From 500a02bd88ba9488cebbdf6bca2d454fae8a8dca Mon Sep 17 00:00:00 2001
From: Arvin Xu <arvinx@foxmail.com>
Date: Tue, 19 May 2026 11:42:01 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20chore:=20remove=20compromised=20?=
 =?UTF-8?q?actions-cool/issues-helper@v3=20(#14956)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: remove compromised actions-cool/issues-helper@v3

* fix: remove actions-cool/issues-helper

* fix: pin actions-cool/issues-helper to safe commit SHA in sync.yml
---
 .github/workflows/issue-auto-comments.yml | 15 ++----
 .github/workflows/issue-close-require.yml | 63 -----------------------
 .github/workflows/sync.yml                |  4 +-
 3 files changed, 6 insertions(+), 76 deletions(-)
 delete mode 100644 .github/workflows/issue-close-require.yml

diff --git a/.github/workflows/issue-auto-comments.yml b/.github/workflows/issue-auto-comments.yml
index c6cac85dad..a1bed8f204 100644
--- a/.github/workflows/issue-auto-comments.yml
+++ b/.github/workflows/issue-auto-comments.yml
@@ -16,14 +16,14 @@ permissions:
 jobs:
   run:
     permissions:
-      issues: write # for actions-cool/issues-helper to update issues
-      pull-requests: write # for actions-cool/issues-helper to update PRs
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Auto Comment on Issues Closed
         uses: wow-actions/auto-comment@v1
         with:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
           issuesClosed: |
             ✅ @{{ author }}
 
@@ -51,11 +51,4 @@ jobs:
             The growth of project is inseparable from user feedback and contribution, thanks for your contribution! If you are interesting with the lobehub developer community, please join our [discord](https://discord.com/invite/AYFPHvv2jT) and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world.
           emoji: 'hooray'
           pr-emoji: '+1, heart'
-      - name: Remove inactive
-        if: github.event.issue.state == 'open' && github.actor == github.event.issue.user.login
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: 'remove-labels'
-          token: ${{ secrets.GH_TOKEN }}
-          issue-number: ${{ github.event.issue.number }}
-          labels: 'Inactive'
+
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
deleted file mode 100644
index a3bbce8f16..0000000000
--- a/.github/workflows/issue-close-require.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: Issue Close Require
-
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-permissions:
-  contents: read
-
-jobs:
-  issue-check-inactive:
-    permissions:
-      issues: write # for actions-cool/issues-helper to update issues
-      pull-requests: write # for actions-cool/issues-helper to update PRs
-    runs-on: ubuntu-latest
-    steps:
-      - name: check-inactive
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: 'check-inactive'
-          token: ${{ secrets.GH_TOKEN }}
-          inactive-label: 'Inactive'
-          inactive-day: 60
-
-  issue-close-require:
-    permissions:
-      issues: write # for actions-cool/issues-helper to update issues
-      pull-requests: write # for actions-cool/issues-helper to update PRs
-    runs-on: ubuntu-latest
-    steps:
-      - name: need reproduce
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: 'close-issues'
-          token: ${{ secrets.GH_TOKEN }}
-          labels: '✅ Fixed'
-          inactive-day: 3
-          body: |
-            👋 @{{ author }}
-            <br/>
-            Since the issue was labeled with `✅ Fixed`, but no response in 3 days. This issue will be closed. If you have any questions, you can comment and reply.
-      - name: need reproduce
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: 'close-issues'
-          token: ${{ secrets.GH_TOKEN }}
-          labels: '🤔 Need Reproduce'
-          inactive-day: 3
-          body: |
-            👋 @{{ author }}
-            <br/>
-            Since the issue was labeled with `🤔 Need Reproduce`, but no response in 3 days. This issue will be closed. If you have any questions, you can comment and reply.
-      - name: need reproduce
-        uses: actions-cool/issues-helper@v3
-        with:
-          actions: 'close-issues'
-          token: ${{ secrets.GH_TOKEN }}
-          labels: "🙅🏻‍♀️ WON'T DO"
-          inactive-day: 3
-          body: |
-            👋 @{{ github.event.issue.user.login }}
-            <br/>
-            Since the issue was labeled with `🙅🏻‍♀️ WON'T DO`, and no response in 3 days. This issue will be closed. If you have any questions, you can comment and reply.
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index ae81e8affc..f4ef6930b8 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Clean issue notice
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@e361abf610221f09495ad510cb1e69328d839e1c # v3.7.6
         with:
           actions: 'close-issues'
           labels: '🚨 Sync Fail'
@@ -37,7 +37,7 @@ jobs:
 
       - name: Sync check
         if: failure()
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@e361abf610221f09495ad510cb1e69328d839e1c # v3.7.6
         with:
           actions: 'create-issue'
           title: '🚨 同步失败 | Sync Fail'