feat: add GitHub Actions workflow for automatic spam list updates #1359
Signed-off-by: MonaaEid <monaa_eid@hotmail.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@           Coverage Diff           @@
##             main    #1359   +/-   ##
=======================================
  Coverage   92.44%   92.44%
=======================================
  Files         139      139
  Lines        8528     8528
=======================================
  Hits         7884     7884
  Misses        644      644
```
Hi, this is MergeConflictBot. Please resolve these conflicts locally and push the changes. To assist you, please read: Thank you for contributing!
Signed-off-by: MonaaEid <monaa_eid@hotmail.com>
Signed-off-by: MontyPokemon <59332150+MonaaEid@users.noreply.github.com>
📝 Walkthrough

Adds a monthly/manual GitHub Actions workflow and a new helper script that scans closed PRs labeled "spam" and merged "Good First Issue" PRs, computes additions/removals by timeline, and opens an automated PR updating
Sequence Diagram

```mermaid
sequenceDiagram
    actor Scheduler as Monthly Scheduler
    participant Workflow as GitHub Actions Workflow
    participant Script as update-spam-list.js
    participant API as GitHub API
    participant FS as Repo FS (.github/spam-list.txt)
    participant PR as PR Service
    Scheduler->>Workflow: trigger (cron / manual)
    Workflow->>Workflow: checkout repo, set env (DRY_RUN, GITHUB_TOKEN)
    Workflow->>Script: run with github, context, core
    Script->>API: list closed PRs labeled "spam"
    API-->>Script: spam PRs
    Script->>Script: determine latest spam date per user
    Script->>API: list merged PRs labeled "Good First Issue"
    API-->>Script: merged PRs
    Script->>Script: determine latest rehab date per user
    Script->>Script: compute additions / removals by comparing timelines
    Script->>FS: read `.github/spam-list.txt`
    FS-->>Script: current list
    Script->>Script: produce updated list, prepare pr-title/pr-body/branch-name
    rect rgb(200,230,200)
        Script-->>Workflow: outputs: has-changes, pr-title, pr-body, branch-name
    end
    alt has-changes AND NOT DRY_RUN
        Workflow->>FS: write updated `.github/spam-list.txt` on branch
        FS-->>Workflow: file updated
        Workflow->>PR: create pull request with title/body/labels
        PR-->>Workflow: PR created
    else
        Workflow->>Workflow: no PR created (dry-run or no changes)
    end
```
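The "compare timelines" step in the sequence diagram above, written out as an added example. This is not the PR's `update-spam-list.js`; it assumes spam PRs carry `closed_at`, rehabilitation PRs carry `merged_at`, authors are identified by `user.login`, and that a tie between the two dates favours the contributor. The PR objects and the current list are constructed, not real users.

```javascript
// Added example, not the PR's update-spam-list.js: the spam-vs-rehabilitation
// timeline comparison from the sequence diagram, on constructed PR objects.
// Assumed field names: `closed_at` on spam PRs, `merged_at` on rehabilitation
// PRs, `user.login` for the author (the shapes the GitHub REST API returns).

// Most recent timestamp (ms since epoch) per login for one kind of event.
function latestPerUser(prs, dateField) {
  const latest = new Map();
  for (const pr of prs) {
    const login = pr.user && pr.user.login;
    const ts = Date.parse(pr[dateField]);
    // Deleted accounts (user: null) and unparsable dates are skipped, not guessed.
    if (!login || Number.isNaN(ts)) continue;
    const prev = latest.get(login);
    if (prev === undefined || ts > prev) latest.set(login, ts);
  }
  return latest;
}

// A login belongs on the list when its latest spam event is strictly newer
// than its latest rehabilitation event; a tie favours the contributor
// (assumption of this example). A listed user is removed only on positive
// evidence of rehabilitation; a listed user with no events at all stays listed.
function computeSpamListUpdate(spamPrs, rehabPrs, currentList) {
  const spam = latestPerUser(spamPrs, 'closed_at');
  const rehab = latestPerUser(rehabPrs, 'merged_at');
  const current = new Set(currentList);

  const shouldBeListed = new Set();
  for (const [login, spamTs] of spam) {
    const rehabTs = rehab.get(login);
    if (rehabTs === undefined || spamTs > rehabTs) shouldBeListed.add(login);
  }

  const additions = [...shouldBeListed].filter((u) => !current.has(u)).sort();
  const removals = [...current]
    .filter((u) => rehab.has(u) && !shouldBeListed.has(u))
    .sort();

  const updated = new Set(current);
  for (const u of additions) updated.add(u);
  for (const u of removals) updated.delete(u);

  return {
    additions,
    removals,
    updatedList: [...updated].sort(),
    hasChanges: additions.length > 0 || removals.length > 0,
  };
}

// Constructed sample data (not real PRs or users).
const SAMPLE_SPAM_PRS = [
  { number: 10, user: { login: 'alice' }, closed_at: '2025-01-05T10:00:00Z' },
  { number: 11, user: { login: 'bob' }, closed_at: '2025-02-01T10:00:00Z' },
  { number: 12, user: { login: 'bob' }, closed_at: '2025-03-15T10:00:00Z' }, // newer spam from bob
  { number: 13, user: { login: 'carol' }, closed_at: '2025-01-20T10:00:00Z' },
  { number: 14, user: null, closed_at: '2025-01-21T10:00:00Z' },             // deleted account
];
const SAMPLE_REHAB_PRS = [
  { number: 20, user: { login: 'alice' }, merged_at: '2025-02-10T10:00:00Z' }, // after alice's spam
  { number: 21, user: { login: 'bob' }, merged_at: '2025-03-01T10:00:00Z' },   // before bob's newer spam
  { number: 22, user: { login: 'dave' }, merged_at: '2025-03-02T10:00:00Z' },  // listed, never spammed
];
const SAMPLE_CURRENT_LIST = ['alice', 'dave', 'erin'];

const result = computeSpamListUpdate(SAMPLE_SPAM_PRS, SAMPLE_REHAB_PRS, SAMPLE_CURRENT_LIST);
console.log(JSON.stringify(result, null, 2));
```

On the sample, `bob` and `carol` are added (bob's newest spam postdates his merged PR, carol has no rehabilitation), `alice` and `dave` are removed (both have a merged PR newer than any spam), and `erin` stays because there is no evidence either way. Keeping the "no evidence means no change" rule is what makes the monthly run safe to rerun: it never clears the list just because the API call for one label returned nothing.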
Actionable comments posted: 7
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (3)
- .github/scripts/update-spam-list.js
- .github/workflows/cron-update-spam-list.yml
- CHANGELOG.md
🧰 Additional context used

📓 Path-based instructions (2)

`.github/scripts/**/*.js` (⚙️ CodeRabbit configuration file)

Review JavaScript scripts as long-lived automation code. Scripts must remain:
- Focused
- Readable
- Purpose-built

- All `context.payload` fields MUST be validated
- Free-form text MUST NOT be trusted
- Dynamic code execution is prohibited
- Avoid `child_process.exec`; prefer `execFile` if needed
- All async operations MUST be wrapped in try/catch
- Errors MUST include contextual metadata
- Duplicate API calls MUST be avoided
- Marker-based deduplication is required
- Scripts MUST NOT assume write access
- Permission failures MUST be handled gracefully

Files:
- .github/scripts/update-spam-list.js

`.github/workflows/**/*` (⚙️ CodeRabbit configuration file)

Review workflows as security-sensitive infrastructure. A good workflow is small, focused, and boring. If a workflow is clever, generic, or overly flexible, it is a risk.

PRIORITY 0 — ABSOLUTE REQUIREMENTS
- All third-party actions MUST be pinned to full commit SHAs, similar to other workflows.
- `permissions:` MUST be explicitly declared and minimally scoped.
- Workflows MUST behave safely when executed from forks.
- YAML MUST orchestrate steps, not implement business logic.
- Any workflow that mutates GitHub state MUST support dry-run mode.
- Dry-run behavior must be explicit and visible in logs.
- Workflows MUST NOT modify repository source code outside `.github/`.

PRIORITY 1 — SCOPE, FOCUS & RESTRAINT
- The title of each workflow must be relevant, match similar naming schemes, and match its script filename.
- Each workflow MUST have a single, clearly defined objective and SHOULD document this in a top-level comment.
- Flag workflows that:
  - Attempt to be generic “frameworks”
  - Include speculative or future-facing logic
  - Perform actions unrelated to the stated goal
- Over-abstraction and excess flexibility are maintenance risks.

PRIORITY 2 — INPUT HARDENING
- Treat ALL GitHub event data as potentially hostile input, including:
  - issue titles, bodies, and comments
  - labels, usernames, branch names
- Free-form user input MUST NOT be passed directly into:
  - shell commands
  - gh CLI arguments
  - Node.js exec / spawn calls
- Require strict allowlists or exact string matches.
- Flag any use of:
  - eval or bash -c
  - backticks or $(...) with user-controlled input
------------------...

Files:
- .github/workflows/cron-update-spam-list.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
- GitHub Check: Agent
- GitHub Check: Codacy Static Code Analysis
- GitHub Check: build-and-test (3.12)
- GitHub Check: build-and-test (3.11)
- GitHub Check: build-and-test (3.13)
- GitHub Check: build-and-test (3.10)
- GitHub Check: run-examples
- GitHub Check: StepSecurity Harden-Runner
🔇 Additional comments (7)

CHANGELOG.md (1)

90-90: LGTM! The changelog entry is concise and accurately describes the new feature. Consider adding an issue reference (e.g., `(#1303)`) for traceability, consistent with many other entries in this file.

.github/scripts/update-spam-list.js (4)

18-73: LGTM! The computation logic correctly handles the date-based precedence for spam vs rehabilitation, including the edge cases where users may have multiple events. Error handling for missing files is appropriate.

76-91: LGTM! Dry-run mode is properly implemented with clear logging, and the directory creation is a good defensive measure.

95-125: LGTM! The summary generation provides clear, well-formatted output for the automated PR.

192-198: This review comment is incorrect—the code is working as intended. The `github.paginate.iterator()` yields response objects where `data` contains the array directly (from other usages in the codebase like `coderabbit_plan_trigger.js`, which does `for await (const { data: page } of iterator)` followed by `comments.push(...page)`). The destructuring `{ data: items }` correctly assigns the array to `items`, and the subsequent loop `for (const pr of items)` properly iterates over PR objects. No fix is needed.

.github/workflows/cron-update-spam-list.yml (2)

3-19: LGTM! Good implementation:
- Monthly schedule is appropriate for spam list maintenance
- Dry-run defaults to `true` for manual runs (safe)
- Scheduled runs default to `false` (operational)
- Permissions are minimal and appropriate for the operations

48-59: LGTM! The PR creation step correctly:
- Gates on both `has-changes` and `DRY_RUN`
- Scopes the commit to only `.github/spam-list.txt` via `add-paths`
- Uses appropriate labels for tracking automated changes
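The PRIORITY 2 input-hardening rules and the marker-based deduplication rule quoted in the path-based instructions above, applied to this automation as an added example. This is not the project's script: `isValidLogin`, `hasExactLabel`, `collectLogins`, `parseSpamList`, `findByMarker` and the `<!-- spam-list-update -->` marker are this example's own names. The login rule it enforces (1 to 39 ASCII alphanumerics or single hyphens, no hyphen at either end) is the one GitHub states on its signup form and is treated here as an assumption; the PR objects and the on-disk list are constructed.

```javascript
// Added example, not the project's script: input hardening for the spam-list
// automation per the PRIORITY 2 rules, plus marker-based deduplication.
// Every function name and the marker string are this example's own.

// GitHub login rule as stated on GitHub's signup form (an assumption here):
// 1-39 ASCII alphanumerics or single hyphens, no hyphen at either end.
// Anything else (newlines, spaces, path characters) is rejected outright
// rather than "cleaned", so one hostile login can never inject a second line
// into spam-list.txt or an extra argument into a command.
const LOGIN_RE = /^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$/;

function isValidLogin(login) {
  return typeof login === 'string' && LOGIN_RE.test(login);
}

// Exact string match on label names: "Spam", "spam " and "not-spam" do not
// count. Tolerates a missing or malformed `labels` array from the API.
function hasExactLabel(pr, wanted) {
  const labels = pr && Array.isArray(pr.labels) ? pr.labels : [];
  return labels.some((l) => l && l.name === wanted);
}

// Logins of PRs carrying `label`, validated before they can reach the list.
// Rejected entries are returned with their PR number so the run can report
// them with context instead of silently dropping them or, worse, writing them.
function collectLogins(prs, label) {
  const logins = new Set();
  const skipped = [];
  for (const pr of prs) {
    if (!hasExactLabel(pr, label)) continue;
    const login = pr.user ? pr.user.login : null;
    if (isValidLogin(login)) logins.add(login);
    else skipped.push({ number: pr.number, login });
  }
  return { logins: [...logins].sort(), skipped };
}

// The on-disk list is untrusted input too: one login per line, `#` comments
// and blank lines ignored, invalid lines reported rather than propagated.
function parseSpamList(text) {
  const valid = new Set();
  const rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (isValidLogin(line)) valid.add(line);
    else rejected.push(line);
  }
  return { logins: [...valid].sort(), rejected };
}

// Marker-based deduplication: the automated PR carries a hidden HTML comment
// in its body, so a rerun can find and update it instead of opening a
// duplicate. The marker string is this example's own.
const UPDATE_MARKER = '<!-- spam-list-update -->';

function findByMarker(items, marker = UPDATE_MARKER) {
  return items.find((it) => it && typeof it.body === 'string' && it.body.includes(marker)) || null;
}

// Constructed sample PR objects (not real PRs or users).
const SAMPLE_PRS = [
  { number: 1, user: { login: 'alice' }, labels: [{ name: 'spam' }], body: 'buy now' },
  { number: 2, user: { login: 'bob-2' }, labels: [{ name: 'Spam' }], body: '' },        // case differs
  { number: 3, user: { login: 'evil\nadmin' }, labels: [{ name: 'spam' }], body: '' },  // hostile login
  { number: 4, user: { login: 'carol' }, labels: [{ name: 'not-spam' }], body: '' },
  { number: 5, user: null, labels: [{ name: 'spam' }], body: '' },                       // deleted account
  { number: 6, user: { login: 'dave' }, labels: [{ name: 'spam' }, { name: 'Good First Issue' }],
    body: 'chore: update spam list\n\n' + UPDATE_MARKER },
];

// Constructed on-disk list with two malformed lines.
const SAMPLE_LIST_TEXT = '# one login per line\nalice\n\nbob\nevil admin\n-x\nalice\n';

console.log(collectLogins(SAMPLE_PRS, 'spam'));
console.log(parseSpamList(SAMPLE_LIST_TEXT));
console.log(findByMarker(SAMPLE_PRS) && findByMarker(SAMPLE_PRS).number);
```

The point of validating at both ends (logins coming from the API and lines already in the file) is that the file is committed by a workflow with write permission: a single entry such as `evil\nadmin` that slipped through once would otherwise be re-read and re-emitted on every monthly run. Rejected entries surface in the run's output with the PR number, which is the contextual metadata the script guidelines ask for.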
```javascript
core.setOutput('has-changes', hasChanges.toString());
core.setOutput('pr-title', title);
core.setOutput('pr-body', body);
core.setOutput('branch-name', branchName);
```
🧹 Nitpick | 🔵 Trivial
Minor: Outputs are set redundantly.
The script sets outputs via core.setOutput here, but the workflow YAML also sets them from the returned object. Consider removing one set to avoid confusion. The workflow's inline setting (lines 42-45) can be removed since the script already handles it.
```yaml
jobs:
  update-spam-list:
    runs-on: ubuntu-latest
```
Add a concurrency group to prevent overlapping runs.
Per coding guidelines, workflows that mutate state must define a deterministic concurrency group to be safe under retries and parallel execution. Without this, overlapping scheduled or manual runs could create conflicting branches/PRs.
🔎 Proposed fix

```diff
 jobs:
   update-spam-list:
     runs-on: ubuntu-latest
+    concurrency:
+      group: spam-list-update
+      cancel-in-progress: false
     steps:
```
Signed-off-by: MonaaEid <monaa_eid@hotmail.com>
Actionable comments posted: 1
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
📒 Files selected for processing (1)
CHANGELOG.md
```markdown
- Added workflow to prevent assigning intermediate issues to contributors without prior Good First Issue completion (#1143).
- Added `Client.from_env()` and network-specific factory methods (e.g., `Client.for_testnet()`) to simplify client initialization and reduce boilerplate. [[#1251](https://github.com/hiero-ledger/hiero-sdk-python/issues/1251)]
- Improved unit test coverage for `TransactionId` class, covering parsing logic, hashing, and scheduled transactions.
- Add GitHub Actions script and workflow for automatic spam list updates.
```
🛠️ Refactor suggestion | 🟠 Major
Add issue reference for consistency with similar entries.
While the changelog entry is factually accurate, it should include a reference to issue #1303 (as mentioned in the PR objectives) to maintain consistency with similar workflow entries throughout the CHANGELOG (e.g., cron-check-broken-links references #1210, merge-conflict-bot references #1247).
Consider updating the entry to:
- Add GitHub Actions script and workflow for automatic spam list updates. (#1303)
aceppaluni
left a comment
This pull request introduces an automated system for maintaining a spam user list in the repository.

Automated Spam List Management

`.github/scripts/update-spam-list.js`, a script that:
- `.github/spam-list.txt` by adding or removing users based on their most recent activity.
- `CHANGELOG.md` with an entry describing the spam list update.

Related issue(s):
Fixes #1303