fix(ci): correct stale-issue-label and exempt security issues#3605
Open
anxkhn wants to merge 1 commit into
Open
fix(ci): correct stale-issue-label and exempt security issues#3605anxkhn wants to merge 1 commit into
anxkhn wants to merge 1 commit into
Conversation
The stale workflow set `stale-issue-label: 'stale,security'`, but `stale-issue-label` takes a single label and is applied verbatim, so stale issues were tagged with one bogus label literally named `stale,security` instead of `stale`. That breaks the workflow's own stale-issue-message and anything keyed on the `stale` label. It also left `security` out of `exempt-issue-labels`, so security-labeled issues were still marked stale and auto-closed, unlike security-labeled PRs which are already exempted via `exempt-pr-labels: 'not-stale,security'`. Set `stale-issue-label: 'stale'` and add `security` to `exempt-issue-labels` so the issue side mirrors the PR side.
ebyhr
approved these changes
Jul 6, 2026
ebyhr
left a comment
Member
There was a problem hiding this comment.
Looks good to me. This is consistent with stale-pr-label and exempt-pr-labels.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rationale for this change
The stale-bot workflow (
.github/workflows/stale.yml) configures the issue sideincorrectly:
stale-issue-labeltakes a single label andactions/staleapplies itverbatim (it is not comma-split, unlike the
*-labelsinputs). So instead oftagging stale issues with
stale, the workflow tags them with one bogus labelliterally named
stale,security. That breaks the workflow's ownstale-issue-message(which tells users to addnot-stale, keyed on the stalestate) and anything else that relies on a plain
stalelabel.It also leaves
securityout ofexempt-issue-labels, sosecurity-labeledissues are still marked stale and auto-closed after 180+14 days. This is
inconsistent with the PR side of the same file, which already exempts
security:The value was introduced in #3125, which changed
stale-issue-label: 'stale'to'stale,security'in the same change that addedexempt-pr-labels: 'not-stale,security', i.e.securitywas meant as anexemption on both sides but landed in the wrong key on the issue side.
This change makes the issue side mirror the (already correct) PR side:
Are these changes tested?
There is no test harness for GitHub Actions workflow semantics in this repo, so
this was validated by inspection against the pinned action's contract and source:
actions/stale'saction.ymlat the pinned SHA(
eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899, v10.3.0):stale-issue-labelisdocumented as "The label to apply when an issue is stale" (single value,
default
Stale), whileexempt-issue-labelsdocuments "Separate multiplelabels with commas". In the action source, the stale label is applied verbatim
and only the exempt labels are comma-split, confirming both effects above.
stale-issue-label: 'stale'matches the PR side of this same file and theJava
apache/icebergstale.yml.check-yaml,codespell,trailing-whitespace, end-of-file-fixer).
Are there any user-facing changes?
No. This only affects the repository's stale-bot automation (issue labeling and
which issues are exempt from auto-close). No changelog label needed.