ci: robust stale issue lifecycle and consolidated triage labels #27015

Open
cocosheng-g wants to merge 1 commit into main from new-worktree

Conversation

@cocosheng-g cocosheng-g (Contributor) commented May 13, 2026

Description

This PR implements two major improvements to the GitHub issue triage and lifecycle workflows to better manage the open bug backlog:

  1. Robust Stale Closure Logic (`gemini-lifecycle-manager.cjs`)

    • Previously, the Stale closure logic relied on the easily bumped `updatedAt` timestamp. Any automated bot activity (like triage bots adding area labels) would reset the 14-day stale countdown.
    • The script now accurately queries the GitHub timeline events for each issue to find exactly when the `Stale` label was applied.
    • It filters the subsequent timeline for meaningful events (human comments, bot-created PR cross-references, or human-applied labels). If meaningful activity is detected, it removes the `Stale` label to prevent accidental closure. If no meaningful activity occurred in 14 days, the issue is safely closed.
    • Paging was added to the `processItems` function to ensure no stale issues are missed during batching.
  2. Consolidated Triage Bot Behavior (`gemini-scheduled-issue-triage.yml`)

    • The automated triage prompt was instructing the LLM to apply a `status/need-retesting` label for bugs on old versions, but no lifecycle workflow handled that label.
    • This PR updates the prompt to instead add `status/need-information` and explicitly ask the user to retest on the latest version. This hooks directly into our existing lifecycle manager, ensuring the issue will be closed automatically in 14 days if the user doesn't respond.
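The stale rule the PR describes, as an added example that is not the project's own gemini-lifecycle-manager.cjs: find when the `Stale` label was last applied, ignore bot noise after it, and decide between un-staling, waiting and closing. Event objects only loosely follow the shape of GitHub's issue timeline API, and all sample events are constructed.

```javascript
// Added example, not the project's lifecycle script. Event objects loosely follow
// GitHub's issue timeline API shape; the sample timelines below are constructed.
const STALE_LABEL = 'Stale';
const STALE_DAYS = 14;
const DAY_MS = 24 * 60 * 60 * 1000;
const isBot = (actor) => Boolean(actor && actor.type === 'Bot');
// When was the Stale label most recently applied? null if it is not currently on the item.
function findStaleLabeledAt(timeline) {
  let labeledAt = null;
  for (const e of timeline) {
    if (!e.label || e.label.name !== STALE_LABEL) continue;
    if (e.event === 'labeled') labeledAt = e.created_at;
    if (e.event === 'unlabeled') labeledAt = null;
  }
  return labeledAt;
}
// "Meaningful" activity per the PR: a human comment, a cross-reference coming from a
// PR, or a human-applied label. Bot-applied area labels (the noise that used to bump
// updatedAt and reset the countdown) are deliberately not meaningful.
function isMeaningful(e) {
  switch (e.event) {
    case 'commented': return !isBot(e.actor);
    case 'cross-referenced': return Boolean(e.source && e.source.issue && e.source.issue.pull_request);
    case 'labeled': return !isBot(e.actor) && e.label.name !== STALE_LABEL;
    default: return false;
  }
}
// What the lifecycle job should do: 'skip' (not stale), 'unstale', 'wait' or 'close'.
function decideStaleAction(timeline, nowMs) {
  const staleAt = findStaleLabeledAt(timeline);
  if (!staleAt) return 'skip';
  const staleMs = Date.parse(staleAt);
  const later = timeline.filter((e) => Date.parse(e.created_at) > staleMs && isMeaningful(e));
  if (later.length > 0) return 'unstale';
  return nowMs - staleMs >= STALE_DAYS * DAY_MS ? 'close' : 'wait';
}
// Constructed timelines: Stale applied by the bot on 1 May, then a bot area label on 4 May.
const bot = { login: 'gemini-cli[bot]', type: 'Bot' };
const human = { login: 'alice', type: 'User' };
const onlyBotNoise = [
  { event: 'labeled', actor: bot, label: { name: STALE_LABEL }, created_at: '2026-05-01T00:00:00Z' },
  { event: 'labeled', actor: bot, label: { name: 'area/core' }, created_at: '2026-05-04T00:00:00Z' },
];
// Same timeline plus a human comment on 5 May, which must remove Stale.
const humanReplied = onlyBotNoise.concat([
  { event: 'commented', actor: human, created_at: '2026-05-05T00:00:00Z' },
]);
const day15 = Date.parse('2026-05-16T00:00:00Z');
```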

@cocosheng-g cocosheng-g requested review from a team as code owners May 13, 2026 19:46
@gemini-code-assist gemini-code-assist Bot (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the reliability of the repository's issue management system. By shifting from timestamp-based stale detection to a granular timeline event analysis, the lifecycle manager now correctly identifies actual inactivity, preventing premature closures. Additionally, the triage process has been streamlined to ensure consistent label usage and improved communication with users when information is requested.

Highlights

  • Robust Stale Closure Logic: Refactored the stale issue lifecycle to use precise timeline events instead of the 'updatedAt' timestamp, preventing accidental closures caused by automated bot activity.
  • Meaningful Activity Detection: Implemented a filter for timeline events to distinguish between meaningful human/bot interactions and automated noise, ensuring the 'Stale' label is only removed when genuine progress occurs.
  • Consolidated Triage Labels: Updated the triage bot to use 'status/need-information' instead of 'status/need-retesting', aligning with existing lifecycle workflows for automated closure.
  • Enhanced Commenting Logic: Modified the label application script to guarantee that a clarifying comment is always posted when the 'status/need-information' label is applied.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/gemini-scheduled-issue-triage.yml

@cocosheng-g cocosheng-g force-pushed the new-worktree branch 2 times, most recently from 63ab1aa to 5f78138 Compare May 13, 2026 19:51
@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request enhances the GitHub Action scripts for issue and PR management by implementing pagination for searches and a more sophisticated stale-handling logic that checks the issue timeline for human activity. It also introduces specific stale messaging for bug reports and allows comments to be posted when specific labels are added, even if general comments are suppressed. Review feedback identifies a high-severity security risk concerning the lack of sanitization for LLM-generated content, which could permit indirect prompt injection, and recommends including pull request review events in the activity whitelist to prevent active PRs from being marked stale.

I am having trouble creating individual review comments. Click here to see my feedback.

.github/scripts/apply-issue-labels.cjs (214-221)

security-high high

The script incorporates LLM-generated content (entry.explanation) directly into GitHub issue comments without any validation or sanitization. This creates a vulnerability to Indirect Prompt Injection. An attacker can craft a malicious issue description or comment that tricks the LLM into generating harmful content (e.g., phishing links, malicious markdown, or misleading instructions). When the bot posts this content, it carries the authority of the repository, which can be used to deceive users or maintainers. Additionally, the script relies on the issue_number provided in the LLM output (line 80) to determine which issue to modify. Without verifying that this issue_number corresponds to the issue currently being triaged, an attacker could potentially influence the LLM to perform unauthorized actions (labeling or commenting) on arbitrary issues within the repository.

.github/scripts/gemini-lifecycle-manager.cjs (219)

high

The current whitelist of meaningful events is missing Pull Request specific activities. Since the search query on line 194 includes both issues and pull requests, a PR that is actively being reviewed (e.g., via a human review or a review request) could be incorrectly closed as stale if no comments or label changes occur.

Please add reviewed, review_requested, and review_request_removed to the whitelist to ensure PRs under active review are protected from stale closure.

        if (['commented', 'cross-referenced', 'connected', 'reopened', 'assigned', 'reviewed', 'review_requested', 'review_request_removed'].includes(e.event)) {
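The two checks the review asks for, as an added example that is not the project's apply-issue-labels.cjs: reject any entry whose issue_number is not the issue being triaged, accept only known labels, and reduce the LLM explanation to plain text before it is posted under the bot's name. The entry shape, the allowed-label set and the length cap are assumptions; both sample entries are constructed.

```javascript
// Added example, not the project's script. The entry shape {issue_number,
// labels_to_set, explanation}, the allowed-label set and the cap are assumptions.
const ALLOWED_LABELS = new Set(['status/need-information', 'kind/bug', 'area/core']);
const MAX_EXPLANATION_CHARS = 600;
// Reduce model text to plain prose: markdown links keep only their label text, bare URLs
// and HTML are dropped, and @-mentions get a zero-width space so an injected reply
// cannot ping or link people with the repository's authority.
function sanitizeExplanation(text) {
  return String(text)
    .replace(/!?\[([^\]]*)\]\([^)]*\)/g, '$1')
    .replace(/https?:\/\/\S+/gi, '[link removed]')
    .replace(/<[^>]+>/g, '')
    .replace(/@([A-Za-z0-9-]+)/g, '@\u200b$1')
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, MAX_EXPLANATION_CHARS);
}
// expectedIssue is the issue the workflow is actually running for; the model's own
// issue_number is compared against it rather than trusted, and only known labels pass.
function validateTriageEntry(entry, expectedIssue) {
  if (!entry || typeof entry !== 'object') return { ok: false, reason: 'entry is not an object' };
  if (Number(entry.issue_number) !== expectedIssue) {
    return { ok: false, reason: `issue_number ${entry.issue_number} is not the triaged issue ${expectedIssue}` };
  }
  const labels = Array.isArray(entry.labels_to_set) ? entry.labels_to_set : [];
  const unknown = labels.filter((l) => !ALLOWED_LABELS.has(l));
  if (unknown.length > 0) return { ok: false, reason: `unknown labels: ${unknown.join(', ')}` };
  return { ok: true, labels, explanation: sanitizeExplanation(entry.explanation || '') };
}
// Constructed entries: one as a well-behaved model emits it, one shaped the way an
// injected issue body might steer the model (wrong issue, link and mention smuggled in).
const cleanEntry = {
  issue_number: 123,
  labels_to_set: ['status/need-information'],
  explanation: 'Please retest on the latest version and report back.',
};
const steeredEntry = {
  issue_number: 999,
  labels_to_set: ['status/need-information'],
  explanation: 'See [this page](https://example.invalid/x) @maintainer',
};
```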

github-actions Bot commented May 13, 2026

Size Change: -2.38 kB (-0.01%)

Total Size: 34.1 MB


@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label May 13, 2026
@cocosheng-g cocosheng-g force-pushed the new-worktree branch 10 times, most recently from 223108a to 000b613 Compare May 13, 2026 21:36