fix(workflows): automate weekly SHA staleness check with issue creation

[PratikWayase]

Pull Request

Description

This PR automates the weekly SHA staleness security check in the GitHub workflow.
Previously, the sha-staleness-check workflow only executed the Test-SHAStaleness.ps1 script but did not create any actionable follow-up when stale dependencies were detected.

This update improves the workflow by:

• Running the Test-SHAStaleness.ps1 script automatically during the weekly security maintenance workflow.
• Parsing the generated sha-staleness-results.json file to detect stale GitHub Actions or tools.
• Automatically creating or updating a tracking GitHub issue when stale dependencies exceed the defined threshold.
• Preventing duplicate issues by updating an existing open issue if one already exists.
• Automatically closing the issue when no stale dependencies are detected in future runs.

This ensures that outdated GitHub Action SHAs and security tools are continuously monitored and tracked without requiring manual checks.

Related Issue(s)

Fixes #268

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Testing

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Additional Notes

[WilliamBerryiii]

Thank you for this contribution, @PratikWayase! Your work on automating the weekly SHA staleness check improves our security validation workflow. We appreciate the time and care you put into this.

We've made a couple of updates to align with project conventions:

• Title: Updated to Conventional Commits format: fix(workflows): automate weekly SHA staleness check with issue creation
• Description: Filled in the missing PR template sections (Type of Change checkboxes, Checklist, and Security Considerations) to conform to our standard PR template

No action needed on your end. If you have questions about any of the changes, feel free to comment here.

[PratikWayase]

@PratikWayase please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

Contribution License Agreement

This Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”), and conveys certain license rights to Microsoft Corporation and its affiliates (“Microsoft”) for Your contributions to Microsoft open source projects. This Agreement is effective as of the latest signature date below.

1. Definitions.
   “Code” means the computer software code, whether in human-readable or machine-executable form,
   that is delivered by You to Microsoft under this Agreement.
   “Project” means any of the projects owned or managed by Microsoft and offered under a license
   approved by the Open Source Initiative (www.opensource.org).
   “Submit” is the act of uploading, submitting, transmitting, or distributing code or other content to any
   Project, including but not limited to communication on electronic mailing lists, source code control
   systems, and issue tracking systems that are managed by, or on behalf of, the Project for the purpose of
   discussing and improving that Project, but excluding communication that is conspicuously marked or
   otherwise designated in writing by You as “Not a Submission.”
   “Submission” means the Code and any other copyrightable material Submitted by You, including any
   associated comments and documentation.
2. Your Submission. You must agree to the terms of this Agreement before making a Submission to any
   Project. This Agreement covers any and all Submissions that You, now or in the future (except as
   described in Section 4 below), Submit to any Project.
3. Originality of Work. You represent that each of Your Submissions is entirely Your original work.
   Should You wish to Submit materials that are not Your original work, You may Submit them separately
   to the Project if You (a) retain all copyright and license information that was in the materials as You
   received them, (b) in the description accompanying Your Submission, include the phrase “Submission
   containing materials of a third party:” followed by the names of the third party and any licenses or other
   restrictions of which You are aware, and (c) follow any other instructions in the Project’s written
   guidelines concerning Submissions.
4. Your Employer. References to “employer” in this Agreement include Your employer or anyone else
   for whom You are acting in making Your Submission, e.g. as a contractor, vendor, or agent. If Your
   Submission is made in the course of Your work for an employer or Your employer has intellectual
   property rights in Your Submission by contract or applicable law, You must secure permission from Your
   employer to make the Submission before signing this Agreement. In that case, the term “You” in this
   Agreement will refer to You and the employer collectively. If You change employers in the future and
   desire to Submit additional Submissions for the new employer, then You agree to sign a new Agreement
   and secure permission from the new employer before Submitting those Submissions.
5. Licenses.

• Copyright License. You grant Microsoft, and those who receive the Submission directly or
  indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the
  Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute
  the Submission and such derivative works, and to sublicense any or all of the foregoing rights to third
  parties.
• Patent License. You grant Microsoft, and those who receive the Submission directly or
  indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under
  Your patent claims that are necessarily infringed by the Submission or the combination of the
  Submission with the Project to which it was Submitted to make, have made, use, offer to sell, sell and
  import or otherwise dispose of the Submission alone or with the Project.
• Other Rights Reserved. Each party reserves all rights not expressly granted in this Agreement.
  No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are
  granted by implication, exhaustion, estoppel or otherwise.

6. Representations and Warranties. You represent that You are legally entitled to grant the above
   licenses. You represent that each of Your Submissions is entirely Your original work (except as You may
   have disclosed under Section 3). You represent that You have secured permission from Your employer to
   make the Submission in cases where Your Submission is made in the course of Your work for Your
   employer or Your employer has intellectual property rights in Your Submission by contract or applicable
   law. If You are signing this Agreement on behalf of Your employer, You represent and warrant that You
   have the necessary authority to bind the listed employer to the obligations contained in this Agreement.
   You are not expected to provide support for Your Submission, unless You choose to do so. UNLESS
   REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, AND EXCEPT FOR THE WARRANTIES
   EXPRESSLY STATED IN SECTIONS 3, 4, AND 6, THE SUBMISSION PROVIDED UNDER THIS AGREEMENT IS
   PROVIDED WITHOUT WARRANTY OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF
   NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
7. Notice to Microsoft. You agree to notify Microsoft in writing of any facts or circumstances of which
   You later become aware that would make Your representations in this Agreement inaccurate in any
   respect.
8. Information about Submissions. You agree that contributions to Projects and information about
   contributions may be maintained indefinitely and disclosed publicly, including Your name and other
   information that You submit with Your Submission.
9. Governing Law/Jurisdiction. This Agreement is governed by the laws of the State of Washington, and
   the parties consent to exclusive jurisdiction and venue in the federal courts sitting in King County,
   Washington, unless no federal subject matter jurisdiction exists, in which case the parties consent to
   exclusive jurisdiction and venue in the Superior Court of King County, Washington. The parties waive all
   defenses of lack of personal jurisdiction and forum non-conveniens.
10. Entire Agreement/Assignment. This Agreement is the entire agreement between the parties, and
    supersedes any and all prior agreements, understandings or communications, written or oral, between
    the parties relating to the subject matter hereof. This Agreement may be assigned by Microsoft.

@microsoft-github-policy-service agree

[WilliamBerryiii]

Thanks for adding automated issue tracking for SHA staleness — this is a great addition to the security maintenance workflow.

Two items are blockers (the unpinned action SHA and the missing issues: write permission) and will need to be fixed before merge. The remaining comments are suggestions to improve reliability and output quality.

One additional suggestion: when the script closes a resolved staleness issue (the else branch around line 250), consider adding a comment to the issue before closing it — something like "All action SHAs are now within the freshness threshold. Closing automatically." This provides an audit trail so readers understand why the issue was closed without having to trace back to the workflow run.

[WilliamBerryiii]

actions/github-script@v7 is not SHA-pinned. Per repository policy (.github/instructions/workflows.instructions.md), all actions must use full SHA references. This will also fail the validate-action-pinning CI check.

Suggested change

	uses: actions/github-script@v7
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7

[WilliamBerryiii]

The summary job currently only has contents: read permission, but this step calls github.rest.issues.create(), .update(), and .listForRepo() which require issues: write. These API calls will return 403 without the additional permission.

Add to the summary job's permissions block:

permissions:
  contents: read
  issues: write

[WilliamBerryiii]

listForRepo defaults to 30 results per page. If there are many open issues, the target tracking issue could fall outside the first page, causing the script to create a duplicate instead of updating the existing one.

Consider using per_page: 100 or paginating with github.paginate() to ensure the existing issue is found:

const issues = await github.paginate(github.rest.issues.listForRepo, {
  owner: context.repo.owner,
  repo: context.repo.repo,
  state: 'open',
  labels: 'security,staleness',
  per_page: 100
});

[WilliamBerryiii]

if: always() runs even when the workflow is cancelled or upstream jobs fail for infrastructure reasons. In those cases, needs.check-staleness.outputs.stale-count will be empty, causing parseInt to return NaN, and the step will attempt to create/close an issue based on bad data.

Consider narrowing the condition:

Suggested change

	if: always()
	if: ${{ !cancelled() && needs.check-staleness.result == 'success' }}

[WilliamBerryiii]

The template literal indentation here produces leading whitespace in the rendered markdown body. GitHub will interpret the indented lines as code blocks rather than normal markdown.

Either dedent the template content or use a helper variable:

const body = [
  `## 🔒 SHA Staleness Report`,
  ``,
  `**${staleCount}** action reference(s) exceed the **${maxAgeDays}-day** freshness threshold.`,
  ``,
  `Run the staleness check locally or review the [latest workflow run](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}) for details.`,
  ``,
  `> This issue is automatically managed by the weekly security maintenance workflow.`,
].join('\n');

[WilliamBerryiii]

closing this in favor of #975