From 57ad3591a15303cbfee6c9424ad95ea4f57672c2 Mon Sep 17 00:00:00 2001 From: Gabi Simons Date: Sun, 19 Apr 2026 12:46:34 +0000 Subject: [PATCH] docs(add-github): document bot account, userName, sender policy, and wiring Update SKILL.md with tested setup: dedicated bot account prerequisite, GITHUB_BOT_USERNAME env var for @-mention detection, private vs public repo sender policy guidance, member registration for strict mode, per-thread session mode, and wiring example. Co-Authored-By: Claude Opus 4.6 (1M context) --- .claude/skills/add-github/SKILL.md | 86 ++++++++++++++++++++++++------ 1 file changed, 70 insertions(+), 16 deletions(-) diff --git a/.claude/skills/add-github/SKILL.md b/.claude/skills/add-github/SKILL.md index e60e562..78366f3 100644 --- a/.claude/skills/add-github/SKILL.md +++ b/.claude/skills/add-github/SKILL.md @@ -7,6 +7,10 @@ description: Add GitHub channel integration via Chat SDK. PR and issue comment t Adds GitHub support via the Chat SDK bridge. The agent participates in PR and issue comment threads. +## Prerequisites + +You need a **dedicated GitHub bot account** (not your personal account). The adapter uses this account to post replies and filters out its own messages to avoid loops. Create a free GitHub account for your bot (e.g. `my-org-bot`), then invite it as a collaborator with write access to the repos you want monitored. + ## Install NanoClaw doesn't ship channels in trunk. This skill copies the GitHub adapter in from the `channels` branch. 
@@ -55,40 +59,90 @@ pnpm run build ## Credentials -> 1. Go to [GitHub Settings > Developer Settings > Personal Access Tokens](https://github.com/settings/tokens) -> 2. Create a **Fine-grained token** with: -> - Repository access: select the repos you want the bot to monitor -> - Permissions: **Pull requests** (Read & Write), **Issues** (Read & Write) -> 3. Copy the token -> 4. Set up a webhook on your repo(s): -> - Go to **Settings** > **Webhooks** > **Add webhook** -> - Payload URL: `https://your-domain/webhook/github` -> - Content type: `application/json` -> - Secret: generate a random string -> - Events: select **Issue comments**, **Pull request review comments** +### 1. Create a Personal Access Token for the bot account -### Configure environment +Log in as your **bot account**, then: + +1. Go to [Settings > Developer Settings > Personal Access Tokens](https://github.com/settings/tokens) +2. Create a **Fine-grained token** with: + - Repository access: select the repos you want the bot to monitor + - Permissions: **Pull requests** (Read & Write), **Issues** (Read & Write) +3. Copy the token + +### 2. Set up a webhook on each repo + +On each repo (logged in as the repo owner/admin): + +1. Go to **Settings** > **Webhooks** > **Add webhook** +2. Payload URL: `https://your-domain/webhook/github` (the shared webhook server, default port 3000) +3. Content type: `application/json` +4. Secret: generate a random string (e.g. `openssl rand -hex 20`) +5. Events: select **Issue comments** and **Pull request review comments** + +### 3. Configure environment Add to `.env`: ```bash GITHUB_TOKEN=github_pat_... GITHUB_WEBHOOK_SECRET=your-webhook-secret +GITHUB_BOT_USERNAME=your-bot-username ``` +`GITHUB_BOT_USERNAME` must match the bot account's GitHub username exactly. This is used for @-mention detection — the agent responds when someone writes `@your-bot-username` in a PR or issue comment. 
+ Sync to container: `mkdir -p data/env && cp .env data/env/env` +## Wiring + +Ask the user: **Is this a private or public repo?** + +- **Private repo** — use `unknown_sender_policy: 'public'`. Only collaborators can comment anyway, so it's safe to let all comments through. +- **Public repo** — use `unknown_sender_policy: 'strict'`. Only registered members can trigger the agent, preventing strangers from consuming agent resources. Add trusted collaborators as members (see below). + +Run `/manage-channels` to wire the GitHub channel to an agent group, or insert manually: + +```sql +-- Create messaging group (one per repo) +INSERT INTO messaging_groups (id, channel_type, platform_id, name, is_group, unknown_sender_policy, created_at) +VALUES ('mg-github-myrepo', 'github', 'github:owner/repo', 'owner/repo', 1, '', datetime('now')); + +-- Wire to agent group +INSERT INTO messaging_group_agents (id, messaging_group_id, agent_group_id, trigger_rules, response_scope, session_mode, priority, created_at) +VALUES ('mga-github-myrepo', 'mg-github-myrepo', '', '', 'all', 'per-thread', 10, datetime('now')); +``` + +Replace `` with `public` or `strict` based on the user's choice above. + +### Adding members (for strict mode) + +When using `strict`, add each GitHub user who should be able to trigger the agent: + +```sql +-- Add user (kind = 'github', id = 'github:') +INSERT OR IGNORE INTO users (id, kind, display_name, created_at) +VALUES ('github:', 'github', '', datetime('now')); + +-- Grant membership to the agent group +INSERT OR IGNORE INTO agent_group_members (user_id, agent_group_id) +VALUES ('github:', ''); +``` + +To find a GitHub user's numeric ID: `gh api users/ --jq .id` + +Use `per-thread` session mode so each PR/issue gets its own agent session. + ## Next Steps If you're in the middle of `/setup`, return to the setup flow now. -Otherwise, run `/manage-channels` to wire this channel to an agent group. 
+Otherwise, restart the service (`systemctl --user restart nanoclaw` or `launchctl kickstart -k gui/$(id -u)/com.nanoclaw`) to pick up the new channel. ## Channel Info - **type**: `github` - **terminology**: GitHub has "repositories" containing "pull requests" and "issues." Each PR or issue comment thread is a separate conversation. -- **how-to-find-id**: The platform ID is `owner/repo` (e.g. `acme/backend`). Each PR/issue becomes its own thread automatically. +- **how-to-find-id**: The platform ID is `github:owner/repo` (e.g. `github:acme/backend`). Each PR/issue becomes its own thread automatically. - **supports-threads**: yes (PR and issue comment threads are native conversations) -- **typical-use**: Webhook/notification — the agent receives PR and issue events and responds in comment threads -- **default-isolation**: Typically shares a session with a chat channel (e.g. Slack) so the agent can summarize PRs and respond to reviews in the same context. Use a separate agent group if the repo contains sensitive code that other channels shouldn't access. +- **typical-use**: Webhook-driven — the agent receives PR and issue comment events and responds in comment threads when @-mentioned. After the first mention, the thread is subscribed and the agent responds to all follow-up comments. +- **default-isolation**: Use `per-thread` session mode. Each PR or issue gets its own isolated agent session. Typically wire to a dedicated agent group if the repo contains sensitive code.
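Review bot: in the new Prerequisites section (hunk `@@ -7,6 +7,10 @@`), "invite it as a collaborator with write access" grants the bot more than the token section below asks for (only Pull requests and Issues, Read & Write). Write collaborator access also lets the bot push to the repos, which a comment-only adapter does not need, and that is the account whose token is copied into `data/env/env` later in the doc. Suggest documenting the minimum repo role that actually lets the bot read and comment on PRs/issues (verify whether a lower role is sufficient before recommending write), and keeping the token permissions as the primary scope control: "invite it as a collaborator with the lowest role that can comment on issues and PRs".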
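Review bot: the placeholders in the wiring section (hunk `@@ -55,40 +59,90 @@`) have dropped out, so the SQL is not copy-pasteable: `unknown_sender_policy` and `agent_group_id` are written as `''` in the two `INSERT` statements, the member inserts use `'github:'` and `''`, the prose reads "Replace `` with `public` or `strict`", and the lookup is `gh api users/ --jq .id`. A reader who runs these as written creates a messaging group with an empty sender policy wired to an empty agent group. Use visible placeholders such as `<policy>`, `<agent-group-id>`, `github:<user-id>`, `<display-name>` and `users/<username>`, and state which value goes where. Two caveats also belong here: next to "`GITHUB_BOT_USERNAME` must match the bot account's GitHub username exactly", say that the adapter uses this name to filter its own comments (per the Prerequisites text), so a typo disables the loop guard and the bot can start replying to its own comments in a subscribed thread; and the "private repo, use `public`" rule rests on the repo staying private, so note that making the repo public later requires switching the policy to `strict` and registering members.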