Add workflow to close stale issues#1722
Conversation
WalkthroughA new GitHub Actions workflow file ( 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/stale.yml:
- Around line 3-13: Add a default-deny permissions block at the workflow level
by inserting `permissions: {}` after the `on:` section and before the `jobs:`
section, while keeping the existing `permissions: issues: write` at the job
level under the `stale` job. This ensures that if additional jobs are added to
this workflow in the future, they will not have unintended token permissions by
default.
- Around line 8-13: The stale job lacks concurrency control, allowing manual
dispatches to overlap with scheduled runs and cause duplicate comments or label
churn. Add a concurrency section to the stale job that groups all runs under a
single key (such as using github.workflow or a static string) with
cancel-in-progress set to true to ensure only one run executes at a time and any
in-progress run is cancelled when a new one starts.
- Line 15: The uses statement for actions/stale is currently pinned to a mutable
tag v10, which poses a supply-chain security risk. Replace the mutable tag v10
with a full commit SHA to ensure the workflow always uses a specific, immutable
version of the action. Look up the full commit SHA that corresponds to the v10
release on the actions/stale GitHub repository and update the uses directive to
reference that SHA instead of the tag.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: e334291e-0c4a-4899-b0ca-8cac8e0e22d7
📒 Files selected for processing (1)
.github/workflows/stale.yml
| on: | ||
| schedule: | ||
| - cron: "0 0 * * *" | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| stale: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| issues: write | ||
|
|
There was a problem hiding this comment.
Set default-deny token permissions at workflow scope.
Add permissions: {} at the workflow level, then keep the job-scoped issues: write. This prevents accidental broad token grants if additional jobs are added later.
Suggested fix
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
+permissions: {}
+
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| jobs: | |
| stale: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| on: | |
| schedule: | |
| - cron: "0 0 * * *" | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| stale: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 9-9: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
[warning] 3-6: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/stale.yml around lines 3 - 13, Add a default-deny
permissions block at the workflow level by inserting `permissions: {}` after the
`on:` section and before the `jobs:` section, while keeping the existing
`permissions: issues: write` at the job level under the `stale` job. This
ensures that if additional jobs are added to this workflow in the future, they
will not have unintended token permissions by default.
Source: Linters/SAST tools
| jobs: | ||
| stale: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| issues: write | ||
|
|
There was a problem hiding this comment.
Add concurrency control to avoid overlapping stale runs.
Without concurrency limits, manual dispatch can overlap with scheduled runs and produce duplicate comments/label churn.
Suggested fix
jobs:
stale:
+ concurrency:
+ group: stale-issues-workflow
+ cancel-in-progress: false
runs-on: ubuntu-latest
permissions:
issues: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| jobs: | |
| stale: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| jobs: | |
| stale: | |
| concurrency: | |
| group: stale-issues-workflow | |
| cancel-in-progress: false | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 12-12: permissions without explanatory comments (undocumented-permissions): needs an explanatory comment
(undocumented-permissions)
[info] 9-9: workflow or action definition without a name (anonymous-definition): this job
(anonymous-definition)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/stale.yml around lines 8 - 13, The stale job lacks
concurrency control, allowing manual dispatches to overlap with scheduled runs
and cause duplicate comments or label churn. Add a concurrency section to the
stale job that groups all runs under a single key (such as using github.workflow
or a static string) with cancel-in-progress set to true to ensure only one run
executes at a time and any in-progress run is cancelled when a new one starts.
Source: Linters/SAST tools
| issues: write | ||
|
|
||
| steps: | ||
| - uses: actions/stale@v10 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# Check if the stale.yml file exists and view its contents
git ls-files | grep -E "(stale|workflows)" | head -20Repository: fossas/fossa-cli
Length of output: 502
🏁 Script executed:
# Examine the stale.yml file
if [ -f ".github/workflows/stale.yml" ]; then
cat -n ".github/workflows/stale.yml"
else
echo "File not found"
fiRepository: fossas/fossa-cli
Length of output: 1022
🌐 Web query:
actions/stale v10 full commit SHA github actions
💡 Result:
The actions/stale v10.0.0 release is associated with commit SHA 3a9db7e [1]. This version was released on September 4, 2025, and introduced several updates, including an upgrade to Node 24 (which requires runners to be on version v2.327.1 or later) and the addition of a new sort-by option [2][3]. The full commit history between v9 and v10.0.0 is available on GitHub, where commit 3a9db7e is explicitly identified as the final commit for this release [2][1].
Citations:
- 1: actions/stale@v9...v10.0.0
- 2: https://github.com/actions/stale/releases/tag/v10.0.0
- 3: https://github.com/actions/stale/blob/main/CHANGELOG.md
🌐 Web query:
actions/stale commit SHA 3a9db7e full 40 character hash
💡 Result:
The full 40-character SHA hash for the commit 3a9db7e in the actions/stale repository is 3a9db7e6a41a89f618792c92c0e97cc736e1b13f [1]. This commit was authored by salmanmkc and merged on September 3, 2025, as part of Pull Request #1279, which upgraded the action to use Node.js 24 [1][2].
Citations:
🏁 Script executed:
# Try to find the full commit SHA for actions/stale v10
python3 - <<'PY'
# The shortened SHA from web search is 3a9db7e
# GitHub commit SHAs are 40 characters long
# The full SHA for 3a9db7e would typically be available via GitHub API or release tags
# For now, document what we know
import requests
try:
# Query GitHub API for the stale action release tag v10.0.0
response = requests.get('https://api.github.com/repos/actions/stale/releases/tags/v10.0.0')
if response.status_code == 200:
data = response.json()
# Look for the target_commitish which should be the full SHA
print(f"Tag Name: {data.get('tag_name')}")
print(f"Target Commitish: {data.get('target_commitish')}")
print(f"Published At: {data.get('published_at')}")
else:
print(f"HTTP {response.status_code}")
except Exception as e:
print(f"Error: {e}")
PYRepository: fossas/fossa-cli
Length of output: 69
Pin actions/stale to a full commit SHA.
Line 15 uses a mutable tag (v10), which is a supply-chain risk and violates strict action pinning policies.
Suggested fix
- - uses: actions/stale@v10
+ - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/stale@v10 | |
| - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/stale.yml at line 15, The uses statement for actions/stale
is currently pinned to a mutable tag v10, which poses a supply-chain security
risk. Replace the mutable tag v10 with a full commit SHA to ensure the workflow
always uses a specific, immutable version of the action. Look up the full commit
SHA that corresponds to the v10 release on the actions/stale GitHub repository
and update the uses directive to reference that SHA instead of the tag.
Source: Linters/SAST tools
2 participants
Overview
Add a workflow to manage stale GitHub issues. Comment and label issues as stale if they have no activity for 3 weeks, and close them if they don't see any action for another week.
Acceptance criteria
If this PR is successful, what impact does it have on the user experience?
Example: When users do X, Y should now happen.
Testing plan
How did you validate that this PR works? What literal steps did you take when manually checking that your code works?
Example:
This section should list concrete steps that a reviewer can sanity check and repeat on their own machine (and provide any needed test cases).
Risks
Highlight any areas that you're unsure of, want feedback on, or want reviewers to pay particular attention to.
Example: I'm not sure I did X correctly, can reviewers please double-check that for me?
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
Add links to any referenced GitHub issues, Zendesk tickets, Jira tickets, Slack threads, etc.
Example:
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.