ci: auto-publish changed skills to ClawHub on push to main#1835
WaterrrForever wants to merge 2 commits into
Add a GitHub Actions workflow that runs `clawhub sync` whenever skills/** changes on main, publishing only changed skills to ClawHub (https://clawhub.ai/heygen-com) under the heygen-com publisher and auto-bumping the patch version. Unchanged skills are a no-op, so it is safe to run on every push. Requires the CLAWHUB_TOKEN repo secret. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
miga-heygen
left a comment
Review: ci: auto-publish changed skills to ClawHub on push to main
Summary: Clean, well-scoped CI workflow to auto-sync skills to ClawHub on main pushes. One issue to fix.
Findings:
| # | Location | Severity | Note |
|---|---|---|---|
| 1 | sync-skills-to-clawhub.yml:43 | concern | node-version: 24 — rest of the repo standardizes on 22 (every job in ci.yml, publish.yml, etc.). Node 24 is current/latest (not LTS), could introduce subtle behavioral differences. Should be 22 for consistency. |
| 2 | sync-skills-to-clawhub.yml:55 | nit | When triggered by push, github.event.inputs.dry_run is empty/unset, not "false". The if [ "$DRY_RUN" = "true" ] check handles this correctly — but a comment would help future readers. |
Security: Clean — CLAWHUB_TOKEN stored as secret, never echoed, passed via env var. Minimal contents: read permissions. Action SHAs pinned to repo-wide commits. clawhub@0.23.1 version-pinned. No user input reaches shell expansion unsafely.
Ponytail: Lean already. Ship. One job, six steps, no matrix, no custom actions. Concurrency guard and dry-run toggle are the right amount of operability.
Verdict: CHANGES_REQUESTED — Fix node-version: 24 → 22 to match the rest of the CI fleet. Everything else is solid.
— Miga
jrusso1020
left a comment
Reviewed (review-only — external author, so the stamp routes to James). Layering on Miga, not echoing:

- +1 on her `node-version: 24→22` blocker — good catch; the rest of the fleet (`ci.yml`, `publish.yml`) is on 22/LTS, and Node 24 is current-not-LTS, so it risks subtle drift.
- Concur with her security read (token-as-secret, `contents: read`, SHA-pinned actions). One detail to reinforce it: the handling is specifically injection-safe — `CLAWHUB_TOKEN` is referenced as `"$CLAWHUB_TOKEN"` via `env` (not `${{ secrets.* }}` interpolated into the shell), and `dry_run` is a typed boolean via `$DRY_RUN` — so no script-injection vector.

Two additional non-blocking notes (not in Miga's pass):

- This needs the `CLAWHUB_TOKEN` repo secret configured — the `Authenticate` step red-fails at `clawhub login` without it on the first live `main` push touching `skills/**`. Worth confirming it's set.
- The "unchanged skills = no-op, safe on every push" guarantee rests entirely on `clawhub sync --all --bump patch` correctly diffing content vs the registry (not spuriously patch-bumping unchanged skills). Recommend a first `workflow_dispatch` with `dry_run: true` to confirm it reports only the actually-changed skills before letting it run live on push.
Once the Node version's fixed (and ideally those two confirmed), it's clean.
— Rames Jusso
Address review on #1835 (Miga): the rest of the CI fleet (ci.yml, windows-render, player-perf, preview-regression, docs, catalog-previews) pins setup-node to Node 22 LTS. Node 24 is current, not LTS, and could introduce subtle differences. Align this workflow to 22. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
miga-heygen
left a comment
Re-review: ci: auto-publish changed skills to ClawHub on push to main
Node version fixed to 22 in latest commit. Previous concern resolved. No other changes needed.
Verdict: LGTM — Ship it.
— Miga
miguel-heygen
left a comment
Code re-review after 073fea9b: the Node runtime concern is resolved (node-version: 22), the workflow stays least-privilege (contents: read plus ClawHub token secret), and CI is green. I concur with Miga/Rames on the implementation.
blocker: PR metadata still violates the repo convention gate: the PR body still has the Generated with [Claude Code] footer, and both commits (e650f29e, 073fea9b) still carry Co-Authored-By: Claude Opus 4.8 trailers. Please strip the PR-body footer and amend/rebase the commit messages to remove the generated-tool co-author trailers, then re-push.
Verdict: REQUEST CHANGES
Reasoning: Code is ready after the Node 22 fix, but the generated-tool attribution remains in PR/commit metadata and needs cleanup before approval.
— Magi
What

Add a GitHub Actions workflow (`.github/workflows/sync-skills-to-clawhub.yml`) that mirrors this repo's skills to the ClawHub registry. On every push to `main` that touches `skills/**`, it runs `clawhub sync`, which publishes only the skills whose content changed vs. the registry and auto-bumps their patch version. Unchanged skills are a no-op, so the job is safe to run on every push. Also dispatchable manually with a `dry_run` toggle.

Why

The 19 skills under `skills/` are published to ClawHub under the `heygen-com` publisher, but until now that had to be done by hand from a maintainer's machine after each change — easy to forget, and the registry drifts behind `main`. This closes the loop so the published catalog tracks `main` automatically.

How it works

- `push` to `main` filtered to `paths: ["skills/**"]`, plus `workflow_dispatch`
- `clawhub sync --all --owner heygen-com` — diffs local skills against the registry, publishes only changed ones
- `--bump patch` (skills carry no version field in frontmatter; ClawHub tracks semver and auto-increments)
- `--source-repo`/`--source-commit`/`--source-ref` stamp each release with its GitHub origin
- `concurrency: clawhub-sync` (no cancel) serializes runs so two pushes can't race the same version
- `clawhub login --token "$CLAWHUB_TOKEN"` from the `CLAWHUB_TOKEN` repo secret

Supply-chain hygiene consistent with the rest of `.github/workflows`: `actions/checkout` + `actions/setup-node` pinned to the same SHAs used by `publish.yml`, and `clawhub` pinned to `@0.23.1`.

Prerequisite (done)

`CLAWHUB_TOKEN` repo secret is set (a ClawHub API token with publish rights to the `heygen-com` publisher).

Test plan

- `clawhub sync --all --owner heygen-com --dry-run` detects all 19 skills, reports them already synced at their current versions, and correctly reports "Nothing to sync" with no changes — confirming the changed-only detection.
- `permissions: contents: read` only; the token is the sole write credential and lives in a secret.
- `dry_run: true` from the Actions tab to confirm the CI environment authenticates and previews correctly before the first real publish.

Notes

- `patch`. If a skill needs a `minor`/`major` release, run `workflow_dispatch` semantics can be extended later, or publish that skill manually with the desired `--bump`.

🤖 Generated with Claude Code
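The workflow the "How it works" section describes, together with the injection-safe secret and input handling Rames calls out in his review, written out as an added example. This is a reconstruction, not the PR's own `sync-skills-to-clawhub.yml`: the action SHAs are placeholders because the page does not list them, and the `npm install -g` step and step names are assumptions.

```yaml
# Added example reconstructing the pattern the PR describes; not the PR's own file.
name: Sync skills to ClawHub
on:
  push:
    branches: [main]
    paths: ["skills/**"]            # only changes under skills/ trigger a sync
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean               # typed input, never free-form text
        default: false

# Serialize runs (no cancel) so two pushes cannot race the same version.
concurrency:
  group: clawhub-sync
  cancel-in-progress: false

# Least privilege: GITHUB_TOKEN can only read the repo. The sole write
# credential is CLAWHUB_TOKEN, which lives in a repo secret.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<PINNED_SHA>    # placeholder: reuse the SHA publish.yml pins
      - uses: actions/setup-node@<PINNED_SHA>  # placeholder: reuse the SHA publish.yml pins
        with:
          node-version: 22                      # LTS, matching the rest of the CI fleet
      - run: npm install -g clawhub@0.23.1      # assumed install step; CLI version-pinned

      # Secret and input reach the shell only through env, never via ${{ ... }}
      # expanded inside the script body, so nothing here is shell-injectable.
      - name: Authenticate
        env:
          CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
        run: clawhub login --token "$CLAWHUB_TOKEN"

      - name: Sync changed skills
        env:
          # Empty/unset on push (not "false"); only the literal "true" enables dry-run.
          DRY_RUN: ${{ github.event.inputs.dry_run }}
        run: |
          extra=""
          if [ "$DRY_RUN" = "true" ]; then extra="--dry-run"; fi
          clawhub sync --all --owner heygen-com --bump patch \
            --source-repo "$GITHUB_REPOSITORY" --source-commit "$GITHUB_SHA" \
            --source-ref "$GITHUB_REF" $extra
```

Running this once via `workflow_dispatch` with `dry_run: true` exercises authentication and the changed-only diff without publishing, which is the check both reviewers ask for before the first live push.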