
Docs: harden maintainer flow and security advisory process#16173

Merged
mbelinky merged 1 commit into main from chore/security-workflow-hardening on Feb 14, 2026

Conversation


@mbelinky mbelinky commented Feb 14, 2026

  • adds explicit local-first / no-remote-write-until-approved policy
  • adds GHSA companion flow (publisher handoff, manual advisory comments, version-field rules)
  • updates review/prepare/merge skills to require explicit go-ahead before GH write actions
  • adds anti "chasing main" guidance

Greptile Overview

Greptile Summary

This PR rewrites the maintainer PR workflow and all three skill files (review-pr, prepare-pr, merge-pr) to replace the script-wrapper-based approach with direct gh CLI commands, adds a local-first/no-remote-write-until-approved policy, introduces a GHSA security advisory companion flow, and adds anti "chasing main" guidance.

  • Remote write policy: All three skills now require explicit maintainer approval before any GitHub write action (push, comment, merge, advisory edit). This is a meaningful security hardening.
  • Script removal: Removes all references to scripts/pr-review, scripts/pr-prepare, scripts/pr-merge, and scripts/committer wrappers (note: the scripts still exist in the repo). The new inline shell snippets make the workflow self-contained.
  • --auto merge policy reversal: The previous version explicitly prohibited gh pr merge --auto for maintainer landings (to ensure deterministic attribution). The new merge-pr skill introduces --auto as a fallback when checks are pending. PR_WORKFLOW.md "chasing main" section aligns with this, so this appears intentional.
  • Two bugs found: (1) prepare-pr/SKILL.md uses ~/openclaw for the worktree base path while review-pr and merge-pr use ~/dev/openclaw, breaking the sequential workflow. (2) merge-pr/SKILL.md comment heredoc uses <<'EOF' (single-quoted) which prevents $merge_sha and $contrib variable expansion, resulting in literal $ strings in the PR comment.

Confidence Score: 3/5

  • Documentation-only PR with good intent but contains two concrete bugs that would cause workflow failures at runtime.
  • The PR has a clear goal and the overall direction (local-first policy, advisory flow, chasing-main mitigation) is solid. However, the inconsistent worktree path in prepare-pr would break the sequential three-skill workflow, and the single-quoted heredoc in merge-pr would produce incorrect PR comments. Both are straightforward fixes but need to be addressed before merge.
  • .agents/skills/prepare-pr/SKILL.md (wrong base path) and .agents/skills/merge-pr/SKILL.md (heredoc quoting bug).

Last reviewed commit: 664cbda

@openclaw-barnacle openclaw-barnacle bot added the labels "size: L" and "maintainer" (Maintainer-authored PR) Feb 14, 2026
@mbelinky mbelinky merged commit 01d2ad2 into main Feb 14, 2026
13 checks passed
@mbelinky mbelinky deleted the chore/security-workflow-hardening branch February 14, 2026 11:59

@greptile-apps greptile-apps bot left a comment


4 files reviewed, 2 comments


Comment on .agents/skills/merge-pr/SKILL.md, lines +153 to +159
gh pr comment <PR> -F - <<'EOF'
Merged via squash.

4. Manual fallback (only if wrapper is unavailable)
- Merge commit: $merge_sha

Thanks @$contrib!
EOF
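Review bot: The heredoc body at lines +153 to +159 carries a stray "4. Manual fallback (only if wrapper is unavailable)" line between "Merged via squash." and the merge-commit bullet, so the posted comment would contain that numbered step verbatim, and it points at a wrapper this PR otherwise removes; drop it from the comment body deliberately rather than letting a quoting fix reshuffle it. Once the delimiter is unquoted so that $merge_sha and $contrib expand, an unset variable would still post "Thanks @!" silently; write them as ${merge_sha:?} and ${contrib:?} so the step aborts instead of posting a broken comment.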


Heredoc prevents variable expansion

The heredoc delimiter is single-quoted (<<'EOF'), which suppresses all variable expansion. $merge_sha and $contrib will be printed as literal strings rather than their values. Use an unquoted delimiter (<<EOF) to allow variable interpolation.

Suggested change (before, then after):

gh pr comment <PR> -F - <<'EOF'
Merged via squash.
4. Manual fallback (only if wrapper is unavailable)
- Merge commit: $merge_sha
Thanks @$contrib!
EOF

gh pr comment <PR> -F - <<EOF
Merged via squash.
- Merge commit: $merge_sha
Thanks @$contrib!
EOF
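As an added illustration of the quoting point raised in the comment above (example code written for this page, not from the PR or the openclaw skill files): the same comment body under a single-quoted and an unquoted delimiter, plus a validated variant that refuses to build the body when the merge SHA or contributor is missing. The sample values, the post_merge_comment helper name and the PR number are assumptions; the gh call is left as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example for this page; not code from the PR or the openclaw skill files.
# Shows why <<'EOF' and <<EOF differ, and how to fail loudly on an empty mention.

# Constructed sample values standing in for the real merge commit and contributor.
merge_sha="01d2ad2"
contrib="octocat"

# Single-quoted delimiter: the body is copied literally, so "$merge_sha"
# reaches the PR comment as text. This is the defect the review flagged.
literal_body() {
  cat <<'EOF'
Merged via squash.

- Merge commit: $merge_sha

Thanks @$contrib!
EOF
}

# Unquoted delimiter: parameters expand. ${name:?msg} additionally makes the
# shell exit with an error when the variable is unset or empty, so the step
# aborts instead of posting "Thanks @!".
expanded_body() {
  cat <<EOF
Merged via squash.

- Merge commit: ${merge_sha:?merge_sha must be set}

Thanks @${contrib:?contrib must be set}!
EOF
}

# Returns 0 when no unexpanded parameter reference is left in the text.
body_is_expanded() {
  case "$1" in
    *'$'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Assumed shape for the skill step (hypothetical helper name): take the
# values as arguments, validate the SHA and the handle, build the body, then
# hand it to gh. The gh call is commented out so the example runs offline.
post_merge_comment() {
  pr="$1"; sha="$2"; who="$3"
  case "$sha" in
    "" | *[!0-9a-f]*) echo "post_merge_comment: bad merge sha '$sha'" >&2; return 1 ;;
  esac
  [ -n "$who" ] || { echo "post_merge_comment: contributor is empty" >&2; return 1; }
  body=$(cat <<EOF
Merged via squash.

- Merge commit: $sha

Thanks @$who!
EOF
)
  echo "(would post to PR #$pr)" >&2
  # printf '%s\n' "$body" | gh pr comment "$pr" -F -
  printf '%s\n' "$body"
}

# Stand-alone demo: print both bodies so the difference is visible.
echo "--- single-quoted delimiter (literal, wrong):"
literal_body
echo "--- unquoted delimiter (expands):"
expanded_body
echo "--- validated helper:"
post_merge_comment 16173 "$merge_sha" "$contrib"
```

The validated helper is the shape worth copying into a skill file: arguments instead of ambient globals, a hex check on the SHA so a shell-special string never reaches the comment, and an explicit failure path rather than a silently empty mention.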


5. Push via wrapper (includes pre-push remote verification, one automatic lease-retry path, and post-push API propagation retry).
```sh
cd ~/openclaw
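Review bot: The step text "5. Push via wrapper (includes pre-push remote verification, one automatic lease-retry path, and post-push API propagation retry)" still describes the wrapper, while the rest of this PR replaces the scripts/* wrappers with inline gh commands; either reword the step to the inline push command or state which of those three safeguards the inline flow keeps (a lease-protected push survives as git push --force-with-lease; the pre-push verification and the propagation retry would need to be written out or dropped explicitly).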


Inconsistent base directory path

This uses ~/openclaw while both review-pr/SKILL.md (line 55) and merge-pr/SKILL.md (lines 53, 173) use ~/dev/openclaw. An agent following the three-skill sequence (review-pr -> prepare-pr -> merge-pr) would fail at this step if the repo lives at ~/dev/openclaw.

Suggested change: replace cd ~/openclaw with cd ~/dev/openclaw

hamidzr pushed a commit to hamidzr/openclaw that referenced this pull request Feb 14, 2026
openperf pushed a commit to openperf/moltbot that referenced this pull request Feb 14, 2026
openperf pushed a commit to openperf/moltbot that referenced this pull request Feb 14, 2026
BigUncle pushed a commit to BigUncle/openclaw that referenced this pull request Feb 14, 2026
mverrilli pushed a commit to mverrilli/openclaw that referenced this pull request Feb 14, 2026
GwonHyeok pushed a commit to learners-superpumped/openclaw that referenced this pull request Feb 15, 2026
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 1, 2026
(cherry picked from commit 01d2ad2)

# Conflicts:
#	.agents/skills/PR_WORKFLOW.md
#	.agents/skills/merge-pr/SKILL.md
#	.agents/skills/prepare-pr/SKILL.md
#	.agents/skills/review-pr/SKILL.md
hughdidit pushed a commit to hughdidit/DAISy-Agency that referenced this pull request Mar 3, 2026
(cherry picked from commit 01d2ad2)

# Conflicts:
#	.agents/skills/PR_WORKFLOW.md
#	.agents/skills/merge-pr/SKILL.md
#	.agents/skills/prepare-pr/SKILL.md
#	.agents/skills/review-pr/SKILL.md
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026