published - Requires SLACK_WEBHOOK_URL secret (skips if not configured) Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-notification.yml | 20 ++++++++++++ .github/workflows/stale.yml | 36 ++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 .github/workflows/release-notification.yml create mode 100644 .github/workflows/stale.yml
diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml
new file mode 100644
index 0000000..a6bc072
--- /dev/null
+++ b/.github/workflows/release-notification.yml
@@ -0,0 +1,20 @@
+name: Release Notification
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ if: ${{ secrets.SLACK_WEBHOOK_URL != '' }}
+ steps:
+ - name: Post to Slack
+ uses: slackapi/slack-github-action@v2.1.0
+ with:
+ webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+ webhook-type: incoming-webhook
+ payload: |
+ {
+ "text": "🚀 *Visitran ${{ github.event.release.tag_name }}* released!\n\n${{ github.event.release.name }}\n\n<${{ github.event.release.html_url }}|View Release Notes>"
+ }
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..47d156a
--- /dev/null
+++ b/.github/workflows/stale.yml
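Review bot: In `.github/workflows/release-notification.yml` (patch 1/3), the job-level guard `if: ${{ secrets.SLACK_WEBHOOK_URL != '' }}` reads the `secrets` context, which GitHub documents as unavailable in `jobs.<job_id>.if` and in step-level `if`, so the workflow is likely to be rejected when it is loaded rather than skipped when the secret is unset. Patch 2/3 carries the line unchanged as context and patch 3/3 does not touch it. Map the secret into the job's `env:` as `SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}` and guard the Post to Slack step with `if: ${{ env.SLACK_WEBHOOK_URL != '' }}` instead. The job also declares no `permissions:` block; since it only posts to a webhook, `permissions: {}` would remove the default `GITHUB_TOKEN` scopes.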
@@ -0,0 +1,36 @@
+name: Stale Issues and PRs
+
+on:
+ schedule:
+ - cron: "0 0 * * *" # Daily midnight UTC
+ workflow_dispatch:
+
+permissions:
+ issues: write
+ pull-requests: write
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/stale@v9
+ with:
+ stale-issue-message: >
+ This issue has been automatically marked as stale due to
+ inactivity. It will be closed in 7 days if no further
+ activity occurs. If this issue is still relevant, please
+ comment to keep it open.
+ stale-pr-message: >
+ This pull request has been automatically marked as stale
+ due to inactivity. It will be closed in 7 days if no
+ further activity occurs.
+ close-issue-message: >
+ This issue was closed because it has been inactive for
+ too long. Feel free to reopen if it is still relevant.
+ stale-issue-label: "stale"
+ stale-pr-label: "stale"
+ days-before-stale: 60
+ days-before-close: 7
+ exempt-issue-labels: "pinned,security,bug"
+ exempt-pr-labels: "pinned,security"
+ exempt-all-milestones: true
From a7a05c5cb276b21477e6fef082be6100fb466162 Mon Sep 17 00:00:00 2001 From: abhizipstack Date: Mon, 6 Apr 2026 15:02:07 +0530 Subject: [PATCH 2/3] =?UTF-8?q?fix:=20address=20Greptile=20review=20?= =?UTF-8?q?=E2=80=94=20JSON=20injection,=20close-pr-message,=20exempt=20la?= =?UTF-8?q?bels?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix JSON injection in Slack payload — build message in run step to avoid malformed JSON from release names with quotes - Add close-pr-message for stale PRs — contributors get context - Add bug to exempt-pr-labels — match issue exemptions Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-notification.yml | 10 +++++++++- .github/workflows/stale.yml | 5 ++++- 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml
index a6bc072..1fc86d1 100644
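Review bot: In `.github/workflows/stale.yml` (patch 1/3), `uses: actions/stale@v9` references a mutable tag while the workflow grants `issues: write` and `pull-requests: write`, so whatever commit the tag points to at run time executes with those scopes. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/stale@<full-commit-sha> # v9` (placeholder; take the SHA from the release that was reviewed). The same applies to `slackapi/slack-github-action@v2.1.0` in release-notification.yml, which is handed the Slack webhook secret. A one-line comment above `exempt-issue-labels` stating that only issues already carrying one of those labels are protected from auto-close would also help whoever triages new reports.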
--- a/.github/workflows/release-notification.yml +++ b/.github/workflows/release-notification.yml @@ -9,6 +9,14 @@ jobs: runs-on: ubuntu-latest if: ${{ secrets.SLACK_WEBHOOK_URL != '' }} steps: + - name: Build Slack message + id: message + run: | + TAG="${{ github.event.release.tag_name }}" + NAME=$(echo '${{ toJSON(github.event.release.name) }}' | jq -r '.') + URL="${{ github.event.release.html_url }}" + echo "text=🚀 *Visitran ${TAG}* released! ${NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT" + - name: Post to Slack uses: slackapi/slack-github-action@v2.1.0 with: @@ -16,5 +24,5 @@ jobs: webhook-type: incoming-webhook payload: | { - "text": "🚀 *Visitran ${{ github.event.release.tag_name }}* released!\n\n${{ github.event.release.name }}\n\n<${{ github.event.release.html_url }}|View Release Notes>" + "text": "${{ steps.message.outputs.text }}" } diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 47d156a..0e13577 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -27,10 +27,13 @@ jobs: close-issue-message: > This issue was closed because it has been inactive for too long. Feel free to reopen if it is still relevant. + close-pr-message: > + This pull request was closed because it has been inactive + for too long. Feel free to reopen if it is still relevant. stale-issue-label: "stale" stale-pr-label: "stale" days-before-stale: 60 days-before-close: 7 exempt-issue-labels: "pinned,security,bug" - exempt-pr-labels: "pinned,security" + exempt-pr-labels: "pinned,security,bug" exempt-all-milestones: true From c94f2d028bf73aef64de22d944cf55962e4a18e0 Mon Sep 17 00:00:00 2001 
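Review bot: The Slack `payload` in the `@@ -16,5 +24,5 @@` hunk of release-notification.yml still places release-controlled text inside a JSON string literal: `"text": "${{ steps.message.outputs.text }}"` is expanded by Actions before the JSON is parsed, so a release name containing `"` or `\` produces malformed JSON or changes the payload structure, which is the problem the commit message says it fixes. The `jq -r '.'` in the new Build Slack message step decodes the `toJSON` escaping again, so the step output is the raw name. Let the expression do the encoding at the point of use and drop the surrounding quotes: `"text": ${{ toJSON(steps.message.outputs.text) }}`. The step and job definitions continue outside the hunk.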
From: abhizipstack Date: Wed, 8 Apr 2026 11:59:41 +0530 Subject: [PATCH 3/3] fix: pass release event data via env to prevent script injection Use env variables instead of direct ${{ }} interpolation in run block to prevent shell injection from release names with metacharacters. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release-notification.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-notification.yml b/.github/workflows/release-notification.yml index 1fc86d1..1987b1a 100644 --- a/.github/workflows/release-notification.yml +++ b/.github/workflows/release-notification.yml @@ -11,11 +11,12 @@ jobs: steps: - name: Build Slack message id: message + env: + TAG: ${{ github.event.release.tag_name }} + RELEASE_NAME: ${{ github.event.release.name }} + URL: ${{ github.event.release.html_url }} run: | - TAG="${{ github.event.release.tag_name }}" - NAME=$(echo '${{ toJSON(github.event.release.name) }}' | jq -r '.') - URL="${{ github.event.release.html_url }}" - echo "text=🚀 *Visitran ${TAG}* released! ${NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT" + echo "text=🚀 *Visitran ${TAG}* released! ${RELEASE_NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT" - name: Post to Slack uses: slackapi/slack-github-action@v2.1.0
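Review bot: The `echo "text=… ${RELEASE_NAME} …" >> "$GITHUB_OUTPUT"` line writes free-form release text into a line-oriented `key=value` file, so a release name containing a line break could truncate the message or define additional step outputs. Passing the fields through `env:` removes the shell-interpolation problem, but the output file format is still newline-sensitive; publishing a release needs write access, so this is mainly hardening. Flatten the value before writing, e.g. `RELEASE_NAME=${RELEASE_NAME//[$'\r\n']/ }` ahead of the `echo`, or use the `name<<DELIMITER` multi-line output form. A short comment above `env:` such as `# Event fields go through env; never expand ${{ github.event.* }} inside run:` would keep later edits from undoing the fix. The Post to Slack step that consumes the output continues past the end of the hunk.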