chore: udpate stale github workflow

* fix: arm64: collapse per-core CPU info lists to a single line (#576)

 built from commit 7d9345a32f
 dated 2026-06-02 17:21:31 +0000
 by Stéphane Lesimple (speed47_github@speed47.net)

 Store the per-core implementer/part/arch/variant/revision lists
space-separated (no embedded newlines, which also cleans up JSON and
prometheus output) and dedup them for the human-readable display, so
homogeneous systems show e.g. "0x41" instead of repeating it per core.

.github/workflows/autoupdate.yml

@@ -13,7 +13,7 @@ jobs:
   autoupdate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: source
       - name: Install prerequisites

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ on:
       action:
         description: "dry-run"
         required: true
-        default: "dryrun"
+        default: "apply"
         type: choice
         options:
           - dryrun
@@ -30,4 +30,7 @@ jobs:
           days-before-close: 7
           stale-issue-label: stale
           remove-stale-when-updated: true
+          close-issue-reason: completed
+          stale-issue-message: "If there are no further comments or activity on this issue, it'll be closed automatically in 7 days."
+          close-issue-message: "Automatically closing this issue due to inactivity, don't hesitate to open a new issue if needed."
           debug-only: ${{ case(inputs.action == 'dryrun', true, false) }}

.github/workflows/vuln-watch.yml

@@ -45,14 +45,14 @@ jobs:
       # workflow file itself MUST stay on the default branch, as GitHub only
       # honors `schedule:` triggers on the default branch.
       - name: Checkout vuln-watch branch (scripts + prompt)
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: vuln-watch
           fetch-depth: 1
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 
@@ -84,7 +84,7 @@ jobs:
 
       - name: Download previous state artifact
         if: steps.prev.outputs.run_id != ''
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v8
         continue-on-error: true   # tolerate retention expiry
         with:
           name: vuln-watch-state
@@ -115,7 +115,7 @@ jobs:
       # implemented?". Only fetched on days with something to classify.
       - name: Checkout checker code (test branch) for coverage grep
         if: steps.diff.outputs.new_count != '0' || steps.diff.outputs.reconsider_count != '0'
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: test
           path: checker
@@ -150,7 +150,7 @@ jobs:
 
       - name: Upload Claude execution log
         if: ${{ always() && steps.classify.outputs.execution_file != '' }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: claude-execution-log-${{ github.run_id }}
           path: ${{ steps.classify.outputs.execution_file }}
@@ -168,7 +168,7 @@ jobs:
 
       - name: Upload new state artifact
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: vuln-watch-state
           path: state/seen.json
@@ -177,7 +177,7 @@ jobs:
 
       - name: Upload daily report
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: vuln-watch-report-${{ github.run_id }}
           path: |

spectre-meltdown-checker.sh

@@ -13,7 +13,7 @@
 #
 # Stephane Lesimple
 #
-VERSION='26.36.0601873'
+VERSION='26.36.0602723'
 
 # --- Common paths and basedirs ---
 readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
@@ -3936,11 +3936,18 @@ parse_cpu_details() {
         # cpu_variant_list and cpu_revision_list are consumed by ARM64 errata affection checks
         # that need to match a specific revision range.
         if grep -q 'CPU implementer' "$g_procfs/cpuinfo"; then
-            cpu_impl_list=$(awk '/CPU implementer/ {print $4}' "$g_procfs/cpuinfo")
+            # keep these single-line (space-separated) so consumers and outputs (JSON, prometheus)
-            cpu_part_list=$(awk '/CPU part/         {print $4}' "$g_procfs/cpuinfo")
+            # don't end up with embedded newlines; per-core order is preserved for the errata checks
-            cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$g_procfs/cpuinfo")
+            cpu_impl_list=$(awk '/CPU implementer/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
-            cpu_variant_list=$(awk '/CPU variant/   {print $4}' "$g_procfs/cpuinfo")
+            cpu_impl_list=${cpu_impl_list% }
-            cpu_revision_list=$(awk '/CPU revision/ {print $4}' "$g_procfs/cpuinfo")
+            cpu_part_list=$(awk '/CPU part/         {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
+            cpu_part_list=${cpu_part_list% }
+            cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$g_procfs/cpuinfo" | tr '\n' ' ')
+            cpu_arch_list=${cpu_arch_list% }
+            cpu_variant_list=$(awk '/CPU variant/   {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
+            cpu_variant_list=${cpu_variant_list% }
+            cpu_revision_list=$(awk '/CPU revision/ {print $4}' "$g_procfs/cpuinfo" | tr '\n' ' ')
+            cpu_revision_list=${cpu_revision_list% }
         fi
         # Map first-seen implementer to cpu_vendor; note that heterogeneous systems
         # (e.g. DynamIQ with ARM+Kryo cores) would all map to one vendor here, but
@@ -5051,6 +5058,12 @@ check_kernel_info() {
     fi
 }
 
+# Collapse a whitespace-separated list to its unique values, preserving first-seen order.
+# Used to prettify the per-core ARM lists for display (e.g. "0x41 0x41 0x41 0x41" -> "0x41").
+_uniq_list() {
+    echo "$1" | awk '{ for (i = 1; i <= NF; i++) if (!seen[$i]++) printf "%s%s", (n++ ? " " : ""), $i }'
+}
+
 # Display hardware-level CPU mitigation support (microcode features, ARCH_CAPABILITIES, etc.)
 check_cpu() {
     local capabilities ret spec_ctrl_msr codename ucode_str
@@ -5060,13 +5073,13 @@ check_cpu() {
         pr_info "  * Vendor: $cpu_vendor"
         pr_info "  * Model name: $cpu_friendly_name"
         if [ -n "${cpu_impl_list:-}" ]; then
-            pr_info "  * Implementer(s): $cpu_impl_list"
+            pr_info "  * Implementer(s): $(_uniq_list "$cpu_impl_list")"
         fi
         if [ -n "${cpu_part_list:-}" ]; then
-            pr_info "  * Part(s): $cpu_part_list"
+            pr_info "  * Part(s): $(_uniq_list "$cpu_part_list")"
         fi
         if [ -n "${cpu_arch_list:-}" ]; then
-            pr_info "  * Architecture(s): $cpu_arch_list"
+            pr_info "  * Architecture(s): $(_uniq_list "$cpu_arch_list")"
         fi
         if has_runtime; then
             pr_info_nol "  * Running as VM guest: "