Add automation to auto-close stale external contributor PRs #12102
vkodithala wants to merge 2 commits into
Scheduled GitHub Action that reminds external-contributor PR authors with an active requested-changes review at 7/14/26 days of inactivity, then closes the PR at 30 days (only after the day-26 final warning has been posted). Inactivity is author-driven and reminder progress is tracked via marker comments, so no datastore is needed. Includes the product and tech specs.
Originating issue: warpdotdev/oz-for-oss#457
Co-Authored-By: Oz <oz-agent@warp.dev>
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request.
Powered by Oz
Overview
This PR adds a scheduled/manual GitHub Actions workflow to remind and eventually close external-contributor PRs with unresolved requested-changes reviews, plus product and technical specs for the lifecycle.
Concerns
- The inactivity clock uses Git commit author/committer dates as though they were push timestamps, which can fail to reset after a real head-branch update.
- The workflow trusts hidden stage markers from any issue comment author, allowing marker spoofing to satisfy the final-warning guard without the workflow having posted that warning.
Security
- Hidden marker comments are untrusted PR content; only workflow-authored marker comments should be accepted before using them to decide whether closure is allowed.
Verdict
Found: 0 critical, 2 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
- Use GitHub-recorded push times (GraphQL commit.pushedDate + force-push events) instead of contributor-controlled commit dates, so a backdated or force-pushed commit resets the inactivity timer.
- Only trust stage markers on github-actions[bot]-authored comments so a contributor can't spoof the final-warning marker and trigger a close.
- Drop the author-review activity signal (authors can't review their own PR; inline replies are already counted as author comments) and remove the spec-reference header comment.
Co-Authored-By: Oz <oz-agent@warp.dev>
259de17 to cbee5ad
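The marker-trust rule raised in the review and adopted in the follow-up commit above, as an added JavaScript example (not the PR's workflow script). The marker syntax `<!-- stale-pr-stage:... -->`, the stage names, the function names and the sample comments are assumptions made for illustration; the comment objects use the REST issue-comment fields `user.login`, `user.type`, `body` and `created_at`.

```javascript
// Added example. Marker syntax and stage names are hypothetical, not the PR's.
const TRUSTED_LOGIN = 'github-actions[bot]';
const MARKER_RE = /<!--\s*stale-pr-stage:([a-z0-9-]+)\s*-->/g;
const DAY_MS = 24 * 60 * 60 * 1000;

// Stages whose marker was posted by the workflow identity inside the current
// inactivity window. `comments` uses the REST issue-comment shape
// (user.login, user.type, body, created_at); windowStart is an ISO timestamp.
function trustedStages(comments, windowStart) {
  const start = Date.parse(windowStart);
  const stages = new Set();
  for (const c of comments) {
    const fromWorkflow =
      c.user && c.user.login === TRUSTED_LOGIN && c.user.type === 'Bot';
    if (!fromWorkflow) continue; // markers in anyone else's comment are ignored
    if (Date.parse(c.created_at) <= start) continue; // left over from an earlier window
    for (const m of (c.body || '').matchAll(MARKER_RE)) stages.add(m[1]);
  }
  return stages;
}

// Close only when the window is old enough AND the workflow itself posted
// the final warning in this window.
function closureAllowed(comments, windowStart, now, closeAfterDays = 30) {
  const idleDays = (Date.parse(now) - Date.parse(windowStart)) / DAY_MS;
  return idleDays >= closeAfterDays &&
    trustedStages(comments, windowStart).has('final-warning');
}

// Constructed sample data: window opened 2024-01-01, scan runs 30 days later.
const bot = { login: 'github-actions[bot]', type: 'Bot' };
const author = { login: 'external-dev', type: 'User' };
const WINDOW_START = '2024-01-01T00:00:00Z';
const NOW = '2024-01-31T00:00:00Z';
const spoofed = [
  { user: bot, created_at: '2023-12-20T09:00:00Z', body: 'Final warning <!-- stale-pr-stage:final-warning -->' },
  { user: bot, created_at: '2024-01-08T09:00:00Z', body: 'Reminder <!-- stale-pr-stage:reminder-7 -->' },
  { user: author, created_at: '2024-01-27T09:00:00Z', body: 'ping <!-- stale-pr-stage:final-warning -->' },
];
const genuine = spoofed.concat([
  { user: bot, created_at: '2024-01-27T10:00:00Z', body: 'Final warning <!-- stale-pr-stage:final-warning -->' },
]);

console.log(closureAllowed(spoofed, WINDOW_START, NOW));
console.log(closureAllowed(genuine, WINDOW_START, NOW));
```

In the sample, the marker in the contributor's comment and the workflow marker from before the window opened are both ignored, so only the run that sees the workflow's own final warning inside the window is allowed to close.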
lucieleblanc left a comment
LGTM overall, a few small non-blocking questions. Approving to unblock.
| 9. **Comment authorship.** Reminders and the closing comment are posted by the workflow's GitHub Actions identity (`github-actions[bot]`, via the default `GITHUB_TOKEN`). Authoring them as the `oz-for-oss` bot — to match other Oz comments on the PR — is a non-functional nicety, explicitly deferred (see the Tech Spec follow-ups), and must not block this work. | ||
| 10. **No duplicate or repeated actions.** At most one comment is posted per reminder stage per inactivity window; re-running the scan does not post duplicate reminders or re-close an already-closed PR. After a timer reset, stages become eligible again for the new window. | ||
| 11. **Exemption.** A maintainer-applied `no-autoclose` label removes the PR from the lifecycle immediately; no reminders or closure occur while it is present. | ||
| 12. **Drafts are skipped.** Converting a PR to draft removes it from the lifecycle until it is marked ready for review again. |
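Review bot: Item 9 names `github-actions[bot]` as the author of reminders and the closing comment but does not state that stage markers are trusted only when they come from that identity, and it defers a later switch to the `oz-for-oss` bot. Suggest saying in item 9 which author the marker check accepts and that the deferred identity change must update that check in the same change; otherwise the duplicate suppression in item 10 and the final-warning guard would stop recognising the workflow's own comments.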
Is this meant to reset the clock? If so, it seems this could be a workaround to extend the clock before a PR gets closed.
| - name: Follow up on stale requested-changes PRs | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | ||
| with: | ||
| script: | |
Non-blocking: could we potentially put this in a standalone script? It would be easier to review + edit if it had its own source file instead of being embedded.

Description
Adds a scheduled GitHub Action (`.github/workflows/stale_requested_changes_prs.yml`) that follows up on external-contributor PRs which have an active requested-changes review and have gone inactive:
- `external-contributor`, not `no-autoclose`, decisive review state `CHANGES_REQUESTED` (Oz- or human-authored).
- `GITHUB_TOKEN` (authored by `github-actions[bot]`); least-privilege `permissions`.
- `workflow_dispatch` `mode` input (`dry-run` / `reminder-only` / `full`); scheduled runs default to `full`.
Why: external PRs can receive requested-changes reviews (from Oz or a human) and then sit indefinitely without author follow-up, creating review backlog and leaving contributors with no clear closure expectation. More context in this related issue on our OSS management repo: warpdotdev/oz-for-oss#457.
How: a single pinned `actions/github-script` step mirroring the existing `close_stale_fix_prs.yml` pattern. Product and tech specs are checked in under `specs/stale-pr-cleanup/`. Authoring comments as the `oz-for-oss` bot was deliberately deferred as a non-functional follow-up (see the tech spec).
Linked Issue
Originating issue: warpdotdev/oz-for-oss#457 (tracked in the `oz-for-oss` repo, not this one). Specs are checked in under `specs/stale-pr-cleanup/`.
Testing
- `node --check`.
- `actionlint` is not installed locally; it runs in CI.
- `cargo fmt` / `cargo clippy` are not applicable.
- `workflow_dispatch` → `dry-run` (logs eligible PRs + intended actions, writes nothing), then `reminder-only`, before relying on scheduled `full` runs.
Agent Mode
Conversation: https://staging.warp.dev/conversation/d76db83c-921f-494e-ac33-ed2b9d868a9d
CHANGELOG-NONE
Co-Authored-By: Oz oz-agent@warp.dev