Create issue-manager.yml

[NxPKG]

User description

Category:

One of: Bugfix / Feature / Code style update / Refactoring Only / Build related changes / Documentation / Other (please specify)

Overview

Briefly outline your new changes...

Issue Number (if applicable) #00

New Vars (if applicable)

If you've added any new build scripts, environmental variables, config file options, dependency or devDependency, please outline here

Screenshot (if applicable)

If you've introduced any significant UI changes, please include a screenshot

Code Quality Checklist (Please complete)

• All changes are backwards compatible
• All lint checks and tests are passing
• There are no (new) build warnings or errors
• (If a new config option is added) Attribute is outlined in the schema and documented
• (If a new dependency is added) Package is essential, and has been checked out for security or performance
• (If significant change) Bumps version in package.json

---

PR Type

configuration changes

---

Description

• Introduced a new GitHub Actions workflow named 'Issue Manager' to automate issue and pull request management.
• Configured the workflow to trigger on a schedule, issue comments, and labeling events for both issues and pull requests.
• Defined permissions to allow writing to issues and pull requests.
• Implemented job steps that utilize the 'khulnasoft/issue-manager' action to manage issues and pull requests with specific delay periods and automated messages.

---

Changes walkthrough 📝

Relevant files

Configuration changes

issue-manager.yml Add GitHub Actions workflow for issue management                  .github/workflows/issue-manager.yml Added a new GitHub Actions workflow named 'Issue Manager'. Configured triggers for scheduled runs, issue comments, and labeling events. Set permissions for writing issues and pull requests. Implemented job steps for managing issues and pull requests with specific delay and messages. +47/-0

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

Summary by CodeRabbit

• New Features

  • Introduced an automated issue management workflow to streamline handling of issues and pull requests.
  • Issues are categorized into "answered," "waiting," and "invalid" with specified closure delays and custom messages.
  • Added a workflow to manage and generate updates related to closed pull requests.

• Chores

  • Added new GitHub Actions workflow files for improved issue tracking and management.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR adds a new GitHub Actions workflow file that implements automated issue and pull request management. The workflow uses the khulnasoft/issue-manager action to automatically close issues and PRs based on specific conditions and timeframes.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Implementation of automated issue management workflow	Configures workflow to run on a daily schedule (22:13 UTC) Sets up triggers for issue comments, label changes, and PR labels Implements permission settings for issues and pull requests Configures job to run only in the khulnasoft repository Sets up GitHub context debugging step	.github/workflows/issue-manager.yml
Configuration of issue management rules	Adds 'answered' rule to close issues after 10 days Implements 'waiting' rule to close inactive PRs after 30.5 days Sets up 'invalid' rule for immediate closure of invalid issues/PRs	.github/workflows/issue-manager.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Walkthrough

Two new GitHub Actions workflows have been added to the repository: issue-manager.yml and latest-changes.yml. The issue-manager.yml workflow is triggered by events such as scheduled jobs and issue comments, operating only for the repository owner 'khulnasoft' on the latest Ubuntu environment. It manages issues based on categories with specified closure delays. The latest-changes.yml workflow activates when a pull request to the master branch is closed or manually dispatched, utilizing actions to check out the repository and manage the latest changes.

Changes

File	Change Summary
.github/workflows/issue-manager.yml	Introduced a new workflow for issue management, triggered by multiple events, with defined categories and closure delays.
.github/workflows/latest-changes.yml	Introduced a new workflow for managing latest changes, triggered by closing pull requests and manual dispatch.

Poem

In the garden where issues bloom,
A manager now sweeps the gloom.
With labels bright and messages clear,
Closing the gaps, bringing cheer!
For every question, a path to find,
In the world of code, we’re all aligned! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codiumai-pr-agent-free]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns Token exposure risk: The workflow uses GITHUB_TOKEN with write permissions for issues and pull requests. While this is a standard practice, the pull_request_target trigger means the workflow runs with repository permissions even on PRs from forks. This needs careful review to prevent potential abuse.

⚡ Recommended focus areas for review Security Configuration The workflow uses pull_request_target trigger which runs with repository token permissions. This needs careful review to ensure no malicious code execution is possible from external PRs. Configuration Review The delay times and messages for issue management should be reviewed to ensure they align with the project's needs and community expectations.

[codiumai-pr-agent-free]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Security	✅ Remove or limit debug information to prevent exposure of potentially sensitive data The workflow exposes potentially sensitive information by dumping the entire GitHub context. Remove this debug step or limit the output to non-sensitive information only. .github/workflows/issue-manager.yml [26-29] -- name: Dump GitHub context - env: - GITHUB_CONTEXT: ${{ toJson(github) }} - run: echo "$GITHUB_CONTEXT" +# Remove the step entirely or replace with specific context variables if needed [Suggestion has been applied] Suggestion importance[1-10]: 9 Why: This is a critical security suggestion as dumping the entire GitHub context could expose sensitive information in the workflow logs. Removing or limiting the debug output would enhance the security of the workflow.	9
General	Replace hardcoded repository owner check with a more specific and maintainable repository identifier The workflow uses a hardcoded repository owner check ('khulnasoft') which makes the workflow fail if the repository is forked. Use the 'github.repository' context variable instead to make it more maintainable and reusable. .github/workflows/issue-manager.yml [23] -if: github.repository_owner == 'khulnasoft' +if: github.repository == 'khulnasoft/repository-name' Apply this suggestion Suggestion importance[1-10]: 3 Why: While the suggestion aims to improve maintainability, using github.repository_owner is actually a valid approach when you want to limit the workflow to run only for the organization's repos. The suggested change would be more restrictive by limiting it to a specific repository.	3

💡 Need additional feedback ? start a PR chat

[sourcery-ai]

Hey @NxPKG - I've reviewed your changes and they look great!

Here's what I looked at during the review

• 🟢 General issues: all looks good
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 958b25e and 1897e1c.

📒 Files selected for processing (1)

• .github/workflows/issue-manager.yml (1 hunks)

🔇 Additional comments (1)

.github/workflows/issue-manager.yml (1)

17-19: LGTM: Permissions follow security best practices

The permissions are appropriately scoped to only what's needed for the issue manager functionality.

[coderabbitai]

💡 Codebase verification

Missing required labels for issue-manager automation

The repository is missing the "answered" and "waiting" labels that are required for the issue-manager automation to work properly. Only the "invalid" label exists.

• Add the following labels to the repository:
  • "answered" - For issues that have been resolved
  • "waiting" - For PRs awaiting contributor response

🔗 Analysis chain

Consider adding configuration documentation

The configuration looks good, but consider adding comments to explain:

1. The reasoning behind the chosen delay periods
2. What criteria determine when issues get labeled as "answered", "waiting", or "invalid"

Example:

       config: >
         {
+          // Close answered issues after 10 days of inactivity
           "answered": {
             "delay": 864000,
             "message": "Assuming the original need was handled, this will be automatically closed now. But feel free to add more comments or create new issues or PRs."
           },

Also, verify that these labels exist in the repository:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if required labels exist in the repository
gh label list | grep -E "answered|waiting|invalid"

Length of output: 92

[coderabbitai]

⚠️ Potential issue

Security: Review pull_request_target trigger usage

The workflow uses pull_request_target which runs with repository secrets and write permissions in the context of the base repository. This could be dangerous if the workflow checks out and runs code from the PR.

Consider:

1. Using pull_request instead if you don't need access to secrets
2. If pull_request_target is necessary, ensure no untrusted code from the PR is checked out or executed

Additionally, consider specifying which labels should trigger the workflow to prevent unnecessary runs:

  pull_request_target:
    types:
      - labeled
+   if: contains(['answered', 'waiting', 'invalid'], github.event.label.name)

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)

.github/workflows/latest-changes.yml (1)

16-18: Consider pinning Ubuntu version

While using ubuntu-latest works, consider pinning to a specific version (e.g., ubuntu-22.04) for better reproducibility and to avoid unexpected changes when the 'latest' tag moves.

-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 1897e1c and 44efa0f.

📒 Files selected for processing (1)

• .github/workflows/latest-changes.yml (1 hunks)

🔇 Additional comments (1)

.github/workflows/latest-changes.yml (1)

3-14: Review security implications of pull_request_target

While using pull_request_target is appropriate here since we need write permissions, be aware that this trigger runs workflows with repository context. The current configuration is safe because:

1. It only triggers on closed PRs
2. It's limited to the master branch
3. The workflow only uses trusted actions

However, if the workflow is modified in the future to run on different PR states or use untrusted actions, it could pose security risks.

Let's verify other workflows aren't using this trigger unsafely:

✅ Verification successful

Security review of pull_request_target usage is satisfactory

All workflows using pull_request_target are properly secured:

• latest-changes.yml: Only runs on closed PRs
• issue-manager.yml: Only triggers on label events, uses trusted khulnasoft action
• add-comment-from-tag.yml: Only triggers on label events, uses official actions
• add-to-project.yml: Uses official GitHub action
• All workflows have appropriate permission restrictions
• All workflows use trusted actions from either GitHub official (actions/*) or well-known organizations

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other workflows using pull_request_target
rg -l "pull_request_target" .github/workflows/

Length of output: 199

---

Script:

#!/bin/bash
# Check the trigger configurations in workflows using pull_request_target
echo "=== latest-changes.yml ==="
rg "pull_request_target" -A 10 .github/workflows/latest-changes.yml

echo -e "\n=== issue-manager.yml ==="
rg "pull_request_target" -A 10 .github/workflows/issue-manager.yml

echo -e "\n=== add-comment-from-tag.yml ==="
rg "pull_request_target" -A 10 .github/workflows/add-comment-from-tag.yml

echo -e "\n=== add-to-project.yml ==="
rg "pull_request_target" -A 10 .github/workflows/add-to-project.yml

Length of output: 1203

---

Script:

#!/bin/bash
# Let's check what actions these workflows are using to ensure they're trusted
echo "=== issue-manager.yml actions ==="
rg "uses:" -A 1 .github/workflows/issue-manager.yml

echo -e "\n=== add-comment-from-tag.yml actions ==="
rg "uses:" -A 1 .github/workflows/add-comment-from-tag.yml

echo -e "\n=== add-to-project.yml actions ==="
rg "uses:" -A 1 .github/workflows/add-to-project.yml

Length of output: 673

[coderabbitai]

🛠️ Refactor suggestion

Add configuration for latest-changes action

The latest-changes action supports additional configuration options that might be useful:

• path - to specify where to generate the changelog
• template - to customize the changelog format
• latest-changes-file - to specify the output file

Consider adding these configurations to better control the changelog generation.

       - uses: khulnasoft/latest-changes@0.3.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          path: CHANGELOG.md
+          latest-changes-file: LATEST_CHANGES.md

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: khulnasoft/latest-changes@0.3.2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	- uses: khulnasoft/latest-changes@0.3.2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	path: CHANGELOG.md
	latest-changes-file: LATEST_CHANGES.md

[coderabbitai]

💡 Codebase verification

Token configuration is correct but missing latest-changes configuration

The ORG_REPO_TOKEN usage is consistent across workflows and properly configured for the checkout action to allow commits to master. However, the latest-changes action is missing important configuration parameters:

• No path specified for the changelog file
• No template defined for the changelog entries

Required configuration:

• Add path parameter to specify where to store the changelog
• Add template parameter to define the format of entries
• Consider adding date-format for consistent timestamps

🔗 Analysis chain

Verify ORG_REPO_TOKEN permissions and availability

The workflow uses ORG_REPO_TOKEN for checkout to allow commits to master. This requires:

1. The secret to be properly configured
2. Appropriate permissions to commit to master

Let's verify the secret usage across workflows:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for ORG_REPO_TOKEN usage
rg "ORG_REPO_TOKEN" .github/workflows/

Length of output: 555

---

Script:

#!/bin/bash
# Check latest-changes.yml workflow configuration
cat .github/workflows/latest-changes.yml

Length of output: 566

[codiumai-pr-agent-free]

Suggestion: Remove or limit debug information to prevent exposure of potentially sensitive data [Security, importance: 9]

Suggested change

	- name: Dump GitHub context
	env:
	GITHUB_CONTEXT: ${{ toJson(github) }}
	run: echo "$GITHUB_CONTEXT"
	# Remove the step entirely or replace with specific context variables if needed

[qodo-merge-pro]

Suggestion: Remove or limit debug information to prevent exposure of potentially sensitive data [Security, importance: 9]

Suggested change

	- name: Dump GitHub context
	env:
	GITHUB_CONTEXT: ${{ toJson(github) }}
	run: echo "$GITHUB_CONTEXT"
	# Remove the step entirely or replace with specific context variables if needed

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/issue-manager.yml (3)

4-15: Optimize workflow triggers for better resource usage

Consider the following improvements:

1. The cron schedule (22:13 UTC) seems arbitrary. Consider aligning it with your team's working hours for better response times.
2. Add filters to the issue_comment trigger to prevent unnecessary workflow runs:

 issue_comment:
   types:
     - created
+  if: |
+    !contains(github.event.issue.labels.*.name, 'invalid') &&
+    !contains(github.event.issue.labels.*.name, 'answered')

---

21-24: Consider adding error handling for repository check

While the owner check is good, consider making it more robust:

-    if: github.repository_owner == 'khulnasoft'
+    if: |
+      github.repository_owner == 'khulnasoft' &&
+      !github.event.repository.archived &&
+      !github.event.repository.fork

This prevents the workflow from running on archived repositories or forks.

---

33-47: Consider parameterizing delay times and enhancing messages

1. Make delay times configurable:

 jobs:
   issue-manager:
+    inputs:
+      answered-delay:
+        description: 'Delay in seconds before closing answered issues'
+        default: '864000'
+      waiting-delay:
+        description: 'Delay in seconds before closing waiting PRs'
+        default: '2628000'
     steps:
       - uses: khulnasoft/issue-manager@0.5.1
         with:
           config: >
             {
               "answered": {
-                "delay": 864000,
+                "delay": ${{ inputs.answered-delay }},

2. Consider adding more context to messages, such as how to reopen if needed.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 44efa0f and 8832827.

📒 Files selected for processing (1)

• .github/workflows/issue-manager.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/issue-manager.yml

28-28: unexpected token "[" while parsing variable access, function call, null, bool, int, float or string. expecting "IDENT", "(", "INTEGER", "FLOAT", "STRING"

(expression)

🔇 Additional comments (1)

.github/workflows/issue-manager.yml (1)

17-19: LGTM! Permissions follow security best practices

The permissions are appropriately scoped to only what's needed for the workflow.

[coderabbitai]

⚠️ Potential issue

Fix GitHub context filtering syntax

The pick function is not available in GitHub Actions. Use this instead:

-          GITHUB_CONTEXT: ${{ toJson(pick(github, ['event_name', 'repository', 'issue.number'])) }}
+          GITHUB_CONTEXT: ${{ toJson(github) | jq '{event_name: .event_name, repository: .repository, issue_number: .issue.number}' }}

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 actionlint (1.7.4)

28-28: unexpected token "[" while parsing variable access, function call, null, bool, int, float or string. expecting "IDENT", "(", "INTEGER", "FLOAT", "STRING"

(expression)