ci: switch actions freshness tracker from issues to draft PR

[Mehdi-Bl]

Summary\n- replace actions-freshness issue management with tracker pull request management\n- create/update a draft tracker PR on findings, close it when clean\n- update workflow permissions to use pull-requests/content write and drop issues access\n\n## Validation\n- node --check scripts/audit-actions-freshness.js\n- npm run test -- --runInBand tests/unit/scripts/actions-freshness.test.js\n- node scripts/audit-actions-freshness.js --report /tmp/actions-freshness-report.md --json /tmp/actions-freshness-report.json

Summary by Sourcery

Switch the actions freshness automation from managing a tracking issue to managing a draft tracker pull request backed by a dedicated branch and file.

Enhancements:

• Introduce support in the actions freshness audit script for creating, updating, and closing a tracker pull request with a persisted markdown report file.

CI:

• Update the actions-freshness workflow to use pull-request based tracking, including adjusted script flags and GitHub permissions from issues:write to contents:write and pull-requests:write.

Summary by CodeRabbit

• New Features

  • Action freshness audit now creates and manages tracking pull requests (with branch/file tracking) instead of issues.
  • Workflow now appends a step-summary warning and continues when PR permission limitations are encountered.

• Changes

  • GitHub Actions workflow permissions expanded to allow write access for contents and pull-requests.
  • Updated audit behavior, messages, and defaults to use pull-request-based tracking and lifecycle actions.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Switch actions freshness tracker from issues to draft PR

✨ Enhancement

Walkthroughs

Description

• Replace issue-based tracking with draft pull request management
• Add support for managing tracker via dedicated branch and file
• Update workflow permissions from issues/read to pull-requests/write
• Support backward compatibility with --issue-title and --manage-issue flags

Diagram

flowchart LR
  A["Issue-based Tracking"] -->|Replace| B["Draft PR Tracking"]
  B --> C["Dedicated Branch"]
  B --> D["Tracker File"]
  B --> E["PR Management"]
  C --> F["automation/actions-freshness-tracker"]
  D --> G[".github/actions-freshness-tracker.md"]
  E --> H["Create/Update/Close PR"]

Loading

File Changes

1. scripts/audit-actions-freshness.js ✨ Enhancement +214/-61

Migrate from issue to draft PR tracking system

• Replaced issue management with pull request tracking using dedicated branch and file
• Added new CLI options: --pr-branch, --pr-file-path, --manage-pr (with backward
 compatibility)
• Implemented helper functions: toGitHubRefPath(), toGitHubContentPath(),
 getRepositoryMetadata(), ensureTrackingPullRequestBranch(), upsertTrackingPullRequestFile()
• Refactored tracking logic from findTrackingIssue() to findTrackingPullRequest() with
 branch-based filtering
• Updated PR creation to include draft: true flag and store content in dedicated tracker file

scripts/audit-actions-freshness.js

---

2. .github/workflows/actions-freshness.yml ⚙️ Configuration changes +4/-4

Update workflow permissions and step naming

• Updated workflow permissions from contents: read and issues: write to contents: write and
 pull-requests: write
• Changed step name from "manage tracking issue" to "manage tracking pull request"
• Updated CLI invocation from --manage-issue to --manage-pr

.github/workflows/actions-freshness.yml

---

[sourcery-ai]

Reviewer's Guide

Switches the actions freshness automation from managing an issue to managing a draft tracker pull request, including new CLI options, GitHub API workflow for maintaining a tracker branch and file, and workflow permission updates.

Sequence diagram for managing tracker pull request when findings exist

sequenceDiagram
    actor GitHubActionsRunner
    participant AuditScript as audit_actions_freshness_js
    participant GitHubAPI

    GitHubActionsRunner->>AuditScript: node scripts/audit-actions-freshness.js --manage-pr
    AuditScript->>AuditScript: parseArguments(argv)
    AuditScript->>AuditScript: scanWorkflowsAndBuildReports()
    AuditScript->>AuditScript: writeReportFiles()
    AuditScript->>AuditScript: upsertTrackingPullRequest(token, owner, repository, pullRequestTitle, pullRequestBranch, pullRequestFilePath, staleCount, resolutionErrorCount, reportMarkdown)
    alt existing_open_tracker_pr
        AuditScript->>GitHubAPI: GET /pulls?state=open&head=owner:pullRequestBranch
        GitHubAPI-->>AuditScript: 200 existing_pull_requests
    else no_existing_tracker_pr
        AuditScript->>GitHubAPI: GET /pulls?state=open&head=owner:pullRequestBranch
        GitHubAPI-->>AuditScript: 200 []
    end
    AuditScript->>GitHubAPI: GET /repos/owner/repository
    GitHubAPI-->>AuditScript: 200 { default_branch }
    AuditScript->>GitHubAPI: GET /git/ref/heads/default_branch
    GitHubAPI-->>AuditScript: 200 { sha }
    alt tracking_branch_exists
        AuditScript->>GitHubAPI: GET /git/ref/heads/pullRequestBranch
        GitHubAPI-->>AuditScript: 200 { sha }
    else tracking_branch_missing
        AuditScript->>GitHubAPI: POST /git/refs (ref=refs/heads/pullRequestBranch, sha=default_branch_sha)
        GitHubAPI-->>AuditScript: 201 ref_created
    end
    AuditScript->>GitHubAPI: GET /contents/pullRequestFilePath?ref=pullRequestBranch
    alt file_exists
        GitHubAPI-->>AuditScript: 200 { sha, content }
        AuditScript->>GitHubAPI: PUT /contents/pullRequestFilePath (branch=pullRequestBranch, content=updated_file, sha=existing_sha)
        GitHubAPI-->>AuditScript: 200 file_updated
    else file_missing
        GitHubAPI-->>AuditScript: 404
        AuditScript->>GitHubAPI: PUT /contents/pullRequestFilePath (branch=pullRequestBranch, content=new_file)
        GitHubAPI-->>AuditScript: 201 file_created
    end
    alt tracker_pr_exists
        AuditScript->>GitHubAPI: PATCH /pulls/trackingPullRequestNumber (title=pullRequestTitle, body=marker_plus_report)
        GitHubAPI-->>AuditScript: 200 pull_request_updated
    else tracker_pr_missing
        AuditScript->>GitHubAPI: POST /pulls (title=pullRequestTitle, head=pullRequestBranch, base=default_branch, body=marker_plus_report, draft=true)
        GitHubAPI-->>AuditScript: 201 draft_pull_request_created
    end
    AuditScript-->>GitHubActionsRunner: exit 0 with report paths

Loading

Sequence diagram for closing tracker pull request when repository is clean

sequenceDiagram
    actor GitHubActionsRunner
    participant AuditScript as audit_actions_freshness_js
    participant GitHubAPI

    GitHubActionsRunner->>AuditScript: node scripts/audit-actions-freshness.js --manage-pr
    AuditScript->>AuditScript: parseArguments(argv)
    AuditScript->>AuditScript: scanWorkflowsAndBuildReports()
    AuditScript->>AuditScript: writeReportFiles()
    AuditScript->>AuditScript: upsertTrackingPullRequest(..., staleCount=0, resolutionErrorCount=0, ...)
    AuditScript->>GitHubAPI: GET /pulls?state=open&head=owner:pullRequestBranch
    alt tracker_pr_found
        GitHubAPI-->>AuditScript: 200 [tracking_pull_request]
        AuditScript->>GitHubAPI: PATCH /pulls/trackingPullRequestNumber (state=closed)
        GitHubAPI-->>AuditScript: 200 pull_request_closed
    else no_tracker_pr
        GitHubAPI-->>AuditScript: 200 []
        AuditScript-->>GitHubActionsRunner: no_action_needed
    end
    AuditScript-->>GitHubActionsRunner: exit 0 with report paths

Loading

Class diagram for updated actions freshness tracker script

classDiagram
    class ScriptOptions {
      string reportPath
      string jsonPath
      string workflowDirectory
      boolean failOnStale
      boolean managePullRequest
      string pullRequestTitle
      string pullRequestBranch
      string pullRequestFilePath
    }

    class AuditActionsFreshnessModule {
      +parseArguments(argv)
      +buildMarkdownReport(results)
      +buildJsonReport(results)
      +getRepositoryMetadata(owner, repository, token)
      +ensureTrackingPullRequestBranch(owner, repository, token, defaultBranch, trackingBranch)
      +upsertTrackingPullRequestFile(owner, repository, token, trackingBranch, filePath, content)
      +findTrackingPullRequest(owner, repository, token, trackingBranch)
      +closeTrackingPullRequest(owner, repository, pullRequestNumber, token)
      +upsertTrackingPullRequest(token, owner, repository, pullRequestTitle, pullRequestBranch, pullRequestFilePath, staleCount, resolutionErrorCount, reportMarkdown)
      +run()
    }

    class GitHubAPIHelpers {
      +githubRequest(endpoint, token, method, body)
      +toGitHubRefPath(value)
      +toGitHubContentPath(filePath)
    }

    class Reports {
      number staleCount
      number resolutionErrorCount
      string markdownReport
      string jsonReport
    }

    AuditActionsFreshnessModule --> ScriptOptions : uses
    AuditActionsFreshnessModule --> GitHubAPIHelpers : calls
    AuditActionsFreshnessModule --> Reports : produces
    GitHubAPIHelpers <.. Reports : data sent via githubRequest

Loading

File-Level Changes

Change	Details	Files
Replace tracking issue management with draft tracker pull request management in the actions freshness audit script.	Rename issue-related defaults and options to pull-request equivalents (title, manage flag) and add options for tracker branch and file path. Extend CLI parsing to accept --pr-title/--pr-branch/--pr-file-path/--manage-pr while keeping backwards-compatible aliases for legacy flags like --issue-title/--manage-issue. Validate presence of pull-request-related options (title, branch, file path) in argument parsing and update error messages accordingly.	scripts/audit-actions-freshness.js
Introduce helpers and GitHub API flows to maintain a tracker branch, tracker file, and draft pull request instead of an issue.	Add path encoding helpers for refs and repository contents to safely construct GitHub API URLs. Add repository metadata fetch and ensureTrackingPullRequestBranch to create/update the dedicated automation tracking branch based on the default branch. Add upsertTrackingPullRequestFile to create or update a markdown tracker file in the tracking branch, encoding content via the contents API. Replace issue search/close/upsert with pull request equivalents, including querying by head branch, closing the PR when clean, and creating/updating a draft PR containing the report and a marker. Update tracker logging messages to reference pull requests and the new behavior.	scripts/audit-actions-freshness.js
Wire the new pull request management behavior into the main audit flow and adjust workflow permissions/step invocation.	Update the main run() logic to call upsertTrackingPullRequest when management is enabled, passing token, repo metadata, PR title, branch, file path, and report data. Change error messages in run() to mention tracker pull request management instead of issue management. Update the GitHub Actions workflow to grant contents: write and pull-requests: write permissions instead of issues: write, and to invoke the script with --manage-pr rather than --manage-issue, along with updated step naming.	scripts/audit-actions-freshness.js .github/workflows/actions-freshness.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces issue-based tracking with pull-request-based tracking for the actions-freshness audit: workflow permissions updated for PR creation, CLI flag switched from --manage-issue to --manage-pr, and the audit script was refactored to manage tracking branches, files, and PR lifecycle via new PR-focused helpers and error handling.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/actions-freshness.yml	Expanded permissions to contents: write and pull-requests: write; step renamed and script argument changed from --manage-issue to --manage-pr.
Audit Script — PR Tracking Refactor scripts/audit-actions-freshness.js	Full migration from issue to pull-request tracking: CLI options replaced (manageIssue → managePullRequest, issueTitle → pullRequestTitle, plus branch/file flags); added PR lifecycle helpers (ensureTrackingPullRequestBranch, findTrackingPullRequest, upsertTrackingPullRequest, upsertTrackingPullRequestFile, closeTrackingPullRequest), repository/Path utilities (getRepositoryMetadata, toGitHubRefPath, toGitHubContentPath), step-summary warning utils, and PR-permission error handling; replaced all issue-related logic/messages with PR equivalents.
Misc / Public API Surface scripts/audit-actions-freshness.js (exports)	Function signatures and exported names updated to reflect PR-based flow (new exports listed; old issue-based exports removed/renamed).

Sequence Diagram(s)

sequenceDiagram
    participant Action as GitHub Action
    participant Script as audit-actions-freshness.js
    participant GHAPI as GitHub REST API
    participant Repo as Repository (branches, files, PRs)

    Action->>Script: run with --manage-pr + token
    Script->>GHAPI: getRepositoryMetadata()
    GHAPI-->>Script: default branch, repo info
    Script->>GHAPI: ensureTrackingPullRequestBranch(trackingBranch)
    GHAPI-->>Repo: create/update branch ref
    Script->>GHAPI: findTrackingPullRequest(trackingBranch)
    alt PR exists
        GHAPI-->>Script: pull request found
        Script->>GHAPI: upsertTrackingPullRequestFile(trackingBranch, filePath, content)
        GHAPI-->>Repo: update file in tracking branch
        Script->>GHAPI: upsertTrackingPullRequest(...) 
    else PR missing
        Script->>GHAPI: create tracking branch and file
        GHAPI-->>Repo: branch+file created
        Script->>GHAPI: create pull request from trackingBranch
    end
    GHAPI-->>Script: PR created/updated or permission error
    alt permission error
        Script->>Action: appendStepSummaryWarning()
    end
    Script->>Action: exit with status

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• ci: automate GitHub Actions freshness audits #66: Mirrors this change set—converts audit-actions-freshness tracking from issues to pull requests, adding PR branch/file management and updating workflow permissions.

Poem

🐰 From issues past I spring anew,
I nibble branches, stitch a PR glue,
Tracker file tucked in tidy row,
Hopping commits where fresh winds blow,
sniffs the CI carrot and grins 🌿

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (6 files): ⚔️ .github/workflows/actions-freshness.yml (content) ⚔️ .github/workflows/sonarcloud.yml (content) ⚔️ scripts/audit-actions-freshness.js (content) ⚔️ scripts/lib/sonar-options.js (content) ⚔️ sonar-project.properties (content) ⚔️ tests/unit/scripts/sonar-options.test.js (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: switching the actions freshness tracker from issue-based to pull-request-based management.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/actions-freshness-tracker-pr

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch fix/actions-freshness-tracker-pr
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.16.0)

scripts/audit-actions-freshness.js

┌──────────────┐
│ Opengrep CLI │
└──────────────┘

�[32m✔�[39m �[1mOpengrep OSS�[0m
�[32m✔�[39m Basic security coverage for first-party code vulnerabilities.

�[1m Loading rules from local config...�[0m

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Mehdi-Bl, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request transitions the automated GitHub Actions freshness tracking mechanism from utilizing GitHub Issues to leveraging draft Pull Requests. This change aims to streamline the process of reporting and resolving stale action references by providing a dedicated, version-controlled artifact (a draft PR with a tracking file) that can be easily updated or closed based on audit findings, offering a more integrated and actionable tracking method within the development workflow.

Highlights

• Transitioned Tracking Mechanism: Switched the CI actions freshness tracker from using GitHub Issues to utilizing draft Pull Requests for managing stale action references.
• Automated Draft PR Management: Implemented logic to automatically create or update a draft tracking pull request when stale actions are detected, and to close it once all issues are resolved.
• Updated Script Configuration: Modified the script's argument parsing and default options to support new pull request specific parameters, including title, branch, and file path for the tracker.
• Enhanced GitHub API Interactions: Introduced new functions for interacting with the GitHub API to manage branches, create/update files within those branches, and find, create, or close pull requests programmatically.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• scripts/audit-actions-freshness.js
  • Replaced issue-related constants and default options with pull request specific ones.
  • Updated command-line argument parsing to support new pull request parameters (--pr-title, --pr-branch, --pr-file-path, --manage-pr).
  • Introduced new functions for GitHub API interactions to manage branches, create/update files, and find/create/close pull requests.
  • Refactored the core logic to use draft pull requests for tracking stale GitHub Actions, ensuring a branch and a tracking file are maintained.
  • Modified the main run function to invoke the new pull request management workflow.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/actions-freshness.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• Consider adding an explicit deprecation path for the old --manage-issue / --issue-title flags (e.g., a warning log when they are used), since they are now silently repurposed for PR management and that may surprise existing consumers of the script.
• The new toGitHubRefPath and toGitHubContentPath helpers currently perform the same transformation; if there is no anticipated divergence in behavior, you could consolidate them into a single utility to reduce duplication.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider adding an explicit deprecation path for the old `--manage-issue` / `--issue-title` flags (e.g., a warning log when they are used), since they are now silently repurposed for PR management and that may surprise existing consumers of the script.
- The new `toGitHubRefPath` and `toGitHubContentPath` helpers currently perform the same transformation; if there is no anticipated divergence in behavior, you could consolidate them into a single utility to reduce duplication.

## Individual Comments

### Comment 1
<location> `scripts/audit-actions-freshness.js:56-57` </location>
<code_context>

-    if (argument === '--issue-title') {
-      options.issueTitle = argv[index + 1];
+    if (argument === '--issue-title' || argument === '--pr-title') {
+      options.pullRequestTitle = argv[index + 1];
       index += 1;
       continue;
</code_context>

<issue_to_address>
**suggestion:** Flag alias naming and error message can be confusing for users migrating from `--issue-title`.

The parser accepts both `--issue-title` and `--pr-title`, but validation reports `The --pr-title option requires a value.` even when the user passed `--issue-title`. That’s potentially confusing. Either explicitly deprecate `--issue-title` with a targeted message, or adjust the validation error to mention both flags so the message matches the accepted aliases.

Suggested implementation:

```javascript
    if (argument === '--issue-title' || argument === '--pr-title') {
      options.pullRequestTitle = argv[index + 1];
      index += 1;
      continue;
    }

```

```javascript
    throw new Error('The --pr-title/--issue-title option requires a value (both flags are accepted aliases).');

```

I assumed the validation error currently uses the exact string `The --pr-title option requires a value.` in `scripts/audit-actions-freshness.js`. If the wording or location is slightly different, update that specific error message string in the same way so that it mentions both `--pr-title` and `--issue-title` and clarifies that they are aliases. No other behavioral changes are required to satisfy your review comment.
</issue_to_address>

### Comment 2
<location> `scripts/audit-actions-freshness.js:481-490` </location>
<code_context>
+}

+async function findTrackingPullRequest({ owner, repository, token, trackingBranch }) {
+  const pullRequests = await githubRequest({
+    endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/pulls?state=open&head=${encodeURIComponent(`${owner}:${trackingBranch}`)}&per_page=10`,
+    token,
+  });
+
+  if (!Array.isArray(pullRequests) || pullRequests.length === 0) {
+    return null;
+  }
+
+  return (
+    pullRequests.find(
+      (pullRequest) =>
</code_context>

<issue_to_address>
**issue (bug_risk):** `findTrackingPullRequest` falls back to the first open PR even if it’s not a tracker, which can update unrelated PRs.

If an open PR from the tracking branch doesn’t include `TRACKING_PULL_REQUEST_MARKER`, this will still return `pullRequests[0]`, causing `upsertTrackingPullRequest` to overwrite and later close that PR. That can affect manually created PRs on the same branch. Consider only operating on PRs that contain the marker, or treating a missing marker as “no tracking PR” and skipping create/update rather than falling back to the first PR.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request refactors the actions freshness tracker to use draft pull requests instead of issues for reporting. The changes are well-structured, replacing issue-management logic with new functions for handling git branches, files, and pull requests. My review includes a couple of suggestions to enhance the robustness and user-friendliness of the new implementation, bringing it in line with the helpful features of the previous issue-based system.

[gemini-code-assist]

The fallback to pullRequests[0] is too lenient and could lead to updating an incorrect pull request if multiple PRs are open from the automation branch and none have the tracking marker. It's safer to only consider PRs that explicitly contain the TRACKING_PULL_REQUEST_MARKER. If no matching PR is found, this function will return undefined, and the upsertTrackingPullRequest function will correctly create a new one.

  return pullRequests.find(
    (pullRequest) =>
      typeof pullRequest.body === 'string' &&
      pullRequest.body.includes(TRACKING_PULL_REQUEST_MARKER)
  );

[gemini-code-assist]

The previous implementation for closing tracker issues added a comment to provide context for the closure. This is a helpful practice that should be retained for pull requests. You can add a comment to a pull request via the issues API, using the pull request number.

async function closeTrackingPullRequest({ owner, repository, pullRequestNumber, token }) {
  await githubRequest({
    endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/issues/${pullRequestNumber}/comments`,
    token,
    method: 'POST',
    body: {
      body: 'Automated actions freshness audit is clean. Closing this tracker pull request.',
    },
  });

  await githubRequest({
    endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/pulls/${pullRequestNumber}`,
    token,
    method: 'PATCH',
    body: {
      state: 'closed',
    },
  });
}

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (3) 📎 Requirement gaps (0)

1. Tracker branch can drift 🐞 Bug ⛯ Reliability

Description

The tracking branch is only created when missing and is never fast-forwarded/reset to the current
default-branch tip. Over time, the tracker PR will accumulate unrelated diffs/commits from the
default branch, making it noisy and potentially unreviewable.

Code

scripts/audit-actions-freshness.js[R398-435]

+async function ensureTrackingPullRequestBranch({
+  owner,
+  repository,
+  token,
+  defaultBranch,
+  trackingBranch,
+}) {
+  const defaultBranchRef = await githubRequest({
+    endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/ref/heads/${toGitHubRefPath(defaultBranch)}`,
+    token,
+  });
+  const defaultBranchSha = defaultBranchRef && defaultBranchRef.object ? defaultBranchRef.object.sha : '';
+  if (!defaultBranchSha) {
+    throw new Error(`Could not resolve latest commit on ${defaultBranch}.`);
+  }
+
+  try {
+    await githubRequest({
+      endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/ref/heads/${toGitHubRefPath(trackingBranch)}`,
   token,
 });
-
-    if (!Array.isArray(issues) || issues.length === 0) {
-      return null;
+  } catch (error) {
+    if (error.status !== 404) {
+      throw error;
 }
-    const trackingIssue = issues.find(
-      (issue) =>
-        !issue.pull_request &&
-        issue.title === issueTitle &&
-        typeof issue.body === 'string' &&
-        issue.body.includes(TRACKING_ISSUE_MARKER)
-    );
+    await githubRequest({
+      endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/refs`,
+      token,
+      method: 'POST',
+      body: {
+        ref: `refs/heads/${trackingBranch}`,
+        sha: defaultBranchSha,
+      },
+    });
+    console.log(`[actions-freshness] Created branch ${trackingBranch}`);
+  }
+}

Evidence

ensureTrackingPullRequestBranch fetches the default branch SHA, then merely checks whether the
tracking branch ref exists; if it exists, it does nothing (no update/reset).
upsertTrackingPullRequest then commits the tracker file onto that potentially stale branch and uses
it as the PR head.

scripts/audit-actions-freshness.js[398-435]
scripts/audit-actions-freshness.js[551-577]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The tracker branch (`automation/actions-freshness-tracker`) is only created once and never updated afterwards. This causes the tracker PR to gradually include unrelated diffs from the default branch.
### Issue Context
`ensureTrackingPullRequestBranch` checks for the branch ref and only creates it on 404. If it exists, it does not move it to the latest default-branch commit.
### Fix Focus Areas
- scripts/audit-actions-freshness.js[398-435]
- scripts/audit-actions-freshness.js[551-577]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

✅ 2. Closed PR never reused 🐞 Bug ⛯ Reliability

Description

The tracker PR lookup only searches open PRs; once the workflow closes the tracker PR on a clean
run, a later stale run will not find it and will attempt to create a new PR from the same branch.
This can lead to repeated tracker PRs (PR spam) or API errors depending on GitHub behavior.

Code

scripts/audit-actions-freshness.js[R480-488]

+async function findTrackingPullRequest({ owner, repository, token, trackingBranch }) {
+  const pullRequests = await githubRequest({
+    endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/pulls?state=open&head=${encodeURIComponent(`${owner}:${trackingBranch}`)}&per_page=10`,
+    token,
+  });
+
+  if (!Array.isArray(pullRequests) || pullRequests.length === 0) {
+    return null;
+  }

Evidence

findTrackingPullRequest queries state=open only. upsertTrackingPullRequest creates a PR whenever
that returns null. Since closeTrackingPullRequest explicitly closes the PR, subsequent runs won’t
find it.

scripts/audit-actions-freshness.js[480-488]
scripts/audit-actions-freshness.js[499-508]
scripts/audit-actions-freshness.js[579-605]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The script closes the tracker PR when clean, but later runs only search open PRs. This causes new PR creation attempts instead of reopening/updating the existing tracker PR.
### Issue Context
`findTrackingPullRequest` uses `state=open` and `upsertTrackingPullRequest` creates a new PR whenever lookup returns null.
### Fix Focus Areas
- scripts/audit-actions-freshness.js[480-497]
- scripts/audit-actions-freshness.js[510-606]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Tracker logs missing actor/time 📘 Rule violation ✓ Correctness

Description

New logs for branch/PR operations do not include GITHUB_ACTOR (user identity) or a timestamp,
reducing auditability of critical automated changes. This violates the audit trail requirement for
actor and time context.

Code

scripts/audit-actions-freshness.js[433]

+    console.log(`[actions-freshness] Created branch ${trackingBranch}`);

Evidence

The compliance rule requires audit logs to include user identity and timestamp; the new tracker
operation logs only include a generic message and a branch/PR number, without actor or timestamp
fields.

Rule 1: Generic: Comprehensive Audit Trails
scripts/audit-actions-freshness.js[433-433]
scripts/audit-actions-freshness.js[541-541]
scripts/audit-actions-freshness.js[589-589]
scripts/audit-actions-freshness.js[605-605]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Audit trail logs for tracker branch/PR operations do not capture who initiated the change (actor) or when it occurred (timestamp).
## Issue Context
These operations modify repository state (branch creation, file upsert, PR creation/updates/closure). Audit requirements call for user identity and timestamp on critical actions.
## Fix Focus Areas
- scripts/audit-actions-freshness.js[424-434]
- scripts/audit-actions-freshness.js[535-542]
- scripts/audit-actions-freshness.js[580-590]
- scripts/audit-actions-freshness.js[593-606]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. --issue-title sets PR title 📘 Rule violation ✓ Correctness

Description

The CLI flag --issue-title now updates pullRequestTitle, which is misleading and not
self-documenting. This can cause incorrect usage and configuration mistakes.

Code

scripts/audit-actions-freshness.js[R56-58]

+    if (argument === '--issue-title' || argument === '--pr-title') {
+      options.pullRequestTitle = argv[index + 1];
   index += 1;

Evidence

The naming rule requires identifiers/flags to match their behavior; accepting --issue-title but
applying it to pullRequestTitle is misleading.

Rule 2: Generic: Meaningful Naming and Self-Documenting Code
scripts/audit-actions-freshness.js[56-58]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`--issue-title` is accepted but actually sets the pull request title, which is misleading.
## Issue Context
This looks like backward compatibility for the previous issue-tracker approach, but it reduces clarity and violates self-documenting naming expectations.
## Fix Focus Areas
- scripts/audit-actions-freshness.js[56-60]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

5. --pr-branch lacks validation 📘 Rule violation ⛨ Security

Description

pullRequestBranch is taken directly from CLI args and then used to create a Git ref
(refs/heads/${trackingBranch}) without validation/sanitization. Invalid or malicious values can
cause unexpected behavior or failed API operations.

Code

scripts/audit-actions-freshness.js[R424-431]

+    await githubRequest({
+      endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/refs`,
+      token,
+      method: 'POST',
+      body: {
+        ref: `refs/heads/${trackingBranch}`,
+        sha: defaultBranchSha,
+      },

Evidence

The input-validation rule requires external inputs (like CLI args) to be validated; the code accepts
any --pr-branch value and interpolates it directly into a ref string for repository writes.

Rule 6: Generic: Security-First Input Validation and Data Handling
scripts/audit-actions-freshness.js[67-70]
scripts/audit-actions-freshness.js[424-432]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`--pr-branch` input is not validated before being used to create a git ref and to identify the PR head.
## Issue Context
The branch name is an external input (CLI arg) and is interpolated into `refs/heads/...` for a repo write via the GitHub API. Validation/normalization should happen before use.
## Fix Focus Areas
- scripts/audit-actions-freshness.js[67-71]
- scripts/audit-actions-freshness.js[398-435]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

View more (1)

✅ 6. Unsafe PR fallback 🐞 Bug ✓ Correctness

Description

If no PR body contains the tracker marker, the lookup falls back to returning the first PR from that
branch. This can cause the script to update/close an unintended PR if someone opens a PR from the
same branch without the marker.

Code

scripts/audit-actions-freshness.js[R490-496]

+  return (
+    pullRequests.find(
+      (pullRequest) =>
+        typeof pullRequest.body === 'string' &&
+        pullRequest.body.includes(TRACKING_PULL_REQUEST_MARKER)
+    ) || pullRequests[0]
+  );

Evidence

The function explicitly returns pullRequests[0] when it fails to find the marker, which is a guess
and may target the wrong PR.

scripts/audit-actions-freshness.js[490-496]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The tracker PR lookup returns the first PR from the branch even when the marker is missing, risking updating/closing the wrong PR.
### Issue Context
The marker is intended to uniquely identify the tracker PR, but the current logic guesses when it cannot find it.
### Fix Focus Areas
- scripts/audit-actions-freshness.js[490-496]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[qodo-free-for-open-source-projects]

1. Tracker branch can drift 🐞 Bug ⛯ Reliability

The tracking branch is only created when missing and is never fast-forwarded/reset to the current
default-branch tip. Over time, the tracker PR will accumulate unrelated diffs/commits from the
default branch, making it noisy and potentially unreviewable.

Agent Prompt

### Issue description
The tracker branch (`automation/actions-freshness-tracker`) is only created once and never updated afterwards. This causes the tracker PR to gradually include unrelated diffs from the default branch.

### Issue Context
`ensureTrackingPullRequestBranch` checks for the branch ref and only creates it on 404. If it exists, it does not move it to the latest default-branch commit.

### Fix Focus Areas
- scripts/audit-actions-freshness.js[398-435]
- scripts/audit-actions-freshness.js[551-577]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-free-for-open-source-projects]

2. Closed pr never reused 🐞 Bug ⛯ Reliability

The tracker PR lookup only searches open PRs; once the workflow closes the tracker PR on a clean
run, a later stale run will not find it and will attempt to create a new PR from the same branch.
This can lead to repeated tracker PRs (PR spam) or API errors depending on GitHub behavior.

Agent Prompt

### Issue description
The script closes the tracker PR when clean, but later runs only search open PRs. This causes new PR creation attempts instead of reopening/updating the existing tracker PR.

### Issue Context
`findTrackingPullRequest` uses `state=open` and `upsertTrackingPullRequest` creates a new PR whenever lookup returns null.

### Fix Focus Areas
- scripts/audit-actions-freshness.js[480-497]
- scripts/audit-actions-freshness.js[510-606]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@scripts/audit-actions-freshness.js`:
- Around line 414-434: The current try/catch that checks for the tracking branch
using githubRequest(...) and then POSTs to create it can race and get a 422 if
another run created the ref; update the error handling around the POST to treat
a 422 as non-fatal: after the initial try where you call githubRequest(...) with
endpoint `/git/ref/heads/${toGitHubRefPath(trackingBranch)}`, keep the existing
404 handling but when performing the POST to `/git/refs` catch errors from
githubRequest and if the error.status === 422 then re-check the branch exists by
calling the same GET (`/git/ref/heads/${toGitHubRefPath(trackingBranch)}`) and
only throw if that re-check also fails; reference the existing symbols
githubRequest, toGitHubRefPath, trackingBranch and defaultBranchSha when
implementing this retry/check logic.

🧹 Nitpick comments (3)

scripts/audit-actions-freshness.js (3)

375-389: toGitHubRefPath and toGitHubContentPath are identical implementations.

These two functions have the exact same body. Consider extracting a single shared helper (e.g., encodePathSegments) and aliasing if distinct names are desired for readability.

♻️ Suggested deduplication

-function toGitHubRefPath(value) {
-  return value
-    .split('/')
-    .filter((segment) => segment.length > 0)
-    .map((segment) => encodeURIComponent(segment))
-    .join('/');
-}
-
-function toGitHubContentPath(filePath) {
-  return filePath
-    .split('/')
-    .filter((segment) => segment.length > 0)
-    .map((segment) => encodeURIComponent(segment))
-    .join('/');
-}
+function encodePathSegments(value) {
+  return value
+    .split('/')
+    .filter((segment) => segment.length > 0)
+    .map((segment) => encodeURIComponent(segment))
+    .join('/');
+}
+
+const toGitHubRefPath = encodePathSegments;
+const toGitHubContentPath = encodePathSegments;

---

510-606: Well-structured PR lifecycle management.

The flow correctly handles all states: no findings with no existing PR (no-op), no findings with existing PR (close), findings with existing PR (update), and findings without PR (create draft).

One minor note: when closing the PR on a clean audit, the tracking branch (pullRequestBranch) is left behind. Consider deleting it to keep the repository tidy, though this is optional.

---

638-647: Permission error detection relies on a specific GitHub error message string.

This is the pragmatic approach, but be aware that if GitHub changes the wording, the detection will silently stop matching and the error will propagate as unhandled. Consider also matching on a broader substring or adding a fallback log.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Potential 422 error if concurrent runs race to create the branch.

If two workflow runs hit the 404 simultaneously, the second POST .../git/refs will fail with a 422 ("Reference already exists") that isn't caught here. Consider also treating 422 as a non-fatal condition (re-check the branch exists).

🛡️ Proposed fix

   } catch (error) {
-    if (error.status !== 404) {
+    if (error.status !== 404) {
       throw error;
     }
 
-    await githubRequest({
-      endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/refs`,
-      token,
-      method: 'POST',
-      body: {
-        ref: `refs/heads/${trackingBranch}`,
-        sha: defaultBranchSha,
-      },
-    });
-    console.log(`[actions-freshness] Created branch ${trackingBranch}`);
+    try {
+      await githubRequest({
+        endpoint: `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repository)}/git/refs`,
+        token,
+        method: 'POST',
+        body: {
+          ref: `refs/heads/${trackingBranch}`,
+          sha: defaultBranchSha,
+        },
+      });
+      console.log(`[actions-freshness] Created branch ${trackingBranch}`);
+    } catch (createError) {
+      if (createError.status !== 422) {
+        throw createError;
+      }
+      console.log(`[actions-freshness] Branch ${trackingBranch} was created concurrently`);
+    }
   }

🤖 Prompt for AI Agents

In `@scripts/audit-actions-freshness.js` around lines 414 - 434, The current
try/catch that checks for the tracking branch using githubRequest(...) and then
POSTs to create it can race and get a 422 if another run created the ref; update
the error handling around the POST to treat a 422 as non-fatal: after the
initial try where you call githubRequest(...) with endpoint
`/git/ref/heads/${toGitHubRefPath(trackingBranch)}`, keep the existing 404
handling but when performing the POST to `/git/refs` catch errors from
githubRequest and if the error.status === 422 then re-check the branch exists by
calling the same GET (`/git/ref/heads/${toGitHubRefPath(trackingBranch)}`) and
only throw if that re-check also fails; reference the existing symbols
githubRequest, toGitHubRefPath, trackingBranch and defaultBranchSha when
implementing this retry/check logic.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud