From c35210ad31a68b0a428e7cc89731dea8fd08a89d Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 00:30:13 -0700 Subject: [PATCH 1/6] chore(security): add protected automation owners --- .github/CODEOWNERS | 11 +++++++++++ .github/dependabot.yml | 13 +++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/dependabot.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..fc19136 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,11 @@ +# Protect ownership and automation rules. +/.github/CODEOWNERS @openclaw/openclaw-secops +/.github/dependabot.yml @openclaw/openclaw-secops +/.github/workflows/ @openclaw/openclaw-secops + +# Release and package integrity surfaces. +/.goreleaser.yaml @openclaw/openclaw-secops +/go.mod @openclaw/openclaw-secops +/go.sum @openclaw/openclaw-secops +/scripts/*release* @openclaw/openclaw-secops +/scripts/*publish* @openclaw/openclaw-secops diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..e1b6fae --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 10 + + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + open-pull-requests-limit: 10 From 43d9491b8164b6445a6e3218dec6de434d04fdb8 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 00:30:14 -0700 Subject: [PATCH 2/6] chore(ci): add CodeQL analysis --- .github/workflows/codeql.yml | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..8f14673 --- /dev/null +++ b/.github/workflows/codeql.yml 
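Review bot: The CODEOWNERS entries only gate merges when the branch ruleset requires review from code owners, and nothing in this commit enables that requirement, so until it is switched on in repository settings every line here (including the self-protecting `/.github/CODEOWNERS` entry) is advisory rather than "protected" as the subject line claims. `*` in a CODEOWNERS pattern does not cross directory boundaries, so `/scripts/*release*` and `/scripts/*publish*` only match files directly under `scripts/`; if release helpers live in a subdirectory, `/scripts/**/*release*` and `/scripts/**/*publish*` would be needed. `/.github/workflows/` also leaves `/.github/actions/` (composite actions, if the repository has any) outside the owned automation surface. A header comment such as `# Only enforced while the ruleset on main requires review from code owners.` would record that dependency for future readers.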
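Review bot: Neither `updates` entry defines `groups`, so with `open-pull-requests-limit: 10` each ecosystem can open up to ten separate PRs per week, and every one of them lands on @openclaw/openclaw-secops via the CODEOWNERS added in the same patch (go.mod, go.sum and .github/workflows/ are all owned). A `groups:` stanza per ecosystem, for example one with `update-types: [minor, patch]`, keeps the review load to a PR or two a week while still surfacing major bumps individually. The workflows added later in this series reference actions by major tag (`@v6`, `@v10`), so `github-actions` updates will only fire on a new major; pinning them to a commit SHA with a version comment gives integrity against tag rewrites and Dependabot keeps such pins current.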
@@ -0,0 +1,37 @@ +name: CodeQL + +on: + pull_request: + push: + branches: + - main + schedule: + - cron: "23 4 * * 1" + workflow_dispatch: + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: analyze + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Setup Go + uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: go + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 From 94a25db94ac4e7e0fa58afc515facc16a1564216 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 00:30:16 -0700 Subject: [PATCH 3/6] chore(ci): add stale issue automation --- .github/workflows/stale.yml | 86 +++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/stale.yml diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 0000000..74ad25c --- /dev/null +++ b/.github/workflows/stale.yml 
@@ -0,0 +1,86 @@ +name: Stale + +on: + schedule: + - cron: "21 4 * * *" + workflow_dispatch: + +permissions: {} + +jobs: + stale: + permissions: + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Mark stale unassigned issues and pull requests + uses: actions/stale@v10 + with: + days-before-issue-stale: 14 + days-before-issue-close: 7 + days-before-pr-stale: 14 + days-before-pr-close: 7 + stale-issue-label: stale + stale-pr-label: stale + exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale + exempt-pr-labels: maintainer,no-stale + operations-per-run: 1000 + ascending: true + exempt-all-assignees: true + remove-stale-when-updated: true + stale-issue-message: | + This issue has been automatically marked as stale due to inactivity. + Please add updated gitcrawl details or it will be closed. + stale-pr-message: | + This pull request has been automatically marked as stale due to inactivity. + Please update it or it will be closed. + close-issue-message: | + Closing due to inactivity. + If this still affects gitcrawl, open a new issue with current reproduction details. + close-issue-reason: not_planned + close-pr-message: | + Closing due to inactivity. + If this PR should be revived, reopen it with current context and validation. + + - name: Mark stale assigned issues + uses: actions/stale@v10 + with: + days-before-issue-stale: 30 + days-before-issue-close: 10 + days-before-pr-stale: -1 + days-before-pr-close: -1 + stale-issue-label: stale + exempt-issue-labels: enhancement,maintainer,pinned,security,no-stale + operations-per-run: 1000 + ascending: true + include-only-assigned: true + remove-stale-when-updated: true + stale-issue-message: | + This assigned issue has been automatically marked as stale after 30 days of inactivity. + Please add an update or it will be closed. + close-issue-message: | + Closing due to inactivity. + If this still affects gitcrawl, reopen or file a new issue with current evidence. 
+ close-issue-reason: not_planned + + - name: Mark stale assigned pull requests + uses: actions/stale@v10 + with: + days-before-issue-stale: -1 + days-before-issue-close: -1 + days-before-pr-stale: 27 + days-before-pr-close: 7 + stale-pr-label: stale + exempt-pr-labels: maintainer,no-stale + operations-per-run: 1000 + ascending: true + include-only-assigned: true + ignore-pr-updates: true + remove-stale-when-updated: true + stale-pr-message: | + This assigned pull request has been automatically marked as stale after being open for 27 days. + Please add an update or it will be closed. + close-pr-message: | + Closing due to inactivity. + If this PR should be revived, reopen it with current context and validation. From ad2a4344a6e987d902848f14126788dcf2f92d73 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 00:42:35 -0700 Subject: [PATCH 4/6] chore(ci): rely on CodeQL default setup --- .github/workflows/codeql.yml | 37 ------------------------------------ 1 file changed, 37 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 8f14673..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: CodeQL - -on: - pull_request: - push: - branches: - - main - schedule: - - cron: "23 4 * * 1" - workflow_dispatch: - -permissions: - actions: read - contents: read - security-events: write - -jobs: - analyze: - name: analyze - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v6 - - - name: Setup Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - cache: true - - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: go - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 From f205d3abe44ff73f6dc02d21d0e70e4ded8526a1 Mon Sep 17 00:00:00 2001 
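Review bot: `exempt-pr-labels: maintainer,no-stale` in the first and third `actions/stale@v10` steps omits `security`, while the matching `exempt-issue-labels` lists include it, so a pull request labelled `security` (a fix for a reported vulnerability, say) can be marked stale and auto-closed after 21 or 34 quiet days; `exempt-pr-labels: maintainer,security,no-stale` in both steps restores the symmetry. Separately, the third step combines `ignore-pr-updates: true` with `remove-stale-when-updated: true`; as far as I can tell from the action's options these pull in opposite directions (an update does not reset the idle clock but does strip the label), which could leave an updated PR flipping between stale and not — confirm against the v10 documentation and keep only the intended one. Three sequential passes with `operations-per-run: 1000` each draw on the same GITHUB_TOKEN budget for the run, which deserves a comment above the job, e.g. `# Three stale passes share one token's rate limit; lower operations-per-run if runs start to abort.`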
From: Vincent Koc Date: Wed, 6 May 2026 01:37:03 -0700 Subject: [PATCH 5/6] chore: add Go repository hygiene files --- .editorconfig | 12 ++++++++++++ .gitattributes | 6 ++++++ 2 files changed, 18 insertions(+) create mode 100644 .editorconfig create mode 100644 .gitattributes diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..383e82a --- /dev/null +++ b/.editorconfig @@ -0,0 +1,12 @@ +root = true + +[*] +charset = utf-8 +end_of_line = lf +insert_final_newline = true +indent_style = tab +indent_size = 4 + +[*.{md,yml,yaml,json,toml}] +indent_style = space +indent_size = 2 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..7bde2fb --- /dev/null +++ b/.gitattributes @@ -0,0 +1,6 @@ +* text=auto +*.go text eol=lf +*.md text eol=lf +*.toml text eol=lf +*.yml text eol=lf +*.yaml text eol=lf From a4ab91b035da657a12c2a960c37332b1e0ab6bc0 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Wed, 6 May 2026 01:37:04 -0700 Subject: [PATCH 6/6] chore(security): add verified secret scanning --- .github/workflows/secret-scan.yml | 63 +++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/secret-scan.yml diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml new file mode 100644 index 0000000..835e307 --- /dev/null +++ b/.github/workflows/secret-scan.yml 
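Review bot: `.gitattributes` pins `eol=lf` for Go, Markdown, TOML and YAML but not for shell scripts, even though the CODEOWNERS in patch 1 protects `/scripts/*release*` and `/scripts/*publish*` (presumably shell scripts — confirm); a script checked out with CRLF on a Windows contributor's machine fails at the shebang, so `*.sh text eol=lf` is cheap insurance. The `.editorconfig` section `[*.{md,yml,yaml,json,toml}]` covers JSON while `.gitattributes` lists no `*.json`; `* text=auto` still normalises it on commit, so this is a consistency nit rather than a defect.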
@@ -0,0 +1,63 @@ +name: "Security Gate: Secret Scanning" + +on: + push: + branches: ["**"] + pull_request: + branches: [main, master] + +permissions: {} + +jobs: + trufflehog: + name: Scan for Verified Secrets + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + fetch-depth: 0 + + - name: Resolve scan range + id: scan_range + env: + EVENT_NAME: ${{ github.event_name }} + PR_BASE_SHA: ${{ github.event.pull_request.base.sha }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + PUSH_BASE_SHA: ${{ github.event.before }} + PUSH_HEAD_SHA: ${{ github.sha }} + DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + run: | + set -euo pipefail + zero_sha="0000000000000000000000000000000000000000" + + if [[ "$EVENT_NAME" == "pull_request" ]]; then + base="$PR_BASE_SHA" + head="$PR_HEAD_SHA" + else + base="$PUSH_BASE_SHA" + head="$PUSH_HEAD_SHA" + if [[ -z "$base" || "$base" == "$zero_sha" ]]; then + base="origin/$DEFAULT_BRANCH" + fi + fi + + echo "base=$base" >> "$GITHUB_OUTPUT" + echo "head=$head" >> "$GITHUB_OUTPUT" + + - name: TruffleHog OSS + id: trufflehog + uses: trufflesecurity/trufflehog@v3.95.2 + with: + path: ./ + base: ${{ steps.scan_range.outputs.base }} + head: ${{ steps.scan_range.outputs.head }} + extra_args: --only-verified --debug + + - name: Notify on failure + if: steps.trufflehog.outcome == 'failure' + run: | + echo "::error::Verified secrets found. Rotate the credential before merging." + exit 1
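Review bot: The `Notify on failure` step never runs: its condition `steps.trufflehog.outcome == 'failure'` contains no status function, so GitHub prepends an implicit `success()`, which is false once the TruffleHog step has failed the job, and the `::error::` annotation telling the author to rotate the credential is skipped. Either change the condition to `if: failure() && steps.trufflehog.outcome == 'failure'` or add `continue-on-error: true` to the TruffleHog step (the `exit 1` then still fails the job). In `Resolve scan range`, `github.event.before` on a force push names a commit that is usually no longer reachable from the fetched refs, so `base` points at a missing object and the scan errors out on exactly the kind of push most likely to be rewriting history; extending the fallback to `if [[ -z "$base" || "$base" == "$zero_sha" ]] || ! git cat-file -e "$base^{commit}" 2>/dev/null; then` keeps the job working there. For a secret scanner whose run logs may be readable by everyone with access to the repository, `--debug` in `extra_args` is worth removing once the workflow is stable, and `trufflesecurity/trufflehog@v3.95.2` and `actions/checkout@v6` would benefit from commit-SHA pinning given this job's purpose.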