stale workflow: update permissions #25287
Conversation
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
docker-agent
left a comment
Assessment: 🟢 APPROVE
This is a correct and well-scoped fix. Adding actions: write is the documented requirement for actions/stale v9+ to delete its cache-based state between runs, and the inline comment accurately describes the reason. The permission is scoped to the job level, and the job only runs the pinned actions/stale action.
| permissions: | ||
| issues: write | ||
| pull-requests: write | ||
| actions: write # required for actions/stale to delete its state cache between runs |
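Review bot: the inline comment on the "actions: write" line justifies the scope only by the cache deletion, but this scope also lets the token cancel, re-run and delete workflow runs, and because a job-level "permissions:" block is the job's complete grant, a reader will take the comment as the full justification. Suggest extending it to something like "actions: write # lets actions/stale delete its _state cache; also permits cancel/re-run of workflow runs" so the wider effect stays visible next to the grant. Everything not listed in this block (contents, for example) resolves to none, which is appropriate for a job whose only step is the pinned actions/stale action.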
[LOW] actions: write grants broader workflow permissions beyond cache deletion
actions: write is the minimal permission that satisfies actions/stale's requirement to delete its _state cache entry, and the inline comment is accurate. However, this permission also implicitly allows cancelling, re-running, or deleting other workflow runs in the repository. The risk is low given the job only runs the pinned actions/stale action, but worth noting for awareness.
No change needed — this is informational only.
Description
Fix stale action not closing PRs due to missing actions: write permission

The stale action uses GitHub Actions cache to persist state between runs. Without actions: write, it can't delete its _state cache entry (fails with 403), so the old state accumulates and PRs in that cached state are permanently skipped with "processed during the previous run", meaning they never get evaluated for closing.

Confirmed via Actions logs: PR #23598 was marked stale on April 24 but has never been evaluated for closing because it appears in the stuck cache state every run.
Related issues or tickets
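The description explains why a job running actions/stale needs issues: write, pull-requests: write and actions: write, and that a job-level permissions block is the token's complete grant. The checker below is an added example, not code from docker/docs or from actions/stale: it reads the small subset of workflow YAML that matters here (workflow- and job-level permissions, and the uses: entries of each job's steps) with a hypothetical indentation-based reader instead of a YAML library, then reports any actions/stale job whose effective permissions fall short. The two embedded workflows are constructed samples modelled on the permissions hunk in this PR; the actions/stale@v9 tag and the cron schedule are illustrative.

```python
"""Audit GitHub Actions workflows for jobs that run actions/stale without the
GITHUB_TOKEN scopes the action needs, including actions: write so it can delete
the _state cache entry it persists between runs.
Hypothetical checker added as an example; not part of docker/docs or actions/stale."""
import re

# Scopes actions/stale needs on its token (actions: write is the one added in the PR).
REQUIRED_FOR_STALE = {"issues": "write", "pull-requests": "write", "actions": "write"}

_KEY_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def _strip_comment(line):
    # Good enough for workflow files: drop whole-line comments and " # ..." trailers.
    # (A '#' inside a quoted value would be cut too; not needed for this subset.)
    if line.lstrip().startswith("#"):
        return ""
    return re.sub(r"\s+#.*$", "", line)


def parse_workflow(text):
    """Tiny indentation-based reader for the workflow subset we care about.
    Returns (workflow_permissions, jobs); jobs maps a job id to
    {"permissions": dict or None, "uses": [action refs]}.  A permissions dict
    carries "_shorthand" when written as `permissions: read-all|write-all`."""
    wf_perms = None
    jobs = {}
    stack = []  # (indent, key) pairs: the path from the top level to the current line
    for raw in text.splitlines():
        line = _strip_comment(raw.rstrip())
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):
            body = body[2:].lstrip()
            indent += 2  # keys of a list item sit two columns in from the dash
        m = _KEY_RE.match(body)
        if not m:
            continue  # scalar list entries and block strings are not needed here
        key, value = m.group(1), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key]
        stack.append((indent, key))
        if path == ["permissions"]:
            wf_perms = {"_shorthand": value} if value else {}
        elif len(path) == 2 and path[0] == "permissions":
            wf_perms[key] = value
        elif len(path) == 2 and path[0] == "jobs":
            jobs[key] = {"permissions": None, "uses": []}
        elif len(path) == 3 and path[0] == "jobs" and key == "permissions":
            jobs[path[1]]["permissions"] = {"_shorthand": value} if value else {}
        elif len(path) == 4 and path[0] == "jobs" and path[2] == "permissions":
            jobs[path[1]]["permissions"][key] = value
        elif len(path) == 4 and path[0] == "jobs" and path[2] == "steps" and key == "uses":
            jobs[path[1]]["uses"].append(value)
    return wf_perms, jobs


def check_stale_permissions(text):
    """Return one finding per missing scope for every job that runs actions/stale."""
    wf_perms, jobs = parse_workflow(text)
    findings = []
    for job, info in jobs.items():
        if not any(u.startswith("actions/stale@") for u in info["uses"]):
            continue
        # A job-level block replaces the workflow-level one entirely, and any
        # scope not listed in whichever block applies resolves to 'none'.
        perms = info["permissions"] if info["permissions"] is not None else wf_perms
        if perms is None:
            findings.append(f"{job}: no permissions block; token scopes fall back to the repository default")
            continue
        if perms.get("_shorthand") == "write-all":
            continue
        for scope, level in REQUIRED_FOR_STALE.items():
            have = perms.get(scope, "none")
            if have != level:
                findings.append(f"{job}: needs '{scope}: {level}', has '{scope}: {have}'")
    return findings


# Constructed sample modelled on the hunk in this PR: the state before the fix.
BEFORE = """\
name: Close stale issues and PRs
on:
  schedule:
    - cron: "0 0 * * *"
jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v9  # tag is illustrative; pin to a SHA in practice
        with:
          days-before-stale: 30
"""

# The same workflow with the line the PR adds.
AFTER = BEFORE.replace(
    "      pull-requests: write\n",
    "      pull-requests: write\n"
    "      actions: write # required for actions/stale to delete its state cache between runs\n",
)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_stale_permissions(wf) or "ok")
```

Run against the "before" sample it reports the single missing scope; against the "after" sample it is clean. The reader deliberately treats a missing permissions block as a finding rather than assuming the repository default, because that default is a repository setting, not something the workflow file guarantees.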