Skip to content

chore: add maintainer setup baseline#3

Closed
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522
Closed

chore: add maintainer setup baseline#3
vincentkoc wants to merge 1 commit into
mainfrom
chore/setup-baseline-20260522

Conversation

@vincentkoc

Copy link
Copy Markdown
Member

Summary

  • add maintainer setup baseline files for this repository
  • add CODEOWNERS, Dependabot, SECURITY.md, CodeQL, stale automation, and Crabbox/autoreview support
  • add AGENTS.md with repo maintainer defaults
  • configure Swift-aware CodeQL and Crabbox hydrate checks

Verification

  • git diff --check
  • ruby YAML.load_file for added/changed YAML files
  • actionlint for added/changed workflow files
  • private-data scan for added/changed non-skill setup files; PNPM_VERSION hits, where present, were false positives
  • verified Crabbox skill SHA-256 matches openclaw/openclaw: ed512c0b0385fae7f6c5c14a7e9e6236ab68936506687a99ca976873492bdc43

Runtime tests were not run; this is setup, policy, and workflow metadata only.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

Codex review: found issues before merge.

Latest ClawSweeper review: 2026-05-22 14:44 UTC / May 22, 2026, 10:44 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds repository maintainer setup files, including CODEOWNERS, Dependabot, SECURITY.md, CodeQL/stale/Crabbox workflows, AGENTS.md, and bundled autoreview/Crabbox skills.

Reproducibility: not applicable. as a maintainer setup PR rather than a user bug. Source inspection gives high-confidence review paths for the workflow and CODEOWNERS defects.

PR rating
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Summary: The baseline is useful but not quality-ready because the patch has blocking security-boundary and automation correctness issues.

Rank-up moves:

  • Constrain Crabbox hydrate to fixed trusted runner labels before executing an input ref.
  • Move Swift CodeQL to macOS and keep Linux only for supported languages.
  • Correct CODEOWNERS to protect the uppercase Scripts directory.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: The author is a repository member and this is maintainer setup metadata, so the external contributor real-behavior proof gate does not apply.

Risk before merge

  • The workflow_dispatch Crabbox job can be aimed at an unintended self-hosted runner label while running code from an input ref, which is a security-boundary risk for repositories with any non-Crabbox self-hosted runners.
  • The Swift CodeQL matrix is likely to fail or produce noisy ineffective scanning because the Swift job is configured on ubuntu-latest instead of macOS.
  • The CODEOWNERS baseline misses the actual uppercase Scripts directory, leaving release/package scripts outside the intended ownership coverage.

Maintainer options:

  1. Tighten setup before merge (recommended)
    Require fixed Crabbox runner labels or a validated lease-label prefix, use macOS for Swift CodeQL, and fix /Scripts/ CODEOWNERS coverage before landing.
  2. Accept maintainer-owned baseline risk
    Maintainers could land as-is only after verifying there are no non-Crabbox self-hosted runners and accepting follow-up churn for CodeQL and CODEOWNERS fixes.
  3. Pause until policy is settled
    Because this is draft maintainer setup, pausing is reasonable if the runner, scanner, and ownership conventions are not finalized yet.

Next step before merge
This draft member-authored automation/security baseline needs maintainer review of the runner, scanner, and ownership policy fixes before merge.

Security
Needs attention: The new Crabbox workflow creates a concrete self-hosted runner selection risk, and the intended CodeQL security scanning is misconfigured for Swift.

Review findings

  • [P1] Constrain Crabbox jobs to Crabbox runners — .github/workflows/crabbox-hydrate.yml:35
  • [P2] Run Swift CodeQL on macOS — .github/workflows/codeql.yml:20
  • [P2] Cover the actual Scripts directory — .github/CODEOWNERS:19
Review details

Best possible solution:

Keep the setup PR open and land it only after constraining Crabbox runner selection, moving Swift CodeQL to macOS with an appropriate build path, and correcting CODEOWNERS casing.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a maintainer setup PR rather than a user bug. Source inspection gives high-confidence review paths for the workflow and CODEOWNERS defects.

Is this the best way to solve the issue?

No, not yet. The baseline direction is maintainable, but the current implementation should tighten runner selection, Swift CodeQL execution, and CODEOWNERS coverage before merge.

Label changes:

  • add P2: This is a normal-priority maintainer setup PR with concrete automation and security-boundary blockers before merge.
  • add merge-risk: 🚨 security-boundary: The new workflow can dispatch code from an input ref onto a self-hosted runner selected by user-provided label.
  • add merge-risk: 🚨 automation: The new CodeQL and CODEOWNERS configuration can fail or miss intended automation coverage after merge.
  • add rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and The baseline is useful but not quality-ready because the patch has blocking security-boundary and automation correctness issues.
  • add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author is a repository member and this is maintainer setup metadata, so the external contributor real-behavior proof gate does not apply.

Label justifications:

  • P2: This is a normal-priority maintainer setup PR with concrete automation and security-boundary blockers before merge.
  • merge-risk: 🚨 security-boundary: The new workflow can dispatch code from an input ref onto a self-hosted runner selected by user-provided label.
  • merge-risk: 🚨 automation: The new CodeQL and CODEOWNERS configuration can fail or miss intended automation coverage after merge.
  • rating: 🧂 unranked krab: Current PR rating is 🧂 unranked krab because proof is 🌊 off-meta tidepool, patch quality is 🧂 unranked krab, and The baseline is useful but not quality-ready because the patch has blocking security-boundary and automation correctness issues.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: The author is a repository member and this is maintainer setup metadata, so the external contributor real-behavior proof gate does not apply.

Full review comments:

  • [P1] Constrain Crabbox jobs to Crabbox runners — .github/workflows/crabbox-hydrate.yml:35
    This uses only self-hosted plus the workflow_dispatch label input to select a runner. Since the job then checks out the requested ref and runs swift package resolve, a dispatcher can target any matching self-hosted runner label in the repo/org instead of a Crabbox-only runner; require fixed Crabbox labels or validate a trusted lease-label prefix before running code.
    Confidence: 0.88
  • [P2] Run Swift CodeQL on macOS — .github/workflows/codeql.yml:20
    The matrix includes swift, but the job runs on ubuntu-latest; GitHub's CodeQL Swift documentation says Swift scanning requires macOS runners, so this workflow will fail or skip the intended Swift analysis. Use a macOS runner for the Swift matrix entry and keep Ubuntu only for languages that support it. (docs.github.com)
    Confidence: 0.93
  • [P2] Cover the actual Scripts directory — .github/CODEOWNERS:19
    The repo's package scripts live under Scripts/, but this CODEOWNERS entry protects lowercase /scripts/. GitHub evaluates CODEOWNERS paths case-sensitively, so release/package script changes would not request the intended owners until this is changed to /Scripts/. (docs.github.com)
    Confidence: 0.96

Overall correctness: patch is incorrect
Overall confidence: 0.9

Security concerns:

  • [high] Input-controlled self-hosted runner label — .github/workflows/crabbox-hydrate.yml:35
    The workflow accepts a runner label from workflow_dispatch and combines it only with self-hosted, then checks out an input ref and runs Swift tooling; this should be constrained to fixed Crabbox labels or validated trusted lease labels.
    Confidence: 0.88
  • [low] Swift CodeQL configured on Linux — .github/workflows/codeql.yml:20
    The Swift CodeQL matrix entry runs on ubuntu-latest even though Swift CodeQL requires macOS, so the intended security scanning control will not work as configured. (docs.github.com)
    Confidence: 0.93

Acceptance criteria:

  • Validate the changed workflow YAML with actionlint after edits.
  • Confirm the Swift CodeQL matrix runs on macOS and does not put Swift on ubuntu-latest.
  • Confirm CODEOWNERS requests ownership for Scripts/package_app.sh and Scripts/install_cli.sh.

What I checked:

  • PR status and scope: Provided GitHub context shows this PR is open, draft, authored by a repository MEMBER, and adds 11 setup/automation files with 2,142 insertions. (e0b737e733c9)
  • Added files confirmed locally: The branch adds .agents skills, .crabbox.yaml, CODEOWNERS, Dependabot, CodeQL, Crabbox hydrate, stale automation, AGENTS.md, and SECURITY.md. (e0b737e733c9)
  • Self-hosted runner selector is input-controlled: The Crabbox hydrate workflow runs on self-hosted plus only the workflow_dispatch runner-label input, then checks out the requested ref and runs Swift package resolution, so a dispatcher can target an unintended self-hosted runner label instead of a fixed Crabbox runner class. (.github/workflows/crabbox-hydrate.yml:35, e0b737e733c9)
  • Crabbox config has fixed runner labels that the workflow does not require: .crabbox.yaml declares fixed runner labels crabbox/openclaw/crawlbar, but the workflow's runs-on list does not include those fixed labels. (.crabbox.yaml:19, e0b737e733c9)
  • Swift CodeQL runner mismatch: The CodeQL matrix includes Swift while using ubuntu-latest for the job; GitHub CodeQL documentation says Swift code scanning requires macOS runners. (docs.github.com) (.github/workflows/codeql.yml:20, e0b737e733c9)
  • CODEOWNERS misses the actual Scripts directory: The proposed CODEOWNERS uses lowercase /scripts/, while current main uses uppercase Scripts/package_app.sh and Scripts/install_cli.sh; GitHub documents CODEOWNERS paths as case-sensitive. (docs.github.com) (.github/CODEOWNERS:19, e0b737e733c9)

Likely related people:

  • vincentkoc: Vincent Koc authored the setup PR and most prior CrawlBar history across release/docs/core surfaces, so he is the strongest routing candidate for baseline policy decisions. (role: feature and setup-area owner; confidence: high; commits: e0b737e733c9, ea0708069147, 4d2fa900de95; files: .github/workflows/codeql.yml, .github/workflows/crabbox-hydrate.yml, .github/CODEOWNERS)
  • mbelinky: Mariano authored the latest main commit and currently blames .github/workflows/ci.yml and Package.swift, the closest existing workflow/package surfaces touched by this setup PR. (role: recent area contributor; confidence: medium; commits: b98fb082bc72, 24213abe4c1b; files: .github/workflows/ci.yml, Package.swift, Scripts/package_app.sh)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b98fb082bc72.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P2 Normal priority bug or improvement with limited blast radius. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels May 22, 2026
@clawsweeper

clawsweeper Bot commented May 22, 2026

Copy link
Copy Markdown

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

  • Merged PRs are hatchable.
  • Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
  • Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.
What is this egg doing here?
  • Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
  • The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
  • Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
  • The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
  • Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

@steipete

Copy link
Copy Markdown
Contributor

Closing this in favor of the shared public skill source at https://github.com/openclaw/agent-skills.

We do not want to vendor the same maintainer skills into every repo. Repos that need zero-setup guidance should add a small pointer to openclaw/agent-skills; shared skill content should be updated there first and synced only where a vendored snapshot is intentionally required.

@steipete steipete closed this May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. merge-risk: 🚨 security-boundary 🚨 Merging this PR could weaken sandboxing, authorization, credentials, or sensitive data. P2 Normal priority bug or improvement with limited blast radius. rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants