Update stale.yml with permissions and action version #1100
Open
Alb4don wants to merge 4 commits into deepseek-ai:main from
Conversation
Alb4don
commented
Feb 2, 2026
- My primary change restricts the GITHUB_TOKEN scope. Previously, the workflow operated with default permissions, which often grant broad read/write access to the repository. I have explicitly defined a permissions block to enforce the principle of least privilege, limiting the token solely to issues: write and contents: read. This ensures that even if the workflow execution were compromised, the blast radius is contained, preventing unauthorized code modification.
- I replaced the tag with the specific SHA checksum (28ca10...) for actions/obsolete in order to guarantee execution integrity, ensuring that the code we execute today is cryptographically identical to the code I verified.
- And finally, I updated the logic for closing inactive issues. I added vulnerability and security advisory to the list of exemptions, which helps prevent inadvertently closing critical security disclosures that may require longer remediation timelines than standard bugs.
Added permissions for reading contents and writing issues and pull requests. Updated stale action version and added exempt labels for stale issues.
- I implemented static application security testing (SAST) using bandit. This configuration specifically targets Python-centric attack vectors, monitoring for unsafe deserialization patterns such as unverified pickle loading and dangerous dynamic execution calls like exec or eval. I tuned the analyzer to exclude standard assertion checks (B101). Simultaneously, I introduced Software Composition Analysis (SCA) through pip auditing. This helps validate the repository's dependency tree against the Open Source Vulnerabilities (OSV) database, preventing the introduction of libraries with known CVEs into the environment. I also fixed action references to their immutable SHA checksums, aiming to mitigate the risk of supply chain compromise through mutable upstream tags.
Fix syntax error in stale.yml and update Zen AI Pentest action version.
Removed Zen AI Pentest action from stale.yml.
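As an added illustration (not the PR's own diff), here is what a workflow applying the changes described above looks like: a top-level least-privilege permissions block, actions pinned to full commit SHAs rather than mutable tags, and exempt labels for security disclosures. It assumes the action referred to as "actions/obsolete" is actions/stale, uses all-zero placeholders where the reviewed commit SHAs belong, and places the bandit/pip-audit job in the same file purely to keep the example in one place.

```yaml
name: Stale issues and security checks

on:
  schedule:
    - cron: "30 1 * * *"   # once a day
  pull_request:

# Drop the default GITHUB_TOKEN scopes at the workflow level; each job
# re-grants only what it needs. Without this block the token carries the
# repository's default (often read/write) scopes.
permissions:
  contents: read

jobs:
  stale:
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule'
    permissions:
      contents: read
      issues: write
      pull-requests: write   # remove if the action should touch issues only
    steps:
      # Pinned to a full commit SHA instead of a mutable tag such as @v9.
      # PLACEHOLDER SHA: replace with the commit of the release you reviewed.
      - uses: actions/stale@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          days-before-stale: 60
          days-before-close: 14
          stale-issue-label: stale
          # Security disclosures may need longer remediation than ordinary bugs,
          # so they are never auto-closed.
          exempt-issue-labels: "vulnerability,security advisory"

  sast-sca:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          python-version: "3.12"
      - run: pip install bandit pip-audit
      # SAST: flags unsafe deserialization (pickle) and exec/eval; -s B101 skips assert checks.
      - run: bandit -r . -s B101
      # SCA: checks the pinned dependency tree against the OSV advisory database.
      - run: pip-audit --vulnerability-service osv -r requirements.txt
```

A reviewer can confirm the pin by checking that each placeholder SHA resolves to the tagged release commit in the upstream repository before merging.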