
ci: auto-publish changed skills to ClawHub on push to main#1835

Open
WaterrrForever wants to merge 2 commits into
mainfrom
ci/sync-skills-to-clawhub

Conversation

@WaterrrForever

Collaborator

What

Add a GitHub Actions workflow (.github/workflows/sync-skills-to-clawhub.yml) that mirrors this repo's skills to the ClawHub registry. On every push to main that touches skills/**, it runs clawhub sync, which publishes only the skills whose content changed vs. the registry and auto-bumps their patch version. Unchanged skills are a no-op, so the job is safe to run on every push. Also dispatchable manually with a dry_run toggle.

Why

The 19 skills under skills/ are published to ClawHub under the heygen-com publisher, but until now that had to be done by hand from a maintainer's machine after each change — easy to forget, and the registry drifts behind main. This closes the loop so the published catalog tracks main automatically.

How it works

Aspect          Choice
Trigger         push to main filtered to paths: ["skills/**"], plus workflow_dispatch
Publish engine  clawhub sync --all --owner heygen-com — diffs local skills against the registry, publishes only changed ones
Versioning      --bump patch (skills carry no version field in frontmatter; ClawHub tracks semver and auto-increments)
Provenance      --source-repo / --source-commit / --source-ref stamp each release with its GitHub origin
Concurrency     concurrency: clawhub-sync (no cancel) serializes runs so two pushes can't race the same version
Auth            clawhub login --token "$CLAWHUB_TOKEN" from the CLAWHUB_TOKEN repo secret

Supply-chain hygiene consistent with the rest of .github/workflows: actions/checkout + actions/setup-node pinned to the same SHAs used by publish.yml, and clawhub pinned to @0.23.1.

Prerequisite (done)

  • CLAWHUB_TOKEN repo secret is set (a ClawHub API token with publish rights to the heygen-com publisher).

Test plan

  • Dry-run verified locally against the current tree: clawhub sync --all --owner heygen-com --dry-run detects all 19 skills, reports them already synced at their current versions, and correctly reports "Nothing to sync" with no changes — confirming the changed-only detection.
  • permissions: contents: read only; the token is the sole write credential and lives in a secret.
  • After merge: manually dispatch with dry_run: true from the Actions tab to confirm the CI environment authenticates and previews correctly before the first real publish.

Notes

  • The token used to seed the secret was rotated separately; the secret holds the live credential.
  • Default bump is patch. If a skill needs a minor/major release, the workflow_dispatch semantics can be extended later, or publish that skill manually with the desired --bump.

🤖 Generated with Claude Code

Add a GitHub Actions workflow that runs `clawhub sync` whenever skills/**
changes on main, publishing only changed skills to ClawHub
(https://clawhub.ai/heygen-com) under the heygen-com publisher and
auto-bumping the patch version. Unchanged skills are a no-op, so it is
safe to run on every push. Requires the CLAWHUB_TOKEN repo secret.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@miga-heygen miga-heygen left a comment

Contributor


Review: ci: auto-publish changed skills to ClawHub on push to main

Summary: Clean, well-scoped CI workflow to auto-sync skills to ClawHub on main pushes. One issue to fix.

Findings:

  1. sync-skills-to-clawhub.yml:43 (concern): node-version: 24 — rest of the repo standardizes on 22 (every job in ci.yml, publish.yml, etc.). Node 24 is current/latest (not LTS), could introduce subtle behavioral differences. Should be 22 for consistency.
  2. sync-skills-to-clawhub.yml:55 (nit): When triggered by push, github.event.inputs.dry_run is empty/unset, not "false". The if [ "$DRY_RUN" = "true" ] check handles this correctly — but a comment would help future readers.

Security: Clean — CLAWHUB_TOKEN stored as secret, never echoed, passed via env var. Minimal contents: read permissions. Action SHAs pinned to repo-wide commits. clawhub@0.23.1 version-pinned. No user input reaches shell expansion unsafely.

Ponytail: Lean already. Ship. One job, six steps, no matrix, no custom actions. Concurrency guard and dry-run toggle are the right amount of operability.

Verdict: CHANGES_REQUESTED — Fix node-version: 24 → 22 to match the rest of the CI fleet. Everything else is solid.

— Miga

@jrusso1020 jrusso1020 left a comment

Collaborator


Reviewed (review-only — external author, so the stamp routes to James). Layering on Miga, not echoing:

  • +1 on her node-version: 24 → 22 blocker — good catch; the rest of the fleet (ci.yml, publish.yml) is on 22/LTS, and Node 24 is current-not-LTS, so it risks subtle drift.
  • Concur with her security read (token-as-secret, contents: read, SHA-pinned actions). One detail to reinforce it: the handling is specifically injection-safe: CLAWHUB_TOKEN is referenced as "$CLAWHUB_TOKEN" via env (not ${{ secrets.* }} interpolated into the shell), and dry_run is a typed boolean via $DRY_RUN — so no script-injection vector.

Two additional non-blocking notes (not in Miga's pass):

  1. This needs the CLAWHUB_TOKEN repo secret configured — the Authenticate step red-fails at clawhub login without it on the first live main push touching skills/**. Worth confirming it's set.
  2. The "unchanged skills = no-op, safe on every push" guarantee rests entirely on clawhub sync --all --bump patch correctly diffing content vs the registry (not spuriously patch-bumping unchanged skills). Recommend a first workflow_dispatch with dry_run: true to confirm it reports only the actually-changed skills before letting it run live on push.

Once the Node version's fixed (and ideally those two confirmed), it's clean.

Rames Jusso
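The workflow laid out in the PR body's "How it works" table, together with the env-var handling point raised in the review above, as an added illustration that is not the PR's actual .github/workflows/sync-skills-to-clawhub.yml. Only the facts stated on this page are used (triggers, paths filter, dry_run input, contents: read, the clawhub-sync concurrency group without cancel, Node 22, clawhub@0.23.1, and the login/sync flags quoted in the PR). Everything else is an assumption for the example: the two action SHAs are all-zero placeholders standing in for the pins copied from publish.yml, clawhub is assumed to be invoked with npx, the runner image is assumed, and the --source-* values are assumed to come from GitHub's default GITHUB_REPOSITORY, GITHUB_SHA and GITHUB_REF variables.

```yaml
# Added example reconstructed from the PR description; not the PR's own file.
# Assumptions: placeholder action SHAs, npx invocation of clawhub, ubuntu-latest,
# and GITHUB_* default variables as the --source-* provenance values.
name: sync-skills-to-clawhub

on:
  push:
    branches: [main]
    paths: ["skills/**"]
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Preview what would be published without publishing"
        type: boolean
        default: false

# Least privilege: GITHUB_TOKEN can only read the repo. The sole write
# credential is CLAWHUB_TOKEN, a repo secret scoped to the ClawHub publisher.
permissions:
  contents: read

# Serialize runs and never cancel an in-flight one, so two pushes cannot race
# the same patch bump on the registry.
concurrency:
  group: clawhub-sync
  cancel-in-progress: false

jobs:
  sync:
    runs-on: ubuntu-latest   # assumed runner
    steps:
      # Pin actions to full commit SHAs, not mutable tags. The zeros below are
      # placeholders; the real workflow reuses the pins from publish.yml.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          node-version: 22   # matches the rest of the CI fleet (LTS)

      # The secret reaches the shell only as an environment variable. The
      # ${{ }} expression is evaluated into `env`, which is never parsed as
      # shell text, so the token value cannot alter the script.
      #
      # Anti-pattern to avoid (secret spliced into the script before it runs):
      #   run: npx clawhub@0.23.1 login --token "${{ secrets.CLAWHUB_TOKEN }}"
      - name: Authenticate
        env:
          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
        run: npx clawhub@0.23.1 login --token "$CLAWHUB_TOKEN"

      # Same pattern for the dispatch input. On a push event
      # github.event.inputs.dry_run is unset, so $DRY_RUN is empty; the string
      # comparison below then falls through to a live sync, which is intended.
      - name: Sync changed skills
        env:
          DRY_RUN: ${{ github.event.inputs.dry_run }}
        run: |
          set -euo pipefail
          args=(sync --all --owner heygen-com --bump patch
                --source-repo "$GITHUB_REPOSITORY"
                --source-commit "$GITHUB_SHA"
                --source-ref "$GITHUB_REF")
          if [ "$DRY_RUN" = "true" ]; then
            args+=(--dry-run)
          fi
          npx clawhub@0.23.1 "${args[@]}"
```

The two points a reviewer checks here are visible side by side: the write credential and the dispatch input both cross into the shell through `env`, so neither value is ever part of the script text, and the GITHUB_TOKEN itself is read-only, so a compromised or misbehaving clawhub release could at most publish to ClawHub, never push back to the repo.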

Address review on #1835 (Miga): the rest of the CI fleet (ci.yml,
windows-render, player-perf, preview-regression, docs, catalog-previews)
pins setup-node to Node 22 LTS. Node 24 is current, not LTS, and could
introduce subtle differences. Align this workflow to 22.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@miga-heygen miga-heygen left a comment

Contributor


Re-review: ci: auto-publish changed skills to ClawHub on push to main

Node version fixed to 22 in latest commit. Previous concern resolved. No other changes needed.

Verdict: LGTM — Ship it.

— Miga

@miguel-heygen miguel-heygen left a comment

Collaborator


Code re-review after 073fea9b: the Node runtime concern is resolved (node-version: 22), the workflow stays least-privilege (contents: read plus ClawHub token secret), and CI is green. I concur with Miga/Rames on the implementation.

blocker: PR metadata still violates the repo convention gate: the PR body still has the Generated with [Claude Code] footer, and both commits (e650f29e, 073fea9b) still carry Co-Authored-By: Claude Opus 4.8 trailers. Please strip the PR-body footer and amend/rebase the commit messages to remove the generated-tool co-author trailers, then re-push.

Verdict: REQUEST CHANGES
Reasoning: Code is ready after the Node 22 fix, but the generated-tool attribution remains in PR/commit metadata and needs cleanup before approval.

— Magi

4 participants