Summary

Automate the SHA staleness check to run weekly and create a tracking issue when stale dependencies are detected.

Background

The Test-SHAStaleness.ps1 script identifies GitHub Actions and tools with outdated SHA pins. Currently this requires manual execution via npm run sha-staleness. Automating this with issue creation ensures stale dependencies don't go unnoticed.

Current State

The sha-staleness-check.yml workflow runs the check but doesn't create actionable follow-up when issues are found. Latest scan found 8 stale items:

• actions/checkout (63 days old)
• github/codeql-action/* (47 days old)
• actions/dependency-review-action (55 days old)
• actions/setup-node (33 days old)
• gitleaks tool (8.18.2 → 8.30.0)

Proposed Solution

Enhance weekly-security-maintenance.yml to:

1. Run Test-SHAStaleness.ps1
2. Parse results for stale items exceeding threshold
3. Create or update a tracking issue with:
   • List of stale dependencies
   • Age and severity
   • Remediation commands

Acceptance Criteria

• Weekly workflow creates issue when stale dependencies exceed 30-day threshold
• Issue includes actionable remediation steps
• Workflow updates existing open issue instead of creating duplicates
• Issue auto-closes when no stale dependencies remain

References

• Script: scripts/security/Test-SHAStaleness.ps1
• Workflow: .github/workflows/weekly-security-maintenance.yml
• Results: logs/sha-staleness-results.json