From b5d573a19caad94569e86d3705e67403bcb1a28d Mon Sep 17 00:00:00 2001 From: Guillaume Lours Date: Tue, 24 Mar 2026 17:27:27 +0100 Subject: [PATCH 1/2] chore: pin GitHub Actions to commit SHA, remove pr-review workflow - Pin all action references to full commit SHA instead of mutable version tags. Tag retained as inline comment for readability. - Remove pr-review.yml workflow. Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Guillaume Lours # Conflicts: # .github/workflows/pr-review.yml --- .github/workflows/ci.yml | 48 ++++++++++++++--------------- .github/workflows/docs-upstream.yml | 6 ++-- .github/workflows/merge.yml | 10 +++--- .github/workflows/stale.yml | 2 +- 4 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4e5015e30f6..8cfb0505c60 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,17 +35,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Run run: | make ${{ matrix.target }} binary: - uses: docker/github-builder/.github/workflows/bake.yml@v1.4.0 + uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0 permissions: contents: read # same as global permission id-token: write # for signing attestation(s) with GitHub OIDC Token @@ -67,7 +67,7 @@ jobs: steps: - name: Download artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: /tmp/compose-output name: ${{ needs.binary.outputs.artifact-name }} 
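Review bot: Pinning `docker/github-builder/.github/workflows/bake.yml` to a SHA in the `binary` job fixes only that workflow file. The actions it runs internally resolve from whatever refs the file contains at the pinned commit, so the pin is only as strong as upstream's own pinning. The job holds `id-token: write` for attestation signing, so confirm that upstream pins its steps. Also check that no consumer verifying these attestations matches the signer identity on a `refs/tags/...` workflow ref, since calling by SHA presumably changes the ref recorded in the OIDC claims. The same applies to `bin-image-test` later in ci.yml and `bin-image` in merge.yml; a comment above each `uses:` such as `# reusable workflow: inner actions are pinned upstream, not here` would record this (the `binary` job continues past the end of the hunk).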
@@ -103,7 +103,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: release path: ./bin/release/* @@ -111,7 +111,7 @@ jobs: bin-image-test: if: github.event_name == 'pull_request' - uses: docker/github-builder/.github/workflows/bake.yml@v1.4.0 + uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0 with: runner: amd64 target: image-cross @@ -132,10 +132,10 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Test - uses: docker/bake-action@v6 + uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6 with: targets: test set: | @@ -143,14 +143,14 @@ jobs: *.cache-to=type=gha,scope=test - name: Gather coverage data - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: coverage-data-unit path: bin/coverage/unit/ if-no-files-found: error - name: Unit Test Summary - uses: test-summary/action@v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 with: paths: bin/coverage/unit/report.xml if: always() @@ -185,7 +185,7 @@ jobs: echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Docker ${{ matrix.engine }} run: | @@ -199,7 +199,7 @@ jobs: run: docker --version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Set up Docker Model run: | @@ -207,7 +207,7 @@ jobs: docker model version - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: '.go-version' check-latest: true 
@@ -217,7 +217,7 @@ jobs: run: make example-provider - name: Build - uses: docker/bake-action@v6 + uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6 with: source: . targets: binary-with-coverage @@ -244,7 +244,7 @@ jobs: - name: Gather coverage data if: ${{ matrix.mode == 'plugin' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }} path: bin/coverage/e2e/ @@ -258,7 +258,7 @@ jobs: make e2e-compose-standalone - name: e2e Test Summary - uses: test-summary/action@v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 with: paths: /tmp/report/report.xml if: always() @@ -271,20 +271,20 @@ jobs: steps: # codecov won't process the report without the source code available - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: '.go-version' check-latest: true - name: Download unit test coverage - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: coverage-data-unit path: coverage/unit merge-multiple: true - name: Download E2E test coverage - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: coverage-data-e2e-* path: coverage/e2e 
@@ -293,13 +293,13 @@ jobs: run: | go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt - name: Store coverage report in GitHub Actions - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: go-covdata-txt path: ./coverage.txt if-no-files-found: error - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: files: ./coverage.txt @@ -312,10 +312,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Download artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: ./bin/release name: release diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml index 214c88381fd..9a8aefdd165 100644 --- a/.github/workflows/docs-upstream.yml +++ b/.github/workflows/docs-upstream.yml @@ -34,17 +34,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Upload reference YAML docs - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: docs-yaml path: docs/reference retention-days: 1 validate: - uses: docker/docs/.github/workflows/validate-upstream.yml@main + uses: docker/docs/.github/workflows/validate-upstream.yml@464a44a6e72b37cf1755968477e242a5e5f6ef7d # main 2026-03-24 needs: - docs-yaml with: diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 902eb715346..b007f560f34 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml 
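Review bot: The `validate` job's pin in docs-upstream.yml is a snapshot of the `main` branch, not a release, so nothing on the line says when or how to move it forward. Update tooling generally keys on a version in the trailing comment, so `# main 2026-03-24` may not be picked up; confirm against the repository's dependency-update configuration. Because this job validates against upstream docs, a stale pin could keep the check passing against rules upstream has since changed. A comment above the line such as `# tracks docker/docs main (snapshot 2026-03-24); refresh the SHA manually when upstream validation changes` would make the maintenance step explicit.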
@@ -31,9 +31,9 @@ jobs: env: GO111MODULE: "on" steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: '.go-version' cache: true @@ -83,7 +83,7 @@ jobs: - run: echo "Exposing env vars for reusable workflow" bin-image: - uses: docker/github-builder/.github/workflows/bake.yml@v1.4.0 + uses: docker/github-builder/.github/workflows/bake.yml@70313223e2665c3211b454b3fea6534624e78d64 # v1.4.0 needs: - bin-image-prepare permissions: @@ -117,7 +117,7 @@ jobs: - name: Generate Token id: generate_token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ vars.DOCKERDESKTOP_APP_ID }} private-key: ${{ secrets.DOCKERDESKTOP_APP_PRIVATEKEY }} @@ -126,7 +126,7 @@ jobs: ${{ secrets.DOCKERDESKTOP_REPO }} - name: Trigger Docker Desktop e2e with edge version - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: github-token: ${{ steps.generate_token.outputs.token }} script: | diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 2a747ee1c25..5b1fe1c9175 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -19,7 +19,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: > From 0afdd4833bc16e1ee68f0eff2233df7c581951ee Mon Sep 17 00:00:00 2001 
From: Guillaume Lours Date: Tue, 24 Mar 2026 17:53:35 +0100 Subject: [PATCH 2/2] chore: bump GitHub Actions to latest versions - actions/checkout v4 -> v6 - actions/upload-artifact v4/v6 -> v7 - actions/download-artifact v4/v7 -> v8 - docker/setup-buildx-action v3 -> v4 - docker/bake-action v6 -> v7 - actions/stale v9 -> v10 - actions/create-github-app-token v1 -> v3 - actions/github-script v7 -> v8 - ossf/scorecard-action v2.4.0 -> v2.4.3 - ncipollo/release-action v1.10.0 -> v1.21.0 - mxschmitt/action-tmate v3.11 -> v3.23 - codecov/codecov-action, test-summary/action, github/codeql-action: bump to latest patch Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Guillaume Lours --- .github/workflows/ci.yml | 44 ++++++++++++++--------------- .github/workflows/docs-upstream.yml | 4 +-- .github/workflows/merge.yml | 6 ++-- .github/workflows/scorecards.yml | 8 +++--- .github/workflows/stale.yml | 2 +- 5 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8cfb0505c60..9c4c673f0b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,10 +35,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Run run: | @@ -67,7 +67,7 @@ jobs: steps: - name: Download artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: /tmp/compose-output name: ${{ needs.binary.outputs.artifact-name }} 
@@ -103,7 +103,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: release path: ./bin/release/* @@ -132,10 +132,10 @@ jobs: steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Test - uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 with: targets: test set: | @@ -143,14 +143,14 @@ jobs: *.cache-to=type=gha,scope=test - name: Gather coverage data - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: coverage-data-unit path: bin/coverage/unit/ if-no-files-found: error - name: Unit Test Summary - uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 with: paths: bin/coverage/unit/report.xml if: always() @@ -185,7 +185,7 @@ jobs: echo "MODE_ENGINE_PAIR=${mode}-${engine}" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Docker ${{ matrix.engine }} run: | @@ -199,7 +199,7 @@ jobs: run: docker --version - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Set up Docker Model run: | 
@@ -217,7 +217,7 @@ jobs: run: make example-provider - name: Build - uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7 with: source: . targets: binary-with-coverage @@ -230,7 +230,7 @@ jobs: - name: Setup tmate session if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled }} - uses: mxschmitt/action-tmate@8b4e4ac71822ed7e0ad5fb3d1c33483e9e8fb270 # v3.11 + uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23 with: limit-access-to-actor: true github-token: ${{ secrets.GITHUB_TOKEN }} @@ -244,7 +244,7 @@ jobs: - name: Gather coverage data if: ${{ matrix.mode == 'plugin' }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: coverage-data-e2e-${{ env.MODE_ENGINE_PAIR }} path: bin/coverage/e2e/ @@ -258,7 +258,7 @@ jobs: make e2e-compose-standalone - name: e2e Test Summary - uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 + uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4 with: paths: /tmp/report/report.xml if: always() 
@@ -271,20 +271,20 @@ jobs: steps: # codecov won't process the report without the source code available - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: go-version-file: '.go-version' check-latest: true - name: Download unit test coverage - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: coverage-data-unit path: coverage/unit merge-multiple: true - name: Download E2E test coverage - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: coverage-data-e2e-* path: coverage/e2e @@ -293,13 +293,13 @@ jobs: run: | go tool covdata textfmt -i=./coverage/unit,./coverage/e2e -o ./coverage.txt - name: Store coverage report in GitHub Actions - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: go-covdata-txt path: ./coverage.txt if-no-files-found: error - name: Upload coverage to Codecov - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3 with: files: ./coverage.txt @@ -312,10 +312,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download artifacts - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: path: ./bin/release name: release 
@@ -330,7 +330,7 @@ jobs: - name: GitHub Release if: startsWith(github.ref, 'refs/tags/v') - uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # v1.10.0 + uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: artifacts: ./bin/release/* generateReleaseNotes: true diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml index 9a8aefdd165..4af1bd177d3 100644 --- a/.github/workflows/docs-upstream.yml +++ b/.github/workflows/docs-upstream.yml @@ -34,10 +34,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Upload reference YAML docs - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: docs-yaml path: docs/reference diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index b007f560f34..cecd840cf80 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -31,7 +31,7 @@ jobs: env: GO111MODULE: "on" steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6 with: @@ -117,7 +117,7 @@ jobs: - name: Generate Token id: generate_token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3 with: app-id: ${{ vars.DOCKERDESKTOP_APP_ID }} private-key: ${{ secrets.DOCKERDESKTOP_APP_PRIVATEKEY }} 
@@ -126,7 +126,7 @@ jobs: ${{ secrets.DOCKERDESKTOP_REPO }} - name: Trigger Docker Desktop e2e with edge version - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ steps.generate_token.outputs.token }} script: | diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b8f0e5e2500..b9fc388f27a 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -31,12 +31,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.4.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -50,7 +50,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # tag=v4.5.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: SARIF file path: results.sarif @@ -58,6 +58,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3096afedf9873361b2b2f65e1445b13272c83eb8 # tag=v2.20.00 + uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5b1fe1c9175..6c2349b8d00 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
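Review bot: In scorecards.yml the `upload-sarif` step stays on the `github/codeql-action` v2 line while the other actions in this commit move to their newest major, and its trailing comment drops from an exact tag (`# tag=v2.20.00`) to a bare `# v2`. As far as I know the v2 line of the CodeQL Action is deprecated upstream, so this step may miss fixes or stop being supported; confirm, and if so pin the SHA of the current supported major instead. Separately, keep the exact release in the comment, as the same file does with `# v2.4.3` on `ossf/scorecard-action`, so the SHA can be audited against a specific tag. The same applies to the `# v6` and `# v7` comments on `actions/checkout` and `actions/upload-artifact` in this file.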
@@ -19,7 +19,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: >