From cd5e88464bed3f1e6442d7753923ea056080c5c3 Mon Sep 17 00:00:00 2001
From: ds4psb-ai
Date: Sat, 9 May 2026 01:50:55 +0900
Subject: [PATCH 1/3] ci: add timeout-minutes to disabled-target echo jobs

Three workflows have echo-only "disabled-target" jobs that fall back to GitHub's 360-minute job default. Even trivial echo jobs deserve an explicit small timeout to bound runner exposure on stalled steps.
---
 .github/workflows/commit-review.yml | 1 +
 .github/workflows/repair-commit-finding-intake.yml | 1 +
 .github/workflows/sweep.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/workflows/commit-review.yml b/.github/workflows/commit-review.yml
index 12b2edb43d..727f920114 100644
--- a/.github/workflows/commit-review.yml
+++ b/.github/workflows/commit-review.yml
@@ -52,6 +52,7 @@ jobs:
 name: Skip disabled target commit review
 if: ${{ github.event_name == 'repository_dispatch' && github.event.client_payload.target_repo == 'openclaw/clawhub' && vars.CLAWSWEEPER_ENABLE_CLAWHUB != '1' }}
 runs-on: ubuntu-latest
+ timeout-minutes: 5
 steps:
 - name: Explain skipped commit review
 run: |
diff --git a/.github/workflows/repair-commit-finding-intake.yml b/.github/workflows/repair-commit-finding-intake.yml
index 658bc7f936..6da66733ec 100644
--- a/.github/workflows/repair-commit-finding-intake.yml
+++ b/.github/workflows/repair-commit-finding-intake.yml
@@ -74,6 +74,7 @@ jobs:
 name: Skip disabled target commit finding
 if: ${{ github.event_name == 'repository_dispatch' && github.event.client_payload.target_repo == 'openclaw/clawhub' && vars.CLAWSWEEPER_ENABLE_CLAWHUB != '1' }}
 runs-on: ubuntu-latest
+ timeout-minutes: 5
 steps:
 - name: Explain skipped commit finding
 run: |
diff --git a/.github/workflows/sweep.yml b/.github/workflows/sweep.yml
index 843648ece0..027d054aed 100644
--- a/.github/workflows/sweep.yml
+++ b/.github/workflows/sweep.yml
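Review bot: The guard job in commit-review.yml shows no job-level `permissions:` beside the new `timeout-minutes: 5`, so an echo-only job still receives whatever GITHUB_TOKEN scope the workflow or repository default grants. Since the stated aim is to bound exposure, adding `permissions: {}` under `runs-on: ubuntu-latest` would drop the token for this job altogether. Any top-level `permissions:` block lies outside the hunk, so the scope may already be narrowed there. The matching guard jobs in repair-commit-finding-intake.yml and sweep.yml are in the same position; each job's `run: |` body continues past its hunk.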
@@ -141,6 +141,7 @@ jobs:
 name: Skip disabled target event
 if: ${{ github.event_name == 'repository_dispatch' && github.event.client_payload.target_repo == 'openclaw/clawhub' && vars.CLAWSWEEPER_ENABLE_CLAWHUB != '1' }}
 runs-on: ubuntu-latest
+ timeout-minutes: 5
 steps:
 - name: Explain skipped event
 run: |

From 7606340da46d7fb298f0b113acd88935224c02dc Mon Sep 17 00:00:00 2001
From: ds4psb-ai
Date: Sat, 9 May 2026 01:53:15 +0900
Subject: [PATCH 2/3] ci: add concurrency groups to write-side repair workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three write-side workflows lacked a top-level concurrency: block: - repair-comment-router.yml (cron */5min + repository_dispatch) - repair-self-heal.yml (cron 17,47 hourly) - repair-finalize-open-prs.yml (workflow_dispatch only) Without a group, overlapping cron/dispatch runs can race each other on git push (rebase-strategy=theirs ledger commits) and dispatch worker slots. comment-router uses a per-target dynamic group to keep parallel target-repo runs separate; self-heal and finalize-open-prs use static singleton groups since they operate fleet-wide. cancel-in-progress is false everywhere — these workflows write ledger state and should not be interrupted mid-publish.
---
 .github/workflows/repair-comment-router.yml | 4 ++++
 .github/workflows/repair-finalize-open-prs.yml | 4 ++++
 .github/workflows/repair-self-heal.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/repair-comment-router.yml b/.github/workflows/repair-comment-router.yml
index 965fbd9c29..33c6893c64 100644
--- a/.github/workflows/repair-comment-router.yml
+++ b/.github/workflows/repair-comment-router.yml
@@ -68,6 +68,10 @@ env:
 FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
 
+concurrency:
+ group: repair-comment-router-${{ github.event.inputs.target_repo || github.event.client_payload.target_repo || 'openclaw/openclaw' }}
+ cancel-in-progress: false
+
 jobs:
 route-comments:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/repair-finalize-open-prs.yml b/.github/workflows/repair-finalize-open-prs.yml
index 5e84e3d80d..8e2e8b8ec3 100644
--- a/.github/workflows/repair-finalize-open-prs.yml
+++ b/.github/workflows/repair-finalize-open-prs.yml
@@ -33,6 +33,10 @@ env:
 FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
 
+concurrency:
+ group: clawsweeper-repair-finalize-open-prs
+ cancel-in-progress: false
+
 jobs:
 finalize:
 runs-on: ${{ inputs.runner }}
diff --git a/.github/workflows/repair-self-heal.yml b/.github/workflows/repair-self-heal.yml
index 180861839f..73a759d7f4 100644
--- a/.github/workflows/repair-self-heal.yml
+++ b/.github/workflows/repair-self-heal.yml
@@ -39,6 +39,10 @@ env:
 FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
 CLAWSWEEPER_APP_CLIENT_ID: Iv23liOECG0slfuhz093
 
+concurrency:
+ group: clawsweeper-repair-self-heal
+ cancel-in-progress: false
+
 jobs:
 self-heal:
 runs-on: ${{ github.event_name == 'workflow_dispatch' && inputs.runner || vars.CLAWSWEEPER_WORKER_RUNNER || 'blacksmith-4vcpu-ubuntu-2404' }}

From 4237d2fb3d9285f6b876289a950ea6ef22fa9f0c Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 9 May 2026 13:55:10 +0100
Subject: [PATCH 3/3] docs: credit workflow hardening

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9337c3bf49..81876b195b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
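Review bot: `cancel-in-progress: false` in repair-comment-router.yml protects only the run that is executing; GitHub keeps a single pending run per concurrency group, and a newer queued run replaces it. With the 5-minute cron and `repository_dispatch` both falling into the `openclaw/openclaw` group, a waiting dispatch run can be cancelled by the next scheduled run, and its `client_payload` goes with it unless the router re-discovers work by polling, which the hunk does not show. A comment above the block would record the trade-off, e.g. `# one running + one pending run per group; a newer queued run replaces the pending one`. The static groups added in repair-finalize-open-prs.yml and repair-self-heal.yml behave the same way for stacked manual dispatches. Separately, if every target pushes to one shared ledger branch, keying this group on `target_repo` still lets two targets push at once; the push step is outside the hunk.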
@@ -30,6 +30,8 @@ checkpoint, and status-only commits are intentionally omitted. - Suppressed changelog-only OpenClaw PR review findings after model output so contributor PRs do not get needs-changes or fix-required markers solely for maintainer-owned release notes. Thanks @rubencu. +- Added explicit timeouts for disabled-target workflow guard jobs and + concurrency groups for write-side repair workflows. Thanks @ds4psb-ai. - Gave manual exact-item review dispatches their own concurrency group so targeted maintainer reviews no longer wait behind broad normal backfill runs. - Downgraded screenshot-only browser runtime proof so ClawSweeper no longer accepts "no visible console/CSP violation" screenshots as sufficient real behavior proof. Thanks @BunsDev.