fix: add workflow permissions and npm provenance

[evansantos]

Changes

• ci.yml: Add top-level permissions: contents: read — fixes code scanning alerts (Blocked: Active optimization requires OpenClaw hook mutation support #1, feat: integrate ClawRouter for intelligent model routing #2)
• publish.yml: Add id-token: write permission + --provenance flag — fixes npm OTP error (EOTP) by using provenance-based publish (no OTP needed with granular access tokens)
• ci.yml: Fix build-check job using Node 20 → Node 22

Fixes

• Resolves code scanning alert: actions/missing-workflow-permissions (medium severity)
• Resolves publish workflow failure: npm error code EOTP

Note: The NPM_TOKEN secret must be a granular access token (not legacy/classic) for provenance to work. If still using a classic token with 2FA, regenerate as granular at https://www.npmjs.com/settings/tokens

---

🐕 GitSniff Summary

What this PR does

This PR improves the CI/CD pipeline by adding necessary workflow permissions to ci.yml and publish.yml, resolving code scanning alerts and enabling npm provenance for a more secure publishing process. It also updates the Node.js version used in ci.yml from 20 to 22, ensuring consistency with the project's development environment.

Key Changes

• Add permissions: contents: read to ci.yml to resolve code scanning alerts.
• Update publish.yml with id-token: write permission and --provenance flag for secure npm publishing.
• Fix the build-check job in ci.yml to use Node.js 22 instead of Node.js 20.
• Add npm audit --omit=dev --audit-level=high to the test job in ci.yml for vulnerability checks.

Review Score: Good 🟢

Warning

1 security issue detected - see review comments for details.

_{🐕 Reviewed by GitSniff}

[gitsniff]

Score: Excellent ✅

The pull request improves the CI/CD workflows by setting appropriate permissions for GitHub Actions and enabling npm provenance for publishing. The CI workflow now explicitly requests contents: read permissions to resolve code scanning alerts and updates Node.js to version 22 for the build check job. The publish workflow gains id-token: write permission and utilizes the --provenance flag for npm publish, addressing OTP errors and enhancing package security.

Warning

Security issues detected - review inline comments before merging.

2 findings posted as inline comments below.

_{Review completed in 42s | Basic Plan | Gemini 2.5 Flash}

[gitsniff]

ℹ️ Info

The build-check job uses Node.js 22.x, but the lint, typecheck, and security jobs explicitly set node-version: ${{ env.NODE_VERSION }}, which is defined as 22 at the workflow level. For consistency and to avoid potential discrepancies, all jobs should reference the NODE_VERSION environment variable. This ensures a single source of truth for the Node.js version across the CI.

Fix: Modify the build-check job to use node-version: ${{ env.NODE_VERSION }} instead of a hardcoded '22.x'. This makes the Node.js version consistent across all jobs that use it and simplifies future updates.

Suggested change

	- name: Use Node.js 22.x
	uses: actions/setup-node@v4
	with:
	node-version: '20.x'
	node-version: '22.x'
	- name: Use Node.js ${{ env.NODE_VERSION }}
	uses: actions/setup-node@v4
	with:
	node-version: ${{ env.NODE_VERSION }}

[gitsniff]

⚠️ Security

The ci.yml workflow specifies permissions for pull_request events, but not for push events. While contents: read is a sensible default, it's good practice to explicitly define permissions for all trigger events if they differ or if default permissions are insufficient for certain jobs. This ensures consistent and explicit permission management.

Fix: Add a permissions: block directly under the on:push: event or at the top-level on: block to cover all events where permissions might be required. In this case, contents: read is likely sufficient for the push event as well.

[gitsniff]

Score: Excellent ✅

This PR addresses workflow permission issues and updates the Node.js version in CI, improving security and build reliability. The changes are straightforward and directly resolve the stated problems.

Warning

Security issues detected - review inline comments before merging.

2 findings posted as inline comments below.

_{Review completed in 48s | Basic Plan | Gemini 2.5 Flash}

[gitsniff]

🟡 Warning

The current CI workflow for ci.yml is triggered only on pull_request events for main and develop branches. This means that direct pushes to these branches, or any other branch, will not trigger the CI workflow. This can lead to situations where code is pushed directly to the main or develop branch without being fully tested by the CI pipeline, potentially introducing regressions or untested code.

Fix: Add push events as a trigger for the CI workflow to ensure that all pushes to the specified branches (main, develop) also run the CI checks. This provides more comprehensive testing and prevents untested code from being merged or deployed. It also provides immediate feedback on the health of the branch after a direct push.

🤖 Prompt for AI Agents

In .github/workflows/ci.yml around line 6:

Issue: The current CI workflow for `ci.yml` is triggered only on `pull_request` events for `main` and `develop` branches. This means that direct pushes to these branches, or any other branch, will not trigger the CI workflow. This can lead to situations where code is pushed directly to the main or develop branch without being fully tested by the CI pipeline, potentially introducing regressions or untested code.

Add `push` events as a trigger for the CI workflow to ensure that all pushes to the specified branches (main, develop) also run the CI checks. This provides more comprehensive testing and prevents untested code from being merged or deployed. It also provides immediate feedback on the health of the branch after a direct push.

Replace with:
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

[gitsniff]

⚠️ Security

The npm audit command is used to check for vulnerabilities, and currently, it allows the workflow to proceed even if vulnerabilities are found by echoing a warning. While this prevents the CI from failing due to minor vulnerabilities, it might lead to overlooking critical security issues if not explicitly configured to fail on high or critical vulnerabilities. For a high strictness level, it's recommended that npm audit should fail the build if critical or high severity vulnerabilities are detected, ensuring that all security-related issues are addressed before deployment.

Fix: Consider configuring npm audit to fail on high or critical severity vulnerabilities. This can be achieved by removing || echo "::warning::npm audit found vulnerabilities (see above)" and relying on the default exit code of npm audit, or by adding a specific flag like --audit-level=high if available in the npm version being used. If npm audit does not support this level of granularity directly, consider using npm audit --json and parsing the output to enforce a specific failure threshold.

[gitsniff]

Score: Excellent ✅

This PR addresses critical CI/CD pipeline issues by adjusting GitHub Actions permissions, enabling npm provenance for publishing, and updating Node.js versions for consistency. The changes are well-justified and resolve identified security and publishing failures.

2 findings posted as inline comments below.

_{Review completed in 23s | Basic Plan | Gemini 2.5 Flash}

[gitsniff]

🟡 Warning

The npm audit command is modified to issue a warning for all vulnerabilities that are not of 'high' severity. While this prevents CI from failing on lower severity issues, it might obscure visibility into 'moderate' and 'low' severity vulnerabilities, which could still pose risks or accumulate over time if not addressed. It's important to understand the project's policy on these.

Fix: Consider explicitly setting an --audit-level that aligns with the project's security policy. For example, --audit-level=moderate would warn on moderate and high issues, providing better visibility while still allowing builds to pass for low-severity findings. Alternatively, add a comment explaining the rationale for ignoring non-high vulnerabilities.

Suggested change

	run: npm audit --omit=dev --audit-level=high || echo "::warning::npm audit found vulnerabilities (see above)"
	run: npm audit --omit=dev --audit-level=moderate || echo "::warning::npm audit found vulnerabilities (see above)"

[gitsniff]

ℹ️ Info

The comment # matches test job on line 69 is redundant given the explicit node-version: '22.x' directly above it. The purpose of this change is to ensure consistency, and the comment doesn't add significant value beyond what the code itself conveys.

Fix: Remove the redundant comment # matches test job as the intention is clear from the adjacent code, adhering to the principle of self-documenting code and minimizing comment cruft.

Suggested change

	node-version: '22.x' # matches test job
	node-version: '22.x'

[evansantos]

All GitSniff findings addressed in 7e42f54:

• ✅ env.NODE_VERSION as single source of truth — both jobs reference it, removed matrix strategy
• ✅ --audit-level=high — fails on high/critical, warns on moderate (openclaw host dep has moderate advisory we can't fix from plugin side)
• ℹ️ push trigger already existed — false positive
• ℹ️ Top-level permissions block covers both push and PR events
• ✅ Removed redundant comment and stale matrix.node-version reference

[gitsniff]

Score: Good ✅

The PR addresses critical CI/CD issues by enhancing workflow permissions, fixing npm provenance, and updating Node.js versions. While these changes improve security and reliability, there are inconsistencies in how npm audit is handled across workflows and a potential for dependency installation issues due to differing package managers.

Warning

Security issues detected - review inline comments before merging.

3 findings posted as inline comments below.

_{Review completed in 1m 27s | Basic Plan | Gemini 2.5 Flash}

[gitsniff]

🔴 Error

The ci.yml workflow uses npm ci to install dependencies, but the project's README.md and other configuration might suggest pnpm. Inconsistent package manager usage can lead to different dependency trees, build failures, or unexpected behavior between local development and CI environments.

Fix: Standardize on a single package manager for the project. If pnpm is the intended package manager, update ci.yml to use pnpm install --frozen-lockfile. If npm is preferred, ensure all project documentation and developer setup instructions reflect this.

Suggested change

	run: npm ci
	run: pnpm install --frozen-lockfile

[gitsniff]

ℹ️ Info

The condition if: matrix.node-version == '22.x' for uploading coverage to Codecov is now redundant. With the removal of the build matrix and a single Node.js version set in env.NODE_VERSION, this condition will always evaluate to true (or the equivalent of always running), and it is no longer necessary to explicitly check the Node.js version.

Fix: Remove the redundant if: condition from the Codecov action, as it no longer serves a purpose with the simplified Node.js versioning.

Suggested change

	uses: codecov/codecov-action@v3
	uses: codecov/codecov-action@v3

[gitsniff]

⚠️ Security

The npm audit command is configured to emit a warning for any vulnerabilities found, but it doesn't fail the job directly. This can lead to vulnerabilities being overlooked, especially if the warning is missed in the logs. It's generally better to fail the build on high-severity vulnerabilities to enforce security.

Fix: Consider making the npm audit step fail the job if high-severity vulnerabilities are found. This ensures that security issues are addressed promptly. If a warning is acceptable for certain levels, configure the --audit-level accordingly.

[evansantos]

Responding to GitSniff round 4 (commit 7e42f54):

🔴 Error — npm ci vs pnpm: False positive. Project uses npm — package-lock.json exists, no pnpm-lock.yaml. npm ci is correct.

⚠️ Security — audit warning: Already addressed in previous commits. --audit-level=high ensures high/critical vulns fail the build. The moderate advisory is from the openclaw host package (GHSA-6c9j-x93c-rw6j) — not actionable from plugin side.

ℹ️ Info — redundant matrix condition on Codecov: Already removed in this commit. → Issue #20 created.