@MonaaEid MonaaEid commented Jan 5, 2026

This pull request introduces an automated system for maintaining a spam user list in the repository.

Automated Spam List Management

  • Added .github/scripts/update-spam-list.js, a script that:
    • Identifies spam users from closed, unmerged PRs labeled as 'spam' and rehabilitated users from merged PRs labeled as 'Good First Issue'.
    • Updates .github/spam-list.txt by adding or removing users based on their most recent activity.
    • Updates CHANGELOG.md with an entry describing the spam list update.
    • Generates a summary for the PR title and body describing the changes.

Related issue(s):

Fixes #1303

Checklist

  • Documented
  • Tested

codecov bot commented Jan 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main    #1359   +/-   ##
=======================================
  Coverage   92.44%   92.44%           
=======================================
  Files         139      139           
  Lines        8528     8528           
=======================================
  Hits         7884     7884           
  Misses        644      644           

github-actions bot commented Jan 6, 2026

Hi, this is MergeConflictBot.
Your pull request cannot be merged because it contains merge conflicts.

Please resolve these conflicts locally and push the changes.

To assist you, please read:

Thank you for contributing!

@MonaaEid MonaaEid marked this pull request as ready for review January 7, 2026 00:27
Copilot AI review requested due to automatic review settings January 7, 2026 00:27
@MonaaEid MonaaEid review requested due to automatic review settings January 7, 2026 00:29
coderabbitai bot commented Jan 7, 2026

Walkthrough

Adds a monthly/manual GitHub Actions workflow and a new helper script that scans closed PRs labeled spam and merged Good First Issue PRs, computes timeline-based additions/removals to .github/spam-list.txt, and opens an automated PR with the updates when changes are detected.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Script: .github/scripts/update-spam-list.js | New script that lists closed PRs labeled spam and merged PRs labeled Good First Issue, captures latest dates per user, computes additions/removals, reads existing .github/spam-list.txt, supports DRY_RUN, writes updates (when not dry-run), and emits outputs: has-changes, pr-title, pr-body, branch-name. |
| GitHub Actions Workflow: .github/workflows/cron-update-spam-list.yml | New scheduled (monthly) + manual workflow that sets permissions, exposes DRY_RUN input, runs the script via actions/github-script with GITHUB_TOKEN, captures outputs, and conditionally uses peter-evans/create-pull-request to create a PR (labels: automated, spam-management) when changes exist and not dry-run. |
| Changelog: CHANGELOG.md | Adds entry documenting the new automated spam list update workflow and helper script. |

Sequence Diagram

sequenceDiagram
    actor Scheduler as Monthly Scheduler
    participant Workflow as GitHub Actions Workflow
    participant Script as update-spam-list.js
    participant API as GitHub API
    participant FS as Repo FS (.github/spam-list.txt)
    participant PR as PR Service

    Scheduler->>Workflow: trigger (cron / manual)
    Workflow->>Workflow: checkout repo, set env (DRY_RUN, GITHUB_TOKEN)
    Workflow->>Script: run with github, context, core

    Script->>API: list closed PRs labeled "spam"
    API-->>Script: spam PRs
    Script->>Script: determine latest spam date per user

    Script->>API: list merged PRs labeled "Good First Issue"
    API-->>Script: merged PRs
    Script->>Script: determine latest rehab date per user

    Script->>Script: compute additions / removals by comparing timelines

    Script->>FS: read `.github/spam-list.txt`
    FS-->>Script: current list
    Script->>Script: produce updated list, prepare pr-title/pr-body/branch-name

    rect rgb(200,230,200)
    Script-->>Workflow: outputs: has-changes, pr-title, pr-body, branch-name
    end

    alt has-changes AND NOT DRY_RUN
        Workflow->>FS: write updated `.github/spam-list.txt` on branch
        FS-->>Workflow: file updated
        Workflow->>PR: create pull request with title/body/labels
        PR-->>Workflow: PR created
    else
        Workflow->>Workflow: no PR created (dry-run or no changes)
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow for automatic spam list updates, which is the primary objective of the PR. |
| Description check | ✅ Passed | The description clearly explains the automated spam list management system introduced by the PR, detailing the script's functionality and linking to issue #1303. |
| Linked Issues check | ✅ Passed | The PR implements all core requirements from issue #1303: parsing closed spam-labeled PRs, identifying rehabilitated users from merged Good First Issues, updating spam-list.txt, and creating automated PRs with net changes. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing the spam list automation system. The additions to .github/scripts, .github/workflows, and CHANGELOG.md are all in scope for issue #1303. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86ce204 and 8bc8c6e.

📒 Files selected for processing (1)
  • CHANGELOG.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Agent
  • GitHub Check: Codacy Static Code Analysis
  • GitHub Check: build-and-test (3.12)
  • GitHub Check: build-and-test (3.13)
  • GitHub Check: build-and-test (3.10)
  • GitHub Check: build-and-test (3.11)
  • GitHub Check: run-examples
  • GitHub Check: StepSecurity Harden-Runner


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 7

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4f4767a and 7835d31.

📒 Files selected for processing (3)
  • .github/scripts/update-spam-list.js
  • .github/workflows/cron-update-spam-list.yml
  • CHANGELOG.md
🧰 Additional context used
📓 Path-based instructions (2)
.github/scripts/**/*.js

⚙️ CodeRabbit configuration file

.github/scripts/**/*.js: Review JavaScript scripts as long-lived automation code.

Scripts must remain:

  • Focused

  • Readable

  • Purpose-built

  • All context.payload fields MUST be validated

  • Free-form text MUST NOT be trusted

  • Dynamic code execution is prohibited

  • Avoid child_process.exec; prefer execFile if needed

  • All async operations MUST be wrapped in try/catch

  • Errors MUST include contextual metadata

  • Duplicate API calls MUST be avoided

  • Marker-based deduplication is required

  • Scripts MUST NOT assume write access

  • Permission failures MUST be handled gracefully

Files:

  • .github/scripts/update-spam-list.js
.github/workflows/**/*

⚙️ CodeRabbit configuration file

.github/workflows/**/*: Review workflows as security-sensitive infrastructure.

A good workflow is small, focused, and boring.
If a workflow is clever, generic, or overly flexible, it is a risk.


PRIORITY 0 — ABSOLUTE REQUIREMENTS

  • All third-party actions MUST be pinned to full commit SHAs, similar to other workflows.
  • permissions: MUST be explicitly declared and minimally scoped.
  • Workflows MUST behave safely when executed from forks.
  • YAML MUST orchestrate steps, not implement business logic.
  • Any workflow that mutates GitHub state MUST support dry-run mode.
  • Dry-run behavior must be explicit and visible in logs.
  • Workflows MUST NOT modify repository source code outside .github/.

PRIORITY 1 — SCOPE, FOCUS & RESTRAINT

  • The title of each workflow must be relevant, match similar naming schemes, and match its script filename.
  • Each workflow MUST have a single, clearly defined objective and SHOULD document this in a top-level comment.
  • Flag workflows that:
    • Attempt to be generic “frameworks”
    • Include speculative or future-facing logic
    • Perform actions unrelated to the stated goal
  • Over-abstraction and excess flexibility are maintenance risks.

PRIORITY 2 — INPUT HARDENING

  • Treat ALL GitHub event data as potentially hostile input, including:
    • issue titles, bodies, and comments
    • labels, usernames, branch names
  • Free-form user input MUST NOT be passed directly into:
    • shell commands
    • gh CLI arguments
    • Node.js exec / spawn calls
  • Require strict allowlists or exact string matches.
  • Flag any use of:
    • eval or bash -c
    • backticks or $(...) with user-controlled input

------------------...

Files:

  • .github/workflows/cron-update-spam-list.yml
🔇 Additional comments (7)
CHANGELOG.md (1)

90-90: LGTM!

The changelog entry is concise and accurately describes the new feature. Consider adding an issue reference (e.g., (#1303)) for traceability, consistent with many other entries in this file.

.github/scripts/update-spam-list.js (4)

18-73: LGTM!

The computation logic correctly handles the date-based precedence for spam vs rehabilitation, including the edge cases where users may have multiple events. Error handling for missing files is appropriate.


76-91: LGTM!

Dry-run mode is properly implemented with clear logging, and the directory creation is a good defensive measure.


95-125: LGTM!

The summary generation provides clear, well-formatted output for the automated PR.


192-198: This review comment is incorrect—the code is working as intended.

The github.paginate.iterator() yields response objects where data contains the array directly (from other usages in the codebase like coderabbit_plan_trigger.js, which does for await (const { data: page } of iterator) followed by comments.push(...page)). The destructuring { data: items } correctly assigns the array to items, and the subsequent loop for (const pr of items) properly iterates over PR objects. No fix is needed.

.github/workflows/cron-update-spam-list.yml (2)

3-19: LGTM!

Good implementation:

  • Monthly schedule is appropriate for spam list maintenance
  • Dry-run defaults to true for manual runs (safe)
  • Scheduled runs default to false (operational)
  • Permissions are minimal and appropriate for the operations

48-59: LGTM!

The PR creation step correctly:

  • Gates on both has-changes and DRY_RUN
  • Scopes the commit to only .github/spam-list.txt via add-paths
  • Uses appropriate labels for tracking automated changes
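
The date-based precedence the review describes for `update-spam-list.js`, combined with the configured rule to treat usernames as hostile input, as an added example that is not the PR's script. `computeChanges`, `latestByUser`, `LOGIN_RE` and the sample records are hypothetical, and the login pattern is an assumption chosen so that nothing containing a newline or space can reach `.github/spam-list.txt`.

```javascript
// Added example, not the PR's script: all names and sample records are hypothetical.
// Assumed login shape: 1-39 alphanumerics or single hyphens, no leading/trailing hyphen.
// Anything else (newlines, spaces, bot suffixes) is skipped, never written to the list.
const LOGIN_RE = /^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$/;

// Most recent valid event date per login; malformed records are ignored.
function latestByUser(prs, dateField) {
  const latest = new Map();
  for (const pr of prs) {
    const login = pr && pr.user && pr.user.login;
    const when = Date.parse(pr && pr[dateField]);
    if (typeof login !== 'string' || !LOGIN_RE.test(login) || Number.isNaN(when)) continue;
    if (!latest.has(login) || when > latest.get(login)) latest.set(login, when);
  }
  return latest;
}

// The latest event wins: a spam PR adds a user, a later merged PR removes them.
function computeChanges(currentList, spamPrs, rehabPrs) {
  const spam = latestByUser(spamPrs, 'closed_at');
  const rehab = latestByUser(rehabPrs, 'merged_at');
  const current = new Set(currentList);
  const additions = [];
  const removals = [];
  for (const [user, spamAt] of spam) {
    const rehabAt = rehab.get(user);
    if ((rehabAt === undefined || spamAt > rehabAt) && !current.has(user)) additions.push(user);
  }
  for (const [user, rehabAt] of rehab) {
    const spamAt = spam.get(user);
    if ((spamAt === undefined || rehabAt > spamAt) && current.has(user)) removals.push(user);
  }
  const updated = [...current].filter((u) => !removals.includes(u)).concat(additions).sort();
  return { additions: additions.sort(), removals: removals.sort(), updated };
}

// Constructed sample input; the third record carries a newline in the login.
const sample = computeChanges(
  ['old-spammer', 'reformed-user'],
  [
    { user: { login: 'new-spammer' }, closed_at: '2025-12-01T10:00:00Z' },
    { user: { login: 'reformed-user' }, closed_at: '2025-06-01T10:00:00Z' },
    { user: { login: 'evil\nvictim-user' }, closed_at: '2025-12-02T10:00:00Z' },
  ],
  [{ user: { login: 'reformed-user' }, merged_at: '2025-11-15T09:00:00Z' }],
);
console.log(sample);
```

The record with the embedded newline is dropped during validation, so it cannot add `victim-user` as an extra line in the list file.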

Copilot AI review requested due to automatic review settings January 7, 2026 12:17
@MonaaEid MonaaEid review requested due to automatic review settings January 7, 2026 12:18
@MonaaEid MonaaEid requested review from Copilot and removed request for Copilot January 7, 2026 12:19
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7835d31 and 438c6d0.

📒 Files selected for processing (1)
  • CHANGELOG.md

@aceppaluni aceppaluni left a comment

@MonaaEid This is great work! 👍

Please make sure to adjust the changelog entry.

Thank you!

Copilot AI review requested due to automatic review settings January 7, 2026 22:53
@MonaaEid MonaaEid review requested due to automatic review settings January 7, 2026 22:54
@exploreriii exploreriii left a comment

Thank you MonaaEid
This will use quite a few API calls but I think we will be fine for now, in the future we might have to optimise

@exploreriii exploreriii merged commit 115b21f into hiero-ledger:main Jan 8, 2026
25 checks passed
MonaaEid commented Jan 8, 2026

> Thank you MonaaEid
> This will use quite a few API calls but I think we will be fine for now, in the future we might have to optimise

I think so too

@MonaaEid MonaaEid deleted the feat/1303-update-spam-list branch January 8, 2026 10:33

Development

Successfully merging this pull request may close these issues.

[Intermediate]: Create cron job that creates an automated pull request with an update to spam-list.txt
