feat(workflows): automate weekly SHA staleness check with issue creation

[WilliamBerryiii]

Note

Partial Completion Status (assessed 2026-02-25)

Completed:

• sha-staleness-check.yml workflow runs the staleness check on a weekly schedule
• Test-SHAStaleness.ps1 script is implemented and detects stale dependencies

Remaining:

• Workflow does not create a tracking issue when stale dependencies exceed the threshold
• No logic to update an existing open issue instead of creating duplicates
• No auto-close behavior when stale dependencies are resolved

Summary

Automate the SHA staleness check to run weekly and create a tracking issue when stale dependencies are detected.

Background

The Test-SHAStaleness.ps1 script identifies GitHub Actions and tools with outdated SHA pins. Currently this requires manual execution via npm run sha-staleness. Automating this with issue creation ensures stale dependencies don't go unnoticed.

Current State

The sha-staleness-check.yml workflow runs the check but doesn't create actionable follow-up when issues are found. Latest scan found 8 stale items:

• actions/checkout (63 days old)
• github/codeql-action/* (47 days old)
• actions/dependency-review-action (55 days old)
• actions/setup-node (33 days old)
• gitleaks tool (8.18.2 → 8.30.0)

Proposed Solution

Enhance weekly-security-maintenance.yml to:

1. Run Test-SHAStaleness.ps1
2. Parse results for stale items exceeding threshold
3. Create or update a tracking issue with:
   • List of stale dependencies
   • Age and severity
   • Remediation commands

Acceptance Criteria

• Weekly workflow creates issue when stale dependencies exceed 30-day threshold
• Issue includes actionable remediation steps
• Workflow updates existing open issue instead of creating duplicates
• Issue auto-closes when no stale dependencies remain

References

• Script: scripts/security/Test-SHAStaleness.ps1
• Workflow: .github/workflows/weekly-security-maintenance.yml
• Results: logs/sha-staleness-results.json