ci: auto-publish changed skills to ClawHub on push to main#1835
Conversation
miga-heygen
left a comment
There was a problem hiding this comment.
Review: ci: auto-publish changed skills to ClawHub on push to main
Summary: Clean, well-scoped CI workflow to auto-sync skills to ClawHub on main pushes. One issue to fix.
Findings:
| # | Location | Severity | Note |
|---|---|---|---|
| 1 | sync-skills-to-clawhub.yml:43 |
concern | node-version: 24 — rest of the repo standardizes on 22 (every job in ci.yml, publish.yml, etc.). Node 24 is current/latest (not LTS), could introduce subtle behavioral differences. Should be 22 for consistency. |
| 2 | sync-skills-to-clawhub.yml:55 |
nit | When triggered by push, github.event.inputs.dry_run is empty/unset, not "false". The if [ "$DRY_RUN" = "true" ] check handles this correctly — but a comment would help future readers. |
Security: Clean — CLAWHUB_TOKEN stored as secret, never echoed, passed via env var. Minimal contents: read permissions. Action SHAs pinned to repo-wide commits. clawhub@0.23.1 version-pinned. No user input reaches shell expansion unsafely.
Ponytail: Lean already. Ship. One job, six steps, no matrix, no custom actions. Concurrency guard and dry-run toggle are the right amount of operability.
Verdict: CHANGES_REQUESTED — Fix node-version: 24 → 22 to match the rest of the CI fleet. Everything else is solid.
— Miga
jrusso1020
left a comment
There was a problem hiding this comment.
Reviewed (review-only — external author, so the stamp routes to James). Layering on Miga, not echoing:
- +1 on her
node-version: 24→22blocker — good catch; the rest of the fleet (ci.yml,publish.yml) is on 22/LTS, and Node 24 is current-not-LTS, so it risks subtle drift. - Concur with her security read (token-as-secret,
contents: read, SHA-pinned actions). One detail to reinforce it: the handling is specifically injection-safe —CLAWHUB_TOKENis referenced as"$CLAWHUB_TOKEN"viaenv(not${{ secrets.* }}interpolated into the shell), anddry_runis a typed boolean via$DRY_RUN— so no script-injection vector.
Two additional non-blocking notes (not in Miga's pass):
- This needs the
CLAWHUB_TOKENrepo secret configured — theAuthenticatestep red-fails atclawhub loginwithout it on the first livemainpush touchingskills/**. Worth confirming it's set. - The "unchanged skills = no-op, safe on every push" guarantee rests entirely on
clawhub sync --all --bump patchcorrectly diffing content vs the registry (not spuriously patch-bumping unchanged skills). Recommend a firstworkflow_dispatchwithdry_run: trueto confirm it reports only the actually-changed skills before letting it run live on push.
Once the Node version's fixed (and ideally those two confirmed), it's clean.
— Rames Jusso
Address review on #1835 (Miga): the rest of the CI fleet (ci.yml, windows-render, player-perf, preview-regression, docs, catalog-previews) pins setup-node to Node 22 LTS. Node 24 is current, not LTS, and could introduce subtle differences. Align this workflow to 22. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
miga-heygen
left a comment
There was a problem hiding this comment.
Re-review: ci: auto-publish changed skills to ClawHub on push to main
Node version fixed to 22 in latest commit. Previous concern resolved. No other changes needed.
Verdict: LGTM — Ship it.
— Miga
miguel-heygen
left a comment
There was a problem hiding this comment.
Code re-review after 073fea9b: the Node runtime concern is resolved (node-version: 22), the workflow stays least-privilege (contents: read plus ClawHub token secret), and CI is green. I concur with Miga/Rames on the implementation.
blocker: PR metadata still violates the repo convention gate: the PR body still has the Generated with [Claude Code] footer, and both commits (e650f29e, 073fea9b) still carry Co-Authored-By: Claude Opus 4.8 trailers. Please strip the PR-body footer and amend/rebase the commit messages to remove the generated-tool co-author trailers, then re-push.
Verdict: REQUEST CHANGES
Reasoning: Code is ready after the Node 22 fix, but the generated-tool attribution remains in PR/commit metadata and needs cleanup before approval.
— Magi
Add a GitHub Actions workflow that runs `clawhub sync` whenever skills/** changes on main, publishing only changed skills to ClawHub (https://clawhub.ai/heygen-com) under the heygen-com publisher and auto-bumping the patch version. Unchanged skills are a no-op, so it is safe to run on every push. Requires the CLAWHUB_TOKEN repo secret.
Address review on #1835 (Miga): the rest of the CI fleet (ci.yml, windows-render, player-perf, preview-regression, docs, catalog-previews) pins setup-node to Node 22 LTS. Node 24 is current, not LTS, and could introduce subtle differences. Align this workflow to 22.
073fea9 to
7ddb8a3
Compare
miga-heygen
left a comment
There was a problem hiding this comment.
Re-review — ci: auto-publish changed skills to ClawHub on push to main
Verdict: LGTM ✅
Node version fixed from 24 to 22, matching the CI fleet's LTS pin. Everything else looks the same as last review — single workflow file, permissions: contents: read only, concurrency serialization, actions pinned to the same SHAs as publish.yml, clawhub@0.23.1 pinned. Ship it.
— Miga
miguel-heygen
left a comment
There was a problem hiding this comment.
Clean latest diff: the workflow is scoped to skills/** pushes plus manual dispatch, serializes publish runs, keeps repo permissions to contents: read, pins the third-party actions by SHA, uses Node 22 to match the CI fleet, and keeps the ClawHub token only in the login step env. CI is green at 7ddb8a33.
No blockers found in the latest workflow diff.
Verdict: APPROVE
Reasoning: The prior Node-version concern is resolved, the workflow is narrowly scoped and least-privileged, and the latest checks are green.
— Magi
What
Add a GitHub Actions workflow (
.github/workflows/sync-skills-to-clawhub.yml) that mirrors this repo's skills to the ClawHub registry. On every push tomainthat touchesskills/**, it runsclawhub sync, which publishes only the skills whose content changed vs. the registry and auto-bumps their patch version. Unchanged skills are a no-op, so the job is safe to run on every push. Also dispatchable manually with adry_runtoggle.Why
The 19 skills under
skills/are published to ClawHub under theheygen-compublisher, but until now that had to be done by hand from a maintainer's machine after each change — easy to forget, and the registry drifts behindmain. This closes the loop so the published catalog tracksmainautomatically.How it works
pushtomainfiltered topaths: ["skills/**"], plusworkflow_dispatchclawhub sync --all --owner heygen-com— diffs local skills against the registry, publishes only changed ones--bump patch(skills carry no version field in frontmatter; ClawHub tracks semver and auto-increments)--source-repo/--source-commit/--source-refstamp each release with its GitHub originconcurrency: clawhub-sync(no cancel) serializes runs so two pushes can't race the same versionclawhub login --token "$CLAWHUB_TOKEN"from theCLAWHUB_TOKENrepo secretSupply-chain hygiene consistent with the rest of
.github/workflows:actions/checkout+actions/setup-nodepinned to the same SHAs used bypublish.yml, andclawhubpinned to@0.23.1.Prerequisite (done)
CLAWHUB_TOKENrepo secret is set (a ClawHub API token with publish rights to theheygen-compublisher).Test plan
clawhub sync --all --owner heygen-com --dry-rundetects all 19 skills, reports them already synced at their current versions, and correctly reports "Nothing to sync" with no changes — confirming the changed-only detection.permissions: contents: readonly; the token is the sole write credential and lives in a secret.dry_run: truefrom the Actions tab to confirm the CI environment authenticates and previews correctly before the first real publish.Notes
CLAWHUB_TOKENrepo secret holds the live credential; rotate it (ClawHub → regenerate →gh secret set CLAWHUB_TOKEN) on any suspected exposure.patch. If a skill needs aminor/majorrelease,workflow_dispatchsemantics can be extended later, or publish that skill manually with the desired--bump.