feat: add stale bot and release notification workflows #42
Stale bot:
- Runs daily, marks issues/PRs as stale after 60 days of inactivity
- Auto-closes after 7 more days if no activity
- Exempts pinned, security, and bug labels
- Uses existing 'stale' label (created in PR #15)

Release notification:
- Posts to Slack when a GitHub release is published
- Requires SLACK_WEBHOOK_URL secret (skips if not configured)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| Filename | Overview |
|---|---|
| .github/workflows/release-notification.yml | New workflow that posts to Slack on release; previously-flagged script- and JSON-injection issues are addressed via env: variables, but the Slack action version tag is unpinned (P2). |
| .github/workflows/stale.yml | New stale-bot workflow with correct permissions, full message coverage, and consistent exempt labels; only remaining concern is the mutable @v9 version tag (P2). |
Sequence Diagram

```mermaid
sequenceDiagram
    participant GH as GitHub Events
    participant SW as stale.yml (cron / dispatch)
    participant RW as release-notification.yml
    participant SA as actions/stale@v9
    participant SL as Slack Webhook
    GH->>SW: schedule (daily midnight UTC) or workflow_dispatch
    SW->>SA: Run stale action
    SA-->>GH: Label issues/PRs as stale after 60d
    SA-->>GH: Close stale items after 7d
    GH->>RW: release: published
    RW->>RW: if SLACK_WEBHOOK_URL != empty, continue
    RW->>RW: Build message via env vars (TAG, RELEASE_NAME, URL)
    RW->>SL: POST payload via slackapi/slack-github-action
    SL-->>RW: 200 OK
```
Path: .github/workflows/release-notification.yml
Line: 22
Comment:
**Pin action to a commit SHA instead of a mutable version tag**
`slackapi/slack-github-action@v2.1.0` is pinned to a version tag, which can be silently moved by the upstream maintainer (intentionally or after a supply-chain compromise). GitHub's security hardening guide recommends pinning to a full commit SHA to guarantee the exact code that runs.
```suggestion
uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0
```
_(Replace with the actual commit SHA for the `v2.1.0` release.)_
---
Path: .github/workflows/stale.yml
Line: 16
Comment:
**Pin action to a commit SHA instead of a mutable version tag**
`actions/stale@v9` is a floating major-version tag. If the maintainer ever pushes a breaking change or a malicious actor gains access to the tag, the workflow will silently use different code. Pin to a specific commit SHA for reproducibility and supply-chain safety.
```suggestion
- uses: actions/stale@5bef64f19d7facfed25b8b884520294b42f96b2b
```
_(Replace with the actual commit SHA for the `v9` release you want to lock to.)_
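The two review comments above make the same point for different workflows: a tag such as `@v9` or `@v2.1.0` can be moved, a 40-hex commit SHA cannot. The following script is an added example, not code from this PR or from Greptile, that scans workflow text for `uses:` references and reports the ones that are still mutable. The sample workflow, its commit SHA and the local action path are constructed for the demonstration; the tag references mirror the kinds the review flagged.

```python
import re

# A commit SHA is 40 hex characters; anything else (tag, branch, major-version alias) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a "uses:" line, capturing the reference up to whitespace or a trailing "# v9" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample workflow (not one of the PR's files). The SHA is a made-up placeholder
# of the right shape; it is here only to show what a pinned reference looks like.
SAMPLE_WORKFLOW = """\
name: demo
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/stale@0123456789abcdef0123456789abcdef01234567  # v9
      - name: notify
        uses: slackapi/slack-github-action@v2.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""


def parse_uses(workflow_text):
    """Return (line_number, reference) for every `uses:` entry in the workflow text."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            refs.append((lineno, match.group(1)))
    return refs


def is_pinned(ref):
    """True when nobody outside the repository can change what the reference resolves to:
    a 40-hex commit SHA, a local action (it ships in the same commit as the workflow),
    or a docker image addressed by digest."""
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if "@" not in ref:
        return False  # no ref at all resolves to the action's default branch
    version = ref.rpartition("@")[2]
    return bool(SHA_RE.match(version))


def unpinned_actions(workflow_text):
    """List the (line_number, reference) pairs that still use a mutable tag, branch or image tag."""
    return [(ln, ref) for ln, ref in parse_uses(workflow_text) if not is_pinned(ref)]


if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

To run it over a real checkout, feed it the contents of each file under `.github/workflows/`. When you do pin, keep the version as a trailing comment (`@<sha>  # v9`, as in the sample) so a reader still sees which release the SHA corresponds to and dependency-update tooling has something to bump.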
Reviews (3): Last reviewed commit: "fix: pass release event data via env to ..."
…pt labels
- Fix JSON injection in Slack payload — build message in run step to avoid malformed JSON from release names with quotes
- Add close-pr-message for stale PRs — contributors get context
- Add bug to exempt-pr-labels — match issue exemptions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use env variables instead of direct ${{ }} interpolation in run block
to prevent shell injection from release names with metacharacters.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
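The two commit messages above describe the same root cause twice: a `${{ ... }}` expression is substituted into the step as raw text before the shell or the JSON literal is ever parsed, so quotes or metacharacters in a release name change the structure of what runs. Exporting the fields as environment variables keeps them as plain string values. The script below is an added example, not code from the PR (whose steps are YAML and shell), and contrasts the two patterns for the JSON payload side. The environment variable names TAG, RELEASE_NAME and URL are the ones named in the sequence diagram above; the release names and URLs are constructed.

```python
import json


def build_payload_interpolated(tag, name, url):
    """The pattern the commit replaced: release fields are pasted as raw text into a JSON literal,
    which is what `${{ github.event.release.name }}` substitution does before the step runs.
    A quote in the name terminates the string early and the rest becomes JSON structure."""
    return '{"text": "New release ' + tag + ': ' + name + ' ' + url + '"}'


def build_payload_from_env(env):
    """The hardened pattern: the workflow exports TAG, RELEASE_NAME and URL as environment
    variables, the step reads them as opaque strings, and json.dumps escapes whatever they hold."""
    text = f"New release {env['TAG']}: {env['RELEASE_NAME']} {env['URL']}"
    return json.dumps({"text": text})


def is_well_formed(payload):
    """True when the payload parses as JSON and carries exactly the one key we meant to send.
    Rejecting extra keys catches injected fields, not just syntax breakage."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and set(doc) == {"text"}


# Constructed release data (not from any real release).
BENIGN = {"TAG": "v1.2.0", "RELEASE_NAME": "Spring release",
          "URL": "https://example.invalid/releases/v1.2.0"}
# A name with unbalanced quotes: the interpolated payload becomes syntactically invalid.
QUOTED = {"TAG": "v1.3.0", "RELEASE_NAME": 'Hotfix "urgent"',
          "URL": "https://example.invalid/releases/v1.3.0"}
# A name that closes the string cleanly and adds a field: the interpolated payload stays
# valid JSON but no longer says what the workflow intended.
SMUGGLED = {"TAG": "v1.3.1", "RELEASE_NAME": 'Hotfix", "extra": "injected',
            "URL": "https://example.invalid/releases/v1.3.1"}


def compare(env):
    """Return (interpolated_ok, env_ok) for one set of release fields."""
    interpolated = build_payload_interpolated(env["TAG"], env["RELEASE_NAME"], env["URL"])
    hardened = build_payload_from_env(env)
    return is_well_formed(interpolated), is_well_formed(hardened)


if __name__ == "__main__":
    for label, env in (("benign", BENIGN), ("quoted", QUOTED), ("smuggled", SMUGGLED)):
        print(f"{label}: interpolated ok={compare(env)[0]}, env ok={compare(env)[1]}")
```

The same reasoning is why the shell side of the fix uses `env:` too: a value that arrives as an environment variable is never re-parsed by the shell, whereas a value substituted into the script text is.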
Addressed remaining Greptile P1 in c94f2d0 — release event data now passed via
What

Why

How

- Stale bot (`.github/workflows/stale.yml`): `stale` label
- Release notification (`.github/workflows/release-notification.yml`): `SLACK_WEBHOOK_URL` secret (skips gracefully if not configured)

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

Database Migrations

Env Config

- `SLACK_WEBHOOK_URL` — needs to be added as repo secret for release notifications (optional, workflow skips if not set)

Notes on Testing

Checklist

- I have read and understood the Contribution Guidelines.