nanoclaw

wangjunxiao/nanoclaw

Fork 0

Commit Graph

Author	SHA1	Message	Date
glifocat	2b51a4e707	fix(workflows): label PRs from forks that follow the contributing template On a fork PR, GITHUB_TOKEN is demoted to read-only regardless of the workflow's permissions: block, so issues.addLabels() returns 403. The label workflow silently works for PRs that skip the template (no checkboxes ticked → no API call) and fails for PRs that actually follow it — a hostile incentive against contributors who do the right thing. pull_request_target runs in the context of the base branch with full declared permissions, which is the documented fix for this case. Safe here because the workflow is metadata-only: it reads context.payload.pull_request.body and calls addLabels. No checkout, no PR-supplied code executes. A SECURITY comment is added above the trigger to keep it that way. Refs: - https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target - https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 12:50:25 +02:00
gavrielc	ec1b14504b	docs: update contributing guidelines and skill type taxonomy - Rewrite CONTRIBUTING.md with four skill types (feature, utility, operational, container), PR requirements, pre-submission checklist - Update PR template with skill type checkboxes and docs option - Add label-pr workflow to auto-label PRs from template checkboxes - Add hidden template version marker (v1) for follows-guidelines label - Update CLAUDE.md with skill types overview and contributing instruction - Update skills-as-branches.md to reference full taxonomy - Remove /clear from README RFS (already exists as /add-compact) - Delete obsolete docs (nanorepo-architecture.md, nanoclaw-architecture-final.md) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-21 13:08:42 +02:00

Author

SHA1

Message

Date

glifocat

2b51a4e707

fix(workflows): label PRs from forks that follow the contributing template

On a fork PR, GITHUB_TOKEN is demoted to read-only regardless of the
workflow's permissions: block, so issues.addLabels() returns 403. The
label workflow silently works for PRs that skip the template (no
checkboxes ticked → no API call) and fails for PRs that actually
follow it — a hostile incentive against contributors who do the right
thing.

pull_request_target runs in the context of the base branch with full
declared permissions, which is the documented fix for this case. Safe
here because the workflow is metadata-only: it reads
context.payload.pull_request.body and calls addLabels. No checkout,
no PR-supplied code executes. A SECURITY comment is added above the
trigger to keep it that way.

Refs:
- https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
- https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-24 12:50:25 +02:00

gavrielc

ec1b14504b

docs: update contributing guidelines and skill type taxonomy

- Rewrite CONTRIBUTING.md with four skill types (feature, utility,
  operational, container), PR requirements, pre-submission checklist
- Update PR template with skill type checkboxes and docs option
- Add label-pr workflow to auto-label PRs from template checkboxes
- Add hidden template version marker (v1) for follows-guidelines label
- Update CLAUDE.md with skill types overview and contributing instruction
- Update skills-as-branches.md to reference full taxonomy
- Remove /clear from README RFS (already exists as /add-compact)
- Delete obsolete docs (nanorepo-architecture.md, nanoclaw-architecture-final.md)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-21 13:08:42 +02:00

2 Commits