Skip to content

chore: add maintainer setup baseline#14

Closed
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522
Closed

chore: add maintainer setup baseline#14
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522

Conversation

@vincentkoc

Copy link
Copy Markdown
Member

Summary

  • add maintainer setup baseline files for this repository\n- add CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, and Crabbox/autoreview support

Verification

  • git diff --check
  • ruby YAML.load_file for added/changed YAML files
  • actionlint for added/changed workflow files
  • private-data scan for added/changed non-skill setup files
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 10:23 UTC / May 22, 2026, 6:23 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The branch adds maintainer setup files: CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, Crabbox configuration, and Crabbox/autoreview agent skills.

Reproducibility: not applicable. this is a setup and workflow-administration PR rather than a bug report. The review path is source/diff inspection of the added automation and current-main workflow conventions.

PR rating
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Summary: The setup is useful in scope but not quality-ready because the added workflows introduce a concrete supply-chain and automation risk.

Rank-up moves:

  • Pin every newly added workflow action ref to a full audited SHA.
  • Have maintainers confirm the stale, CODEOWNERS, and Crabbox policy choices before marking the draft ready.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The author association is MEMBER and the PR is repository setup metadata, so the external contributor real-behavior proof gate does not apply.

Risk before merge

  • Merging as-is would introduce mutable GitHub Action refs in workflows, including scheduled issue/PR-writing automation, which is a supply-chain and repository-automation risk not covered by normal CI success.
  • The stale workflow, CODEOWNERS team, and Crabbox validation baseline are repository policy choices that need maintainer approval before the draft is made ready.

Maintainer options:

  1. Pin workflow actions first (recommended)
    Update every action reference introduced by this PR to a full audited commit SHA before considering the repository automation safe to merge.
  2. Accept floating major tags
    Maintainers could explicitly accept mutable major tags for these setup workflows, but that would be a deliberate repository security-policy exception.
  3. Pause the baseline rollout
    If the CODEOWNERS, stale automation, or Crabbox policy is not settled, keep the draft paused rather than landing partial automation.

Next step before merge
This is a security-sensitive maintainer setup PR with repository policy choices; maintainers should review it after the action refs are pinned.

Security
Needs attention: The diff introduces new workflow code-execution paths with mutable action refs, including a stale workflow with issue and pull-request write permissions.

Review findings

  • [P1] Pin write-capable workflow actions to SHAs — .github/workflows/stale.yml:18
Review details

Best possible solution:

Pin every added workflow action to audited full SHAs, then have maintainers explicitly approve the CODEOWNERS, stale, and Crabbox baseline before merge.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a setup and workflow-administration PR rather than a bug report. The review path is source/diff inspection of the added automation and current-main workflow conventions.

Is this the best way to solve the issue?

No, not yet: the setup direction is plausible, but the workflows should follow the current SHA-pinning pattern before merge. Maintainers also need to approve the repository automation and ownership policy choices.

Label changes:

  • add P2: This is a normal-priority maintainer setup PR with security-sensitive automation, not an urgent runtime regression.
  • add merge-risk: 🚨 security-boundary: The PR adds CI/workflow execution paths with mutable action refs, including actions that run with repository write-related permissions.
  • add merge-risk: 🚨 automation: The PR adds stale automation that can label and close issues or pull requests after merge.
  • add rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and The setup is useful in scope but not quality-ready because the added workflows introduce a concrete supply-chain and automation risk.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author association is MEMBER and the PR is repository setup metadata, so the external contributor real-behavior proof gate does not apply.

Label justifications:

  • P2: This is a normal-priority maintainer setup PR with security-sensitive automation, not an urgent runtime regression.
  • merge-risk: 🚨 security-boundary: The PR adds CI/workflow execution paths with mutable action refs, including actions that run with repository write-related permissions.
  • merge-risk: 🚨 automation: The PR adds stale automation that can label and close issues or pull requests after merge.
  • rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and The setup is useful in scope but not quality-ready because the added workflows introduce a concrete supply-chain and automation risk.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author association is MEMBER and the PR is repository setup metadata, so the external contributor real-behavior proof gate does not apply.

Full review comments:

  • [P1] Pin write-capable workflow actions to SHAs — .github/workflows/stale.yml:18
    This adds scheduled issue/PR-writing automation but runs actions/stale from the mutable v10 tag, while the current workflows pin action refs to full SHAs. A tag move or compromised upstream release path would execute with issues and pull-requests write permissions, so pin this and the other newly added workflow actions to audited SHAs before merge.
    Confidence: 0.87

Overall correctness: patch is incorrect
Overall confidence: 0.86

Security concerns:

  • [medium] Mutable workflow action refs — .github/workflows/stale.yml:18
    The new stale workflow uses actions/stale@v10 while holding issues and pull-requests write permissions, diverging from current main's full-SHA action pinning pattern and increasing supply-chain exposure.
    Confidence: 0.87

What I checked:

  • PR metadata: GitHub context marks this PR as draft and authorAssociation MEMBER, so this cleanup workflow should not auto-close it even if some setup is desirable. (0bbfaea070ad)
  • Mutable write-capable action ref: The added stale workflow grants issues and pull-requests write permissions, then runs actions/stale from the mutable v10 tag. (.github/workflows/stale.yml:18, 0bbfaea070ad)
  • Current workflow pinning pattern: Current main pins existing workflow actions to full commit SHAs, including checkout, setup-go, pnpm/action-setup, and setup-node in CI. (.github/workflows/ci.yml:31, 2728032d8dcf)
  • Workflow history: The existing workflow area on current main is recent and concentrated in Peter Steinberger commits, including the initial workflow baseline and later coverage-gate change. (.github/workflows/ci.yml:31, 2728032d8dcf)
  • Main lacks the setup files: Current main only has ci.yml, pages.yml, release.yml, and AGENTS.md in the inspected setup paths; CODEOWNERS, Dependabot, SECURITY.md, .crabbox.yaml, and .agents skills are not already present. (2728032d8dcf)

Likely related people:

  • Peter Steinberger: Git history and blame show Peter authored the current workflow baseline and the latest CI workflow change, so he is the best current-main routing candidate for workflow policy and action-pinning consistency. (role: recent workflow contributor; confidence: high; commits: 42ebb1da24e7, 2728032d8dcf; files: .github/workflows/ci.yml, .github/workflows/pages.yml, .github/workflows/release.yml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2728032d8dcf.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete

Copy link
Copy Markdown
Contributor

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.

@steipete steipete closed this May 22, 2026
@shakkernerd shakkernerd deleted the chore/setup-baseline-20260522 branch May 22, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants