1# Stale PR Review Reminder
2#
3# Runs daily on weekdays (second run at 8 PM UTC disabled during rollout) and posts a Slack summary of open PRs that
4# have been awaiting review for more than 72 hours. Team-level signal only —
5# no individual shaming.
6#
7# Security note: No untrusted input is interpolated into shell commands.
8# All PR metadata is read via gh API + jq.
9#
10# Required secrets:
11# SLACK_WEBHOOK_PR_REVIEW_BOT - Incoming webhook URL for the #pr-review-ops channel
12
13name: Stale PR Review Reminder
14
15on:
16 schedule:
17 - cron: "0 14 * * 1-5" # 2 PM UTC weekdays
18 # - cron: "0 20 * * 1-5" # 8 PM UTC weekdays — enable after initial rollout
19 workflow_dispatch: {}
20
21permissions:
22 contents: read
23 pull-requests: read
24
25jobs:
26 check-stale-prs:
27 if: github.repository_owner == 'zed-industries'
28 runs-on: ubuntu-latest
29 timeout-minutes: 5
30 env:
31 REPO: ${{ github.repository }}
32 # Only surface PRs created on or after this date. Update this if the
33 # review process enforcement date changes.
34 PROCESS_START_DATE: "2026-03-19T00:00:00Z"
35 steps:
36 - name: Find PRs awaiting review longer than 72h
37 id: stale
38 env:
39 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
40 run: |
41 CUTOFF=$(date -u -v-72H +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
42 || date -u -d '72 hours ago' +%Y-%m-%dT%H:%M:%SZ)
43
44 # Get open, non-draft PRs with pending review requests, created before cutoff
45 # but after the review process start date (to exclude pre-existing backlog)
46 gh api --paginate \
47 "repos/${REPO}/pulls?state=open&sort=updated&direction=asc&per_page=100" \
48 --jq "[
49 .[] |
50 select(.draft == false) |
51 select(.created_at > \"$PROCESS_START_DATE\") |
52 select(.created_at < \"$CUTOFF\") |
53 select((.requested_reviewers | length > 0) or (.requested_teams | length > 0))
54 ]" > /tmp/candidates.json
55
56 # Filter to PRs with zero approving reviews
57 jq -r '.[].number' /tmp/candidates.json | while read -r PR_NUMBER; do
58 APPROVALS=$(gh api \
59 "repos/${REPO}/pulls/${PR_NUMBER}/reviews" \
60 --jq "[.[] | select(.state == \"APPROVED\")] | length" 2>/dev/null || echo "0")
61
62 if [ "$APPROVALS" -eq 0 ]; then
63 jq ".[] | select(.number == ${PR_NUMBER}) | {number, title, author: .user.login, created_at}" \
64 /tmp/candidates.json
65 fi
66 done | jq -s '.' > /tmp/awaiting.json
67
68 COUNT=$(jq 'length' /tmp/awaiting.json)
69 echo "count=$COUNT" >> "$GITHUB_OUTPUT"
70
71 - name: Notify Slack
72 if: steps.stale.outputs.count != '0'
73 env:
74 SLACK_WEBHOOK_PR_REVIEW_BOT: ${{ secrets.SLACK_WEBHOOK_PR_REVIEW_BOT }}
75 COUNT: ${{ steps.stale.outputs.count }}
76 run: |
77 # Build Block Kit payload from JSON — no shell interpolation of PR titles.
78 # Why jq? PR titles are attacker-controllable input. By reading them
79 # through jq -r from the JSON file and passing the result to jq --arg,
80 # the content stays safely JSON-encoded in the final payload.
81 PRS=$(jq -r '.[] | "• <https://github.com/'"${REPO}"'/pull/\(.number)|#\(.number)> — \(.title) (by \(.author), opened \(.created_at | split("T")[0]))"' /tmp/awaiting.json)
82
83 jq -n \
84 --arg count "$COUNT" \
85 --arg prs "$PRS" \
86 '{
87 text: ($count + " PR(s) awaiting review for >72 hours"),
88 blocks: [
89 {
90 type: "section",
91 text: {
92 type: "mrkdwn",
93 text: (":hourglass_flowing_sand: *" + $count + " PR(s) Awaiting Review >72 Hours*")
94 }
95 },
96 {
97 type: "section",
98 text: { type: "mrkdwn", text: $prs }
99 },
100 { type: "divider" },
101 {
102 type: "context",
103 elements: [{
104 type: "mrkdwn",
105 text: "PRs awaiting review are surfaced daily. Reviewers: pick one up or reassign."
106 }]
107 }
108 ]
109 }' | \
110 curl -s -X POST "$SLACK_WEBHOOK_PR_REVIEW_BOT" \
111 -H 'Content-Type: application/json' \
112 -d @-
113defaults:
114 run:
115 shell: bash -euxo pipefail {0}