chore: refactor spam list updating

[MonaaEid]

Description:
This pull request refactors the spam list update automation to create an issue instead of a pull request when changes are detected, and removes the now-unused logic for PR creation.

Related issue(s):

Fixes #1667

Checklist

• Updated .github/scripts/update-spam-list.js and .github/workflows/cron-update-spam-list.yml
• Updated CHANGELOG.md
• Documented (Code comments, README, etc.)
• Tested (unit, integration, etc.)

[github-actions]

Hi @MonaaEid, this is **LinkBot** 👋

Linking pull requests to issues helps us significantly with reviewing pull requests and keeping the repository healthy.

🚨 This pull request does not have an issue linked.

Please link an issue using the following format:

• Fixes chore: [StepSecurity] Apply security best practices #123

📖 Guide:
docs/sdk_developers/how_to_link_issues.md

If no issue exists yet, please create one:
docs/sdk_developers/creating_issues.md

Thanks!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main    #1749   +/-   ##
=======================================
  Coverage   93.25%   93.25%           
=======================================
  Files         141      141           
  Lines        9061     9061           
=======================================
  Hits         8450     8450           
  Misses        611      611           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Walkthrough

The spam list update workflow is refactored to address a permission issue by replacing pull request creation with GitHub issue creation. The update script no longer writes directly to the spam-list.txt file, and the workflow configuration now requires issues: write permission instead of PR creation capabilities.

Changes

Cohort / File(s)	Summary
Script Refactoring .github/scripts/update-spam-list.js	Removed file-writing logic for spam-list.txt and PR generation outputs. Modified computeSpamListUpdates to return only additions and removals. When changes are detected, the script now creates a GitHub issue with spam-list-update and automated labels instead of creating a PR. Maintained DRY RUN mode awareness and added explicit no-change logging.
Workflow Configuration .github/workflows/cron-update-spam-list.yml	Added issues: write permission. Updated action versions for harden-runner and checkout. Removed the entire "Create pull request" step and its associated inputs/outputs.
Changelog CHANGELOG.md	Added unreleased entry documenting the refactor of spam list update logic and removal of PR creation step. Entry contains a duplicate listing in the file.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: refactor spam list updating' directly describes the main change—refactoring the spam list update automation—and is clear and concise.
Description check	✅ Passed	The description is directly related to the changeset, clearly stating the refactor changes the workflow to create issues instead of PRs and removes unused PR creation logic.
Linked Issues check	✅ Passed	The PR addresses the core requirement of issue #1667 by resolving the GitHub Actions permission issue through refactoring the spam list update workflow to create issues instead of PRs, which bypasses the PR creation permission restriction.
Out of Scope Changes check	✅ Passed	All changes are within scope: updating the automation script and workflow file as required, with appropriate CHANGELOG.md entry, all directly addressing issue #1667's permission problem.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

.github/scripts/update-spam-list.js (3)

75-105: ⚠️ Potential issue | 🟡 Minor

Stale reference: issue body still says "This PR" instead of "This issue".

Line 79 generates body text saying "This PR automatically updates the spam list", but the script now creates an issue, not a PR. The title format on Line 76 also uses a PR-style prefix.

Proposed fix

-  const title = `chore: Update spam list (${additions.length} additions, ${removals.length} removals)`;
+  const title = `chore: update spam list (${additions.length} additions, ${removals.length} removals)`;
   
   let body = '## Automated Spam List Update\n\n';
-  body += 'This PR automatically updates the spam list based on recent PR activity.\n\n';
+  body += 'This issue reports spam list changes based on recent PR activity.\n\n';

---

67-71: 🛠️ Refactor suggestion | 🟠 Major

finalSpamList is computed but never consumed by the caller.

computeSpamListUpdates still builds and returns finalSpamList (and mutates it via add/delete), but the caller on Line 190 only destructures { additions, removals }. Since the file-writing logic was removed, this is dead code.

Proposed fix

   return {
     additions,
-    removals,
-    finalSpamList: Array.from(finalSpamList).sort((a, b) => a.localeCompare(b))
+    removals
   };

---

166-187: ⚠️ Potential issue | 🟠 Major

Unbounded pagination on search results.

The pagination loop on Lines 170–186 has no hard upper bound on the number of pages or results processed. If the repository accumulates a very large number of matching PRs, this could lead to excessive API consumption and long run times. Additionally, each "rehabilitated PR" triggers a secondary pulls.get call inside the loop (Line 149), amplifying the cost.

Consider adding a page counter or total-items cap to bail out after a reasonable threshold (e.g., 1000 results).

As per coding guidelines, "Pagination MUST: Be considered and justified, Enforce hard upper bounds".

.github/workflows/cron-update-spam-list.yml (1)

21-23: ⚠️ Potential issue | 🟠 Major

Missing concurrency group.

This workflow mutates GitHub state (creates issues) but defines no concurrency key. If the cron and a manual dispatch overlap, or if the workflow is retried, duplicate issues could be created concurrently.

Proposed fix

 jobs:
   update-spam-list:
     runs-on: ubuntu-latest
+    concurrency:
+      group: cron-update-spam-list
+      cancel-in-progress: false
     steps:

As per coding guidelines, "Workflows that mutate state MUST: Define a deterministic concurrency group".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing deduplication: repeated runs will create duplicate issues.

There is no check-before-create logic to prevent duplicate issues. If the cron fires twice, gets retried, or is manually dispatched, a new issue is created each time. The coding guidelines require marker-based deduplication for workflows that mutate GitHub state.

Search for an existing open issue with the same label before creating a new one:

Proposed fix

     if (hasChanges) {
       if (dryRun) {
         console.log('[DRY RUN] Would create issue with:');
         console.log(`Title: ${title}`);
         console.log(`Body: ${body}`);
       } else {
+        // Check for existing open issue to avoid duplicates
+        const { data: existing } = await github.rest.issues.listForRepo({
+          owner,
+          repo,
+          labels: 'spam-list-update',
+          state: 'open',
+          per_page: 1
+        });
+        if (existing.length > 0) {
+          console.log(`Skipping issue creation: open issue #${existing[0].number} already exists`);
+          return;
+        }
         await github.rest.issues.create({
           owner,
           repo,
           title,
           body,
           labels: ['spam-list-update', 'automated']
         });
         console.log('Issue created successfully');
       }

As per coding guidelines, "Marker-based deduplication is required" and "Duplicate API calls MUST be avoided".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (hasChanges) {
	if (dryRun) {
	console.log('[DRY RUN] Would create issue with:');
	console.log(`Title: ${title}`);
	console.log(`Body: ${body}`);
	} else {
	await github.rest.issues.create({
	owner,
	repo,
	title,
	body,
	labels: ['spam-list-update', 'automated']
	});
	console.log('Issue created successfully');
	}
	} else {
	console.log('No changes needed, skipping issue creation');
	}
	if (hasChanges) {
	if (dryRun) {
	console.log('[DRY RUN] Would create issue with:');
	console.log(`Title: ${title}`);
	console.log(`Body: ${body}`);
	} else {
	// Check for existing open issue to avoid duplicates
	const { data: existing } = await github.rest.issues.listForRepo({
	owner,
	repo,
	labels: 'spam-list-update',
	state: 'open',
	per_page: 1
	});
	if (existing.length > 0) {
	console.log(`Skipping issue creation: open issue #${existing[0].number} already exists`);
	return;
	}
	await github.rest.issues.create({
	owner,
	repo,
	title,
	body,
	labels: ['spam-list-update', 'automated']
	});
	console.log('Issue created successfully');
	}
	} else {
	console.log('No changes needed, skipping issue creation');
	}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Over-permissioned: contents: write and pull-requests: write are no longer needed.

The PR creation step was removed and the script no longer writes files. The only mutation is github.rest.issues.create, which requires issues: write. The contents: read permission is sufficient for the checkout step.

Proposed fix

 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
   issues: write

As per coding guidelines, "Requested permissions MUST exactly match behavior" and "Flag: Over-permissioned workflows".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	permissions:
	contents: write
	pull-requests: write
	issues: write
	permissions:
	contents: read
	issues: write

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Missing blank line before ### Removed heading and missing issue reference.

The changelog entry on Line 292 runs directly into the ### Removed section header on Line 293 with no separating blank line, breaking the formatting pattern used throughout the rest of the file. Also, other entries in this changelog reference their issue/PR number (e.g., (#1664)), but this entry does not reference #1667 or #1749.

Proposed fix

-- Refactor spam list update logic and remove unused pull request creation step `.github/scripts/update-spam-list.js` `.github/workflows/cron-update-spam-list.yml`.
-### Removed
+- Refactor spam list update logic and remove unused pull request creation step `.github/scripts/update-spam-list.js` `.github/workflows/cron-update-spam-list.yml`. (`#1667`)
+
+### Removed

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Refactor spam list update logic and remove unused pull request creation step `.github/scripts/update-spam-list.js` `.github/workflows/cron-update-spam-list.yml`.
	### Removed
	- Refactor spam list update logic and remove unused pull request creation step `.github/scripts/update-spam-list.js` `.github/workflows/cron-update-spam-list.yml`. (`#1667`)
	### Removed

🧰 Tools

🪛 LanguageTool

[uncategorized] ~292-~292: The official name of this software platform is spelled with a capital “H”.
Context: ...ep .github/scripts/update-spam-list.js .github/workflows/cron-update-spam-list.yml. #...

(GITHUB)

🪛 markdownlint-cli2 (0.20.0)

[warning] 293-293: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Above

(MD022, blanks-around-headings)

[exploreriii]

I think some of the code rabbit suggestions are good 👍

[exploreriii]

Please check the permissions and the final comment needs to be updated to reflect its an issue now