diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml index c65a18d..31d0aa6 100644 --- a/.github/workflows/auto-assign.yml +++ b/.github/workflows/auto-assign.yml @@ -9,444 +9,6 @@ env: jobs: handle-comment: - runs-on: ubuntu-latest - # Only runs on issue comments, not those of pull requests - if: github.event.issue.pull_request == null - timeout-minutes: 15 - permissions: - issues: write - pull-requests: write - - steps: - - name: Handle /assign or /unassign - uses: actions/github-script@v7 - with: - # ORG_ACCESS_TOKEN must have the following scopes: - # - repo (or public_repo if using public repos only) - # - org:read (to enumerate organization repos) - github-token: ${{ secrets.ORG_ACCESS_TOKEN }} - script: | - /** - * Auto-assign workflow for organization-wide issue assignment limits - * - * Features: - * - Self-assignment only: Users comment /assign to assign themselves - * - Organization-wide limit: Enforces MAX_OPEN_ASSIGNMENTS across all org repos - * - Race condition mitigation: Re-checks assignment count before final assignment - * - * Required GitHub Token Permissions (ORG_ACCESS_TOKEN): - * - repo (or public_repo for public repos only) - * - org:read (to enumerate organization repositories) - * - * Configuration: - * - MAX_OPEN_ASSIGNMENTS: Maximum open issues per user (default: 2) - * - * Commands: - * - /assign: Self-assign an issue (if under limit) - * - /unassign: Remove self-assignment from an issue - * - * Limitations: - * - Small race condition window exists between checks and assignment - * - Only self-assignment supported (cannot assign others) - * - Requires archived repos to be properly marked in GitHub - */ - - const comment = context.payload.comment; - const body = (comment.body || "").trim(); - const user = comment.user.login; - const association = context.payload.comment.author_association; - const issue = context.payload.issue || context.payload.pull_request; - const issueNumber = issue.number; - const { owner, repo } = context.repo; - - // Default assignment limit is 2 if not configured - const maxAssignments = parseInt(process.env.MAX_OPEN_ASSIGNMENTS || '2'); - if (isNaN(maxAssignments)) { - throw new Error(`Invalid MAX_OPEN_ASSIGNMENTS value: "${process.env.MAX_OPEN_ASSIGNMENTS}". Must be a positive integer.`); - } - - // Ignore bots only - if (comment.user.type === "Bot") { - console.log("Ignoring bot"); - return; - } - - /** - * Check if a user has any merged PRs in the repository - * @param {object} github - GitHub API client - * @param {string} owner - Repository owner - * @param {string} repo - Repository name - * @param {string} username - GitHub username to check - * @returns {Promise} - True if user has merged PRs, false otherwise - */ - async function hasMergedPRs(github, owner, repo, username) { - try { - // Use GitHub Search API to find merged PRs authored by the user - const query = `repo:${owner}/${repo} type:pr is:merged author:${username}`; - - const result = await github.rest.search.issuesAndPullRequests({ - q: query, - per_page: 1, // We only need to know if at least one exists - }); - - const count = result.data.total_count; - console.log(`User ${username} has ${count} merged PR(s) in ${owner}/${repo}`); - - return count > 0; - } catch (error) { - console.error(`Error checking merged PRs for ${username}:`, error); - // On error, return false to be safe (deny access) - return false; - } - } - - const isAssign = body.startsWith("/assign"); - const isUnassign = body.startsWith("/unassign"); - - if (!isAssign && !isUnassign) { - console.log("Not an /assign or /unassign command"); - return; - } - - // After checking isAssign - if (isAssign && body.trim() !== "/assign") { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ @${user} This workflow only supports self-assignment. Use \`/assign\` without specifying a username.`, - }); - return; - } - - /** - * NOTE - * - * List of possible user association values: https://docs.github.com/en/graphql/reference/enums - * - * COLLABORATOR - * Author has been invited to collaborate on the repository. - * - * CONTRIBUTOR - * Author has previously committed to the repository. - * - * FIRST_TIMER (Seems to be only applicable to PR commenters) - * Author has not previously committed to GitHub. - * - * FIRST_TIME_CONTRIBUTOR (Seems to be only applicable to PR commenters) - * Author has not previously committed to the repository. - * - * MANNEQUIN - * Author is a placeholder for an unclaimed user. - * - * MEMBER - * Author is a member of the organization that owns the repository. - * - * NONE (Default for non-PR commenters who don't match any of the other associations) - * Author has no association with the repository. - * - * OWNER - * Author is the owner of the repository. - */ - - // Issues created by non-members require manual intervention by members for auto-assignment. - if (isAssign) { - const issueCreator = issue.user.login; - let issueCreatorAssociation; - - // Fetch author_association via REST API since it's no longer in event payload - try { - const issueDetails = await github.rest.issues.get({ - owner, - repo, - issue_number: issueNumber - }); - issueCreatorAssociation = issueDetails.data.author_association; - } catch (error) { - console.error(`Error fetching issue details for #${issueNumber}:`, error); - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ Failed to verify issue permissions. Please contact a maintainer or try again later.`, - }); - return; - } - console.log(`Issue #${issueNumber} creator ${issueCreator} has association: ${issueCreatorAssociation}`); - - // Only allow /assign on issues created by OWNER, MEMBER, COLLABORATOR or CONTRIBUTOR - const allowedAssociations = ['OWNER', 'MEMBER', 'COLLABORATOR', 'CONTRIBUTOR']; - - if (!allowedAssociations.includes(issueCreatorAssociation)) { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ @${user} The \`/assign\` feature is only available for issues created by OWNER, MEMBER, COLLABORATOR or CONTRIBUTOR user associations. This issue was created by @${issueCreator} who has the association: ${issueCreatorAssociation}.`, - }); - console.log(`Denied /assign for ${user} - Issue creator ${issueCreator} has insufficient association (${issueCreatorAssociation})`); - return; - } - - console.log(`Issue creator ${issueCreator} has sufficient association (${issueCreatorAssociation}), allowing /assign for ${user}`); - } - - // Log the type of user association - console.log(`Commenting user ${user} is a ${association}`); - - // New contributors cannot auto assign themselves, but they can unassign themselves - if (isAssign) { - if (association === 'FIRST_TIME_CONTRIBUTOR' || association === 'FIRST_TIMER' || association === 'NONE') { - - // Verify whether the commenter has merged PRs - const hasContributed = await hasMergedPRs(github, owner, repo, user); - - if (!hasContributed) { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ @${user} First time contributors cannot use auto assignment. You have not successfully merged code into this repository. Please ask to be assigned instead.`, - }); - return; - } - } - } - - if (isUnassign) { - - if (body.trim() !== "/unassign") { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ @${user} This workflow only supports \`/unassign\` without additional text.`, - }); - console.log("Invalid /unassign command (must be exact)"); - return; - } - - const currentAssignees = issue.assignees.map(a => a.login); - if (!currentAssignees.includes(user)) { - console.log(`${user} is not assigned, skipping unassign`); - return; - } - - try { - await github.rest.issues.removeAssignees({ - owner, - repo, - issue_number: issueNumber, - assignees: [user], - }); - - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `✅ Unassigned @${user} successfully.`, - }); - - console.log(`Unassigned ${user} from #${issueNumber}`); - } catch (error) { - console.error(`Error unassigning user ${user} from issue #${issueNumber}:`, error); - - // Attempt to create a fallback comment about the failure - try { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ Failed to unassign @${user}. Please try again or contact a maintainer.`, - }); - } catch (commentError) { - console.error(`Failed to create error comment for user ${user} on issue #${issueNumber}:`, commentError); - } - } - return; - } - - // For /assign - const currentAssignees = issue.assignees.map(a => a.login); - if (currentAssignees.includes(user)) { - console.log(`${user} is already assigned, skipping.`); - return; - } - if (currentAssignees.length > 0) { - console.log("Issue already assigned to someone else, skipping."); - return; - } - - console.log(`Checking org-wide assignments for ${user}...`); - let totalAssigned = 0; - let activeRepos = []; - - try { - // Fetch all repos for the org - const repos = await github.paginate(github.rest.repos.listForOrg, { - org: owner, - type: "all", - per_page: 100, - max_items: 500, // Limit to first 500 repos to avoid excessive API calls - }); - - // Filter out archived repositories - activeRepos = repos.filter(r => !r.archived); - for (const r of activeRepos) { - - // Exit early once limit is detected - if (totalAssigned >= maxAssignments) break; - - try { - const assignedIssues = await github.paginate( - github.rest.issues.listForRepo, - { - owner, - repo: r.name, - state: "open", - assignee: user, - per_page: 100, - max_items: 500, // Limit to first 500 repos to avoid excessive API calls - } - ); - totalAssigned += assignedIssues.length; - } catch (repoError) { - console.warn(`Skipping ${r.name}: ${repoError.message}`); - // Continue with other repos - } - } - - // With many repos in the org, we could hit GitHub API rate limits. - const rateLimit = await github.rest.rateLimit.get(); - console.log(`Remaining rate limit: ${rateLimit.data.rate.remaining}`); - - } catch (error) { - console.error("Error fetching org-wide assignments:", error); - - // Notify the user that the org-wide check failed - try { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ **Org-wide assignment check failed**\n\n` + - `Could not verify how many issues @${user} currently has assigned across the organization.\n\n` + - `**Error:** ${error.message || 'Unknown error'}\n\n` + - `Please contact a maintainer or try again later.`, - }); - } catch (commentError) { - console.error(`Failed to post error comment for user ${user} on issue #${issueNumber}:`, commentError); - } - - // Mark the workflow run as failed - throw new Error(`Assignment failed for ${user} on issue #${issueNumber}: ${error.message || error}`); - } - - console.log(`${user} currently has ${totalAssigned} open issues assigned across ${owner}`); - - // KNOWN RACE CONDITION: There is a time window between calculating totalAssigned - // above and actually adding the assignee below where another workflow run (triggered - // by a different /assign comment) can assign the same user to a different issue. - // This distributed execution limitation means the limit can be transiently exceeded. - // - // Mitigation options: - // 1. Accept small transient violations - simplest approach, limit is eventually - // enforced and violations are rare/temporary in practice. - // 2. Use a centralized locking service (e.g., Redis, DynamoDB) to serialize - // assignment decisions across workflow runs. - // 3. Implement retry/backoff: re-check totalAssigned immediately before addAssignees, - // and if another assignment snuck in, abort and notify the user. - // 4. Use GitHub's assignment as a "lock" - assign first, then check and unassign - // if over limit (but this creates noise in notifications). - // - // Current implementation: Option 1 (accept transient violations for simplicity). - if (totalAssigned >= maxAssignments) { - const message = `⚠️ @${user} already has ${totalAssigned} open assignments across the org. Please finish or unassign before taking new ones.`; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: message, - }); - console.log("Limit reached, skipping assignment"); - return; - } - - // Re-verify the count immediately before assignment - try { - let reCheckCount = 0; - for (const r of activeRepos) { - - // Exit early once limit is detected - if (reCheckCount >= maxAssignments) break; - - try { - const assignedIssues = await github.paginate( - github.rest.issues.listForRepo, - { - owner, - repo: r.name, - state: "open", - assignee: user, - per_page: 100, - max_items: 500, // Limit to first 500 repos to avoid excessive API calls - } - ); - reCheckCount += assignedIssues.length; - } catch (repoError) { - console.warn(`Skipping ${r.name} during re-check: ${repoError.message}`); - } - } - - if (reCheckCount >= maxAssignments) { - const message = `⚠️ @${user}, another issue was assigned to you while processing this request. You now have ${reCheckCount} open assignments. Please finish or unassign before taking new ones.`; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: message, - }); - console.log("Limit reached after re-check, aborting assignment"); - return; - } - } catch (error) { - console.error("Error during assignment re-check:", error); - // Continue with assignment since we already passed the first check - } - - try { - await github.rest.issues.addAssignees({ - owner, - repo, - issue_number: issueNumber, - assignees: [user], - }); - - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `✅ Assigned @${user} successfully.`, - }); - - console.log(`Assigned ${user} to #${issueNumber}`); - } catch (error) { - console.error(`Error assigning user ${user} to issue #${issueNumber}:`, error); - - // Attempt to create a failure comment to inform the user - try { - await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: `❌ **Assignment failed**\n\n` + - `Could not assign @${user} to this issue.\n\n` + - `**Error:** ${error.message || 'Unknown error'}\n\n` + - `Please try again or contact a maintainer.`, - }); - } catch (commentError) { - console.error(`Failed to post error comment for user ${user} on issue #${issueNumber}:`, commentError); - // Fall back to marking the workflow as failed if we can't even comment - throw new Error(`Assignment failed and unable to notify user: ${error.message || error}`); - } - } + uses: PalisadoesFoundation/.github/.github/workflows/auto-assign.yml@main + secrets: + ORG_ACCESS_TOKEN: ${{ secrets.ORG_ACCESS_TOKEN }} diff --git a/.github/workflows/issue-assigned.yml b/.github/workflows/issue-assigned.yml index 2095423..c73f667 100644 --- a/.github/workflows/issue-assigned.yml +++ b/.github/workflows/issue-assigned.yml @@ -12,44 +12,8 @@ name: Issue Assignment Workflow on: issues: - types: ['assigned'] -permissions: - contents: read - issues: write + types: ['assigned'] jobs: Remove-Unapproved-Label: - name: Remove Unapproved Label when issue is assigned - runs-on: ubuntu-latest - steps: - - uses: actions/github-script@v7 - with: - script: | - const { owner, repo } = context.repo; - const issue_number = context.issue.number; - const apiParams = { - owner, - repo, - issue_number - }; - - // Get current labels on the issue - const { data: labelList } = await github.rest.issues.listLabelsOnIssue(apiParams); - const unapprovedLabel = labelList.find(l => - l.name.toLowerCase().includes('unapprov') // matches 'unapproved' too - ); - - // Remove unapproved label if it exists - if (unapprovedLabel) { - - try { - await github.rest.issues.removeLabel({ - owner, - repo, - issue_number, - name: unapprovedLabel.name, - }); - } catch (err) { - if (err.status !== 404) throw err; - } - } \ No newline at end of file + uses: PalisadoesFoundation/.github/.github/workflows/issue-assigned.yml@main diff --git a/.github/workflows/issue-unassigned.yml b/.github/workflows/issue-unassigned.yml index 169d8f7..2823bb1 100644 --- a/.github/workflows/issue-unassigned.yml +++ b/.github/workflows/issue-unassigned.yml @@ -6,47 +6,6 @@ on: jobs: add-unapproved-label: - runs-on: ubuntu-latest - - permissions: - issues: write - contents: read - - steps: - - name: Add unapproved label - uses: actions/github-script@v7 - with: - script: | - const { owner, repo } = context.repo; - const issue_number = context.issue.number; - - try { - // Get the complete issue object (includes ALL labels, no pagination issues) - const { data: issue } = await github.rest.issues.get({ - owner, - repo, - issue_number - }); - - // Check if the issue already has the 'unapproved' label (exact match) - const hasUnapprovedLabel = issue.labels.some( - label => label.name === 'unapproved' - ); - - // Only add if it doesn't already have the label - if (!hasUnapprovedLabel) { - await github.rest.issues.addLabels({ - owner, - repo, - issue_number, - labels: ['unapproved'] - }); - - console.log(`Added 'unapproved' label to issue #${issue_number}`); - } else { - console.log(`Issue #${issue_number} already has 'unapproved' label - skipping`); - } - } catch (error) { - console.error(`Error processing issue #${issue_number}:`, error.message); - throw error; // Re-throw to fail the workflow and alert maintainers - } + uses: PalisadoesFoundation/.github/.github/workflows/issue-unassigned.yml@main + secrets: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/issue.yml b/.github/workflows/issue.yml index 4b88b3d..5dc6917 100644 --- a/.github/workflows/issue.yml +++ b/.github/workflows/issue.yml @@ -1,55 +1,9 @@ -############################################################################## -############################################################################## -# -# NOTE! -# -# Please read the README.md file in this directory that defines what should -# be placed in this file -# -############################################################################## -############################################################################## - name: Issue Workflow on: issues: types: ['opened'] jobs: - Opened-issue-label: - name: Adding Issue Label - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - sparse-checkout: | - .github/workflows/auto-label.json5 - sparse-checkout-cone-mode: false - - uses: Renato66/auto-label@v3 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/github-script@v7 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - script: | - const { owner, repo } = context.repo; - const issue_number = context.issue.number; - const apiParams = { - owner, - repo, - issue_number - }; - const labels = await github.rest.issues.listLabelsOnIssue(apiParams); - if(labels.data.reduce((a, c)=>a||["dependencies"].includes(c.name), false)) - await github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - labels: ["good first issue", "security"] - }); - else if(labels.data.reduce((a, c)=>a||["security", "ui/ux", "test", "ci/cd"].includes(c.name), false)) - await github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - labels: ["good first issue"] - }); + Opened-issue-label: + uses: PalisadoesFoundation/.github/.github/workflows/issue.yml@main + secrets: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/pull-request-review.yml b/.github/workflows/pull-request-review.yml index 99fce50..e1e07d1 100644 --- a/.github/workflows/pull-request-review.yml +++ b/.github/workflows/pull-request-review.yml @@ -6,47 +6,4 @@ on: jobs: Check-CodeRabbit-Approval: - name: Check CodeRabbit Approval - runs-on: ubuntu-latest - permissions: - pull-requests: read - steps: - - name: Sleep for 30 seconds to make sure the review status propagates - run: sleep 30s - shell: bash - - name: Check CodeRabbit approval using GitHub Script - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - // List all reviews for the PR - const { data: reviews } = await github.rest.pulls.listReviews({ - owner: context.repo.owner, - repo: context.repo.repo, - pull_number: context.payload.pull_request.number - }); - - // Filter reviews that have a user login containing "coderabbit" (case-insensitive) - // and exclude COMMENTED states. - const codeRabbitReviews = reviews.filter(review => - (review.user.login.toLowerCase().includes('coderabbit') || - review.user.login.toLowerCase().includes('coderabbitai')) && - review.state !== 'COMMENTED' - ); - - // Fail if no CodeRabbit reviews are found - if (codeRabbitReviews.length === 0) { - core.setFailed('ERROR: CodeRabbit has not reviewed this PR.'); - return; - } - - // Sort reviews by submitted_at date in descending order - codeRabbitReviews.sort((a, b) => new Date(b.submitted_at) - new Date(a.submitted_at)); - const latestReview = codeRabbitReviews[0]; - - // Fail if the latest review from CodeRabbit is not "APPROVED" - if (latestReview.state !== 'APPROVED') { - core.setFailed('ERROR: CodeRabbit approval is required before merging this PR.'); - } else { - console.log('Success: CodeRabbit has approved this PR.'); - } + uses: PalisadoesFoundation/.github/.github/workflows/pull-request-review.yml@main diff --git a/.github/workflows/pull-request-target.yml b/.github/workflows/pull-request-target.yml index 8646567..5dea01a 100644 --- a/.github/workflows/pull-request-target.yml +++ b/.github/workflows/pull-request-target.yml @@ -1,64 +1,10 @@ -############################################################################## -############################################################################## -# -# NOTE! -# -# Please read the README.md file in this directory that defines what should -# be placed in this file -# -############################################################################## -############################################################################## - name: PR Target Workflow + on: pull_request_target: -# Required for arkid15r/check-pr-issue-action -permissions: - contents: read - issues: read - pull-requests: write - jobs: PR-Greeting: - name: Pull Request Greeting - runs-on: ubuntu-latest - steps: - - name: Add the PR Review Policy - uses: thollander/actions-comment-pull-request@v3 - with: - comment-tag: pr_review_policy - message: | - ## Our Pull Request Approval Process - - This PR will be reviewed according to our: - - 1. [Palisadoes Contributing Guidelines](https://developer.palisadoes.org/docs/contributor-guide/contributing) - - 2. [AI Usage Policy](https://developer.palisadoes.org/docs/contributor-guide/ai) - - Your PR may be automatically closed if: - - 1. Our PR template isn't filled in correctly - - 1. [You haven't correctly linked your PR to an issue](https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/linking-a-pull-request-to-an-issue) - - Thanks for contributing! - - Check-PR-Issue: - name: Check Correct PR Issue Assignment - runs-on: ubuntu-latest - needs: [PR-Greeting] - steps: - - uses: actions/checkout@v4 - - name: Check PR linked issue and assignee - uses: arkid15r/check-pr-issue-action@0.1.3 - with: - close_pr_on_failure: 'true' - github_token: ${{ secrets.GITHUB_TOKEN }} - no_assignee_message: 'The linked issue must be assigned to the PR author.' - no_issue_message: 'The PR must be linked to an issue assigned to the PR author.' - check_issue_reference: 'true' - require_assignee: 'true' - # List of usernames who can create PRs without having an assigned issue - skip_users_file_path: '.github/workflows/config/check-pr-issue-skip-usernames.txt' + uses: PalisadoesFoundation/.github/.github/workflows/pr-target-policy.yml@main + secrets: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f54d2c3..5e7cc49 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,42 +1,8 @@ -############################################################################## -############################################################################## -# -# NOTE! -# -# Please read the README.md file in this directory that defines what should -# be placed in this file -# -############################################################################## -############################################################################## - name: Mark stale issues and pull requests on: schedule: - - cron: "0 0 * * *" - -permissions: - issues: write - pull-requests: write - + - cron: "*/20 0 * * *" jobs: stale: - name: Process Stale Issues and PRs - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v9 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.' - stale-pr-message: 'This pull request did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please verify it has no conflicts with the develop branch and rebase if needed. Mention it now if you need help or give permission to other people to finish your work.' - close-issue-message: 'This issue did not get any activity in the past 180 days and thus has been closed. Please check if the newest release or develop branch has it fixed. Please, create a new issue if the issue is not fixed.' - close-pr-message: 'This pull request did not get any activity in the past 180 days and thus has been closed.' - stale-issue-label: 'no-issue-activity' - stale-pr-label: 'no-pr-activity' - days-before-stale: 7 - days-before-close: 180 - remove-stale-when-updated: true - exempt-all-milestones: true - exempt-pr-labels: 'wip' - exempt-issue-labels: 'wip' - operations-per-run: 30 + uses: PalisadoesFoundation/.github/.github/workflows/stale.yml@main