Skip to content

fix(ci): correct stale-issue-label and exempt security issues#3605

Open
anxkhn wants to merge 1 commit into
apache:mainfrom
anxkhn:fix/stale-issue-label-security-exempt
Open

fix(ci): correct stale-issue-label and exempt security issues#3605
anxkhn wants to merge 1 commit into
apache:mainfrom
anxkhn:fix/stale-issue-label-security-exempt

Conversation

@anxkhn

@anxkhn anxkhn commented Jul 6, 2026

Copy link
Copy Markdown

Rationale for this change

The stale-bot workflow (.github/workflows/stale.yml) configures the issue side
incorrectly:

stale-issue-label: 'stale,security'
exempt-issue-labels: 'not-stale'

stale-issue-label takes a single label and actions/stale applies it
verbatim (it is not comma-split, unlike the *-labels inputs). So instead of
tagging stale issues with stale, the workflow tags them with one bogus label
literally named stale,security. That breaks the workflow's own
stale-issue-message (which tells users to add not-stale, keyed on the stale
state) and anything else that relies on a plain stale label.

It also leaves security out of exempt-issue-labels, so security-labeled
issues are still marked stale and auto-closed after 180+14 days. This is
inconsistent with the PR side of the same file, which already exempts
security:

stale-pr-label: 'stale'
exempt-pr-labels: 'not-stale,security'

The value was introduced in #3125, which changed stale-issue-label: 'stale' to
'stale,security' in the same change that added
exempt-pr-labels: 'not-stale,security', i.e. security was meant as an
exemption on both sides but landed in the wrong key on the issue side.

This change makes the issue side mirror the (already correct) PR side:

stale-issue-label: 'stale'
exempt-issue-labels: 'not-stale,security'

Are these changes tested?

There is no test harness for GitHub Actions workflow semantics in this repo, so
this was validated by inspection against the pinned action's contract and source:

  • Against actions/stale's action.yml at the pinned SHA
    (eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899, v10.3.0): stale-issue-label is
    documented as "The label to apply when an issue is stale" (single value,
    default Stale), while exempt-issue-labels documents "Separate multiple
    labels with commas". In the action source, the stale label is applied verbatim
    and only the exempt labels are comma-split, confirming both effects above.
  • stale-issue-label: 'stale' matches the PR side of this same file and the
    Java apache/iceberg stale.yml.
  • Repo linters pass on the changed file (check-yaml, codespell,
    trailing-whitespace, end-of-file-fixer).

Are there any user-facing changes?

No. This only affects the repository's stale-bot automation (issue labeling and
which issues are exempt from auto-close). No changelog label needed.

The stale workflow set `stale-issue-label: 'stale,security'`, but
`stale-issue-label` takes a single label and is applied verbatim, so stale
issues were tagged with one bogus label literally named `stale,security`
instead of `stale`. That breaks the workflow's own stale-issue-message and
anything keyed on the `stale` label.

It also left `security` out of `exempt-issue-labels`, so security-labeled
issues were still marked stale and auto-closed, unlike security-labeled PRs
which are already exempted via `exempt-pr-labels: 'not-stale,security'`.

Set `stale-issue-label: 'stale'` and add `security` to `exempt-issue-labels`
so the issue side mirrors the PR side.

@ebyhr ebyhr left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. This is consistent with stale-pr-label and exempt-pr-labels.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants