
fix(workflows): automate weekly SHA staleness check with issue creation#975

Open
PratikWayase wants to merge 1 commit into microsoft:main from PratikWayase:feat/sha-staleness-268

Conversation

@PratikWayase
Contributor

Description

This PR automates the weekly SHA staleness security check in the GitHub workflow.
Previously, the sha-staleness-check workflow only executed the Test-SHAStaleness.ps1 script but did not create any actionable follow-up when stale dependencies were detected.

This update improves the workflow by:

  • Running the Test-SHAStaleness.ps1 script automatically during the weekly security maintenance workflow.
  • Parsing the generated sha-staleness-results.json file to detect stale GitHub Actions or tools.
  • Automatically creating or updating a tracking GitHub issue when stale dependencies exceed the defined threshold.
  • Preventing duplicate issues by updating an existing open issue if one already exists.
  • Automatically closing the issue when no stale dependencies are detected in future runs.

This ensures that outdated GitHub Action SHAs and security tools are continuously monitored and tracked without requiring manual checks.


Related Issue(s)
Fixes #268

Type of Change

Code & Documentation

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Other

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Files follow existing naming conventions
  • Changes are backwards compatible
  • Tests added for new functionality (if applicable)

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege

Additional Notes

This workflow improves long-term repository security maintenance by automatically detecting stale SHA pins and guiding maintainers to update them when necessary.
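The create/update/close decision the description above outlines, written as an added example (not code from this PR or from the repository) in the style of an actions/github-script step. The result-file shape (`staleEntries` with `name`, `currentSha`, `latestSha`), the threshold value and the issue title are assumptions; the PR does not show the real output of Test-SHAStaleness.ps1.

```javascript
// Added example, not the PR's own code. Assumed results shape:
// { "staleEntries": [ { "name", "currentSha", "latestSha" }, ... ] }
const ISSUE_TITLE = "Weekly SHA staleness check: stale pinned dependencies"; // assumed
const STALE_THRESHOLD = 1; // assumed: a single stale pin is actionable

// Parse sha-staleness-results.json and reject unexpected shapes early.
function parseResults(jsonText) {
  const data = JSON.parse(jsonText);
  if (!Array.isArray(data.staleEntries)) throw new Error("unexpected results format");
  return data.staleEntries;
}

// Render the stale pins as a markdown table for the issue body.
function renderBody(stale) {
  const rows = stale.map(e => `| ${e.name} | ${e.currentSha} | ${e.latestSha} |`);
  return ["| Dependency | Pinned SHA | Latest SHA |", "|---|---|---|", ...rows].join("\n");
}

// Decide the single action for this run. openIssue is the existing open
// tracking issue ({ number }) or null. Updating instead of creating keeps
// one issue per problem; closing on a clean run keeps the tracker honest.
function planAction(stale, openIssue) {
  const actionable = stale.length >= STALE_THRESHOLD;
  if (actionable && !openIssue) return { action: "create", title: ISSUE_TITLE, body: renderBody(stale) };
  if (actionable && openIssue) return { action: "update", number: openIssue.number, body: renderBody(stale) };
  if (!actionable && openIssue) return { action: "close", number: openIssue.number };
  return { action: "none" };
}

// Apply the plan through an Octokit-style issues client (github.rest.issues
// inside actions/github-script). repo is { owner, repo }.
async function applyAction(issues, repo, plan) {
  switch (plan.action) {
    case "create": return issues.create({ ...repo, title: plan.title, body: plan.body });
    case "update": return issues.update({ ...repo, issue_number: plan.number, body: plan.body });
    case "close":  return issues.update({ ...repo, issue_number: plan.number, state: "closed" });
    default:       return null;
  }
}

// Constructed sample run: one stale pin, SHAs are placeholders.
const SAMPLE_RESULTS = JSON.stringify({ staleEntries: [
  { name: "actions/checkout", currentSha: "<pinned-sha>", latestSha: "<latest-sha>" },
] });
```

In the workflow, `planAction` runs once per weekly job after the existing open issue is looked up by title, so repeated runs converge on exactly one open issue or none.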

