From dbf87126845c6f220fc524c2b8e27a5c5994bf52 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 17 May 2026 15:37:19 +0000
Subject: [PATCH 1/5] chore(ci): close failing or conflicted PRs sooner

---
 .github/workflows/pr-closer.yml | 47 ++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pr-closer.yml b/.github/workflows/pr-closer.yml
index 7c0cc804..f8e2e58a 100644
--- a/.github/workflows/pr-closer.yml
+++ b/.github/workflows/pr-closer.yml
@@ -5,27 +5,50 @@ on:
     - cron: "0 0 * * *" # daily at midnight
   workflow_dispatch:
 
+concurrency:
+  group: pr-closer
+  cancel-in-progress: true
+
 jobs:
   close-stale-prs:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+      checks: read
+      statuses: read
     steps:
       - name: Close stale PRs
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
         run: |
-          gh pr list -R "${{ github.repository }}" --state open --json number,author,labels,updatedAt,statusCheckRollup --limit 100 | \
-          jq -r '.[] | select(
-            (.updatedAt | fromdateiso8601) < (now - 30*24*60*60) and
-            .author.login != "jdx" and
-            ([.labels[].name] | index("keep-open") | not)
-          ) | [.number, (if (.statusCheckRollup | length > 0) and (.statusCheckRollup | any(.conclusion == "FAILURE" or .conclusion == "failure")) then "failing" else "passing" end)] | @tsv' | \
-          while read -r pr status; do
-            echo "Closing PR #$pr (checks: $status)"
-            if [ "$status" = "failing" ]; then
-              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Note: CI checks were failing, which may be why it wasn't reviewed. Feel free to reopen or create a new PR if you'd like to continue working on this."
-            else
-              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Feel free to reopen or create a new PR if you'd like to continue working on this."
+          set -o pipefail
+          CUTOFF=$(date -u -d '6 days ago' +%Y-%m-%d)
+          gh pr list -R "$REPO" --state open --search "updated:<$CUTOFF -author:jdx -label:keep-open draft:false" --json number,mergeStateStatus,statusCheckRollup --limit 500 | \
+          jq -r '
+            def failed_check:
+              (.statusCheckRollup | length > 0) and
+              ([.statusCheckRollup // [] | .[] | ((.conclusion // .state // "") | ascii_upcase)] | any(. == "FAILURE" or . == "ERROR" or . == "TIMED_OUT" or . == "ACTION_REQUIRED"));
+
+            .[]
+            | failed_check as $failed
+            | ([.statusCheckRollup // [] | .[] | ((.conclusion // .state // "") | ascii_upcase)] | any(. == "CANCELLED")) as $cancelled
+            | (.mergeStateStatus == "DIRTY") as $conflicted
+            | (.mergeStateStatus == "UNKNOWN") as $unknown
+            | if $failed and $conflicted then [.number, "failing checks and merge conflicts"]
+              elif $failed then [.number, "failing checks"]
+              elif $conflicted then [.number, "merge conflicts"]
+              elif $cancelled then [.number, "cancelled checks", "warn"]
+              elif $unknown then [.number, "unknown merge state", "warn"]
+              else empty
+              end
+            | @tsv
+          ' | \
+          while IFS=$'\t' read -r pr reason action; do
+            if [ "$action" = "warn" ]; then
+              echo "Skipping PR #$pr ($reason)"
+              continue
             fi
+            echo "Closing PR #$pr ($reason)"
+            gh pr close "$pr" -R "$REPO" -c "This PR has been inactive for at least 7 days and currently has $reason. Feel free to reopen or create a new PR if you'd like to continue working on this." || echo "Warning: failed to close PR #$pr, skipping"
           done

From 342ded1fec294e222dbb70137bc0e60812089791 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 17 May 2026 16:28:07 +0000
Subject: [PATCH 2/5] ci: allow reading attestations

---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f96c075d..fef5e3ad 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,7 @@ on: # rebuild any PRs and main branch changes
 
 permissions:
   contents: read
+  attestations: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}

From 9d51e34c19f7ed956d6b4b8b962ce450ced27bcf Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 17 May 2026 16:30:02 +0000
Subject: [PATCH 3/5] ci: bypass mise cache in build smoke test

---
 .github/workflows/test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fef5e3ad..6c666a47 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,9 @@ jobs:
         with:
           persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          cache: false
+          cache_save: false
       - run: aube install
       - run: aubr all
   test: # make sure the action works on a clean machine without building

From f285788746d0842f79477744d528e912c5daf6c8 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 17 May 2026 16:43:28 +0000
Subject: [PATCH 4/5] Revert "ci: bypass mise cache in build smoke test"

This reverts commit 9d51e34c19f7ed956d6b4b8b962ce450ced27bcf.
---
 .github/workflows/test.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6c666a47..fef5e3ad 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,9 +24,6 @@ jobs:
         with:
           persist-credentials: false
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
-        with:
-          cache: false
-          cache_save: false
       - run: aube install
       - run: aubr all
   test: # make sure the action works on a clean machine without building

From 34aded28f6a0f4730e8ffc10745b2403549e7122 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Sun, 17 May 2026 16:43:28 +0000
Subject: [PATCH 5/5] Revert "ci: allow reading attestations"

This reverts commit 342ded1fec294e222dbb70137bc0e60812089791.
---
 .github/workflows/test.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fef5e3ad..f96c075d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,6 @@ on: # rebuild any PRs and main branch changes
 
 permissions:
   contents: read
-  attestations: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}