chore(repo): Use GITHUB_TOKEN in lock-threads workflow

[dominic-clerk]

Description

Both lock-threads and stale actions will read the GITHUB_TOKEN when we don't give one explicitely.

• https://github.com/actions/stale
• https://github.com/dessant/lock-threads

This reduces usage of long-lived tokens and reduces attack surface should those actions be compromised one day.

We already give write permission for both issues and pull-requests in the workflow so that doesn't need to change.

Related to SEC-223

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Chores
  • Simplified authentication in automated workflows by removing explicit credential inputs and relying on default/implicit authentication.
  • Reduced exposed configuration surface in CI processes and standardized credential handling to streamline maintenance and improve security posture.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 65a3365

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Dec 16, 2025 3:30pm

[coderabbitai]

Walkthrough

Removed explicit repo-token/github-token inputs from several steps in the GitHub Actions workflow .github/workflows/lock-threads.yml; those steps now rely on GitHub Actions' default/implicit authentication.

Changes

Cohort / File(s)	Summary
Workflow token input removals \.github/workflows/lock-threads\.yml	Removed repo-token: ${{ secrets.CLERK_COOKIE_PAT }} from three actions/stale@v9 steps and removed github-token: ${{ secrets.CLERK_COOKIE_PAT }} from the dessant/lock-threads@v4 step; actions now use implicit/default auth.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Single workflow file with limited, consistent edits.
• Review focus:
  • Confirm job-level permissions and default token scope are sufficient for actions/stale@v9 and dessant/lock-threads@v4.
  • Ensure no other workflow steps or external tooling expect the removed secret.
  • Validate alignment with SEC-223 objective to remove hardcoded token usage.

Poem

🐇 I nudged the tokens out of sight,
The workflow hums with default light,
No secrets hidden in the stream,
I hop ahead — a cleaner dream. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: replacing custom tokens with GITHUB_TOKEN in the lock-threads workflow.
Linked Issues check	✅ Passed	The PR directly addresses SEC-223 by replacing hardcoded long-lived tokens with the built-in GITHUB_TOKEN, reducing credential exposure and attack surface.
Out of Scope Changes check	✅ Passed	All changes are scoped to the lock-threads workflow and directly support the objective of eliminating hardcoded tokens in favor of short-lived credentials.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dc-lock-github-token

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e2164c3 and 65a3365.

📒 Files selected for processing (1)

• .github/workflows/lock-threads.yml (0 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/lock-threads.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (26)

• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Build Packages
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7464

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7464

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7464

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7464

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7464

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7464

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7464

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7464

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7464

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7464

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7464

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7464

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7464

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7464

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7464

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7464

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7464

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7464

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7464

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7464

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7464

commit: 65a3365

[jacekradko]

👍🏼