github-openclaw-intelligence-agent.yml

# ╔══════════════════════════════════════════════════════════════════════════════╗
# ║  OpenClaw Intelligence — Agent Workflow (Version 1.1.0)                      ║
# ║                                                                              ║
# ║  A standalone tool-rich AI agent that lives inside your GitHub repository.   ║
# ║  OpenClaw responds to `@`.                                                   ║
# ║                                                                              ║
# ║  WHAT THIS WORKFLOW CONTAINS (two jobs):                                     ║
# ║    run-install   — Self-installer and upgrader (workflow_dispatch only).     ║
# ║    run-agent     — AI agent that responds to issues, pull requests, and      ║
# ║                    comments on `@`, plus scheduled maintenance.              ║
# ║                                                                              ║
# ║  Docs: https://github.com/japer-technology/github-openclaw-intelligence      ║
# ╚══════════════════════════════════════════════════════════════════════════════╝

name: github-openclaw-intelligence-agent

# ──────────────────────────────────────────────────────────────────────────────
# TRIGGERS
# ──────────────────────────────────────────────────────────────────────────────
on:
  # 1. A new issue is opened → the agent reads it if the title starts with `@`.
  issues:
    types: [opened]

  # 2. A comment is added → the agent responds if the comment body starts with `@`.
  #    (PRs are issues, so PR conversation comments arrive as issue_comment too.)
  issue_comment:
    types: [created]

  # 3. A pull request is opened → the agent reads it if the title starts with `@`.
  pull_request:
    types: [opened]

  # 4. A pull-request review is submitted → respond if the review body starts with `@`.
  pull_request_review:
    types: [submitted]

  # 5. A pull-request review comment is added → respond if the body starts with `@`.
  pull_request_review_comment:
    types: [created]

  # 6. Scheduled maintenance → the agent runs housekeeping with no originating issue.
  #    GitHub Actions cron timing is approximate (runs may be delayed 5–60 min).
  schedule:
    - cron: "17 6 * * 1"   # Weekly, Mondays ~06:17 UTC

  # 7. Manual "Run workflow" button → installs or upgrades the agent folder.
  workflow_dispatch:

# ──────────────────────────────────────────────────────────────────────────────
# PERMISSIONS
# ──────────────────────────────────────────────────────────────────────────────
permissions:
  contents: write
  issues: write
  pull-requests: write
  actions: write

# ══════════════════════════════════════════════════════════════════════════════
# JOBS
# ══════════════════════════════════════════════════════════════════════════════
jobs:

  # ────────────────────────────────────────────────────────────────────────────
  # JOB 1 — run-install
  #
  # Purpose : Self-installer and upgrader. Creates the
  #           `.github-openclaw-intelligence/` folder and its contents.
  # Trigger : workflow_dispatch (manual "Run workflow" button only).
  # ────────────────────────────────────────────────────────────────────────────
  run-install:
    runs-on: ubuntu-latest
    if: >-
      github.event_name == 'workflow_dispatch'
      && github.repository != 'japer-technology/github-openclaw-intelligence'
    steps:

      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}

      - name: Check for .github-openclaw-intelligence
        id: check-folder
        run: |
          if [ ! -d ".github-openclaw-intelligence" ]; then
            echo "action=install" >> "$GITHUB_OUTPUT"
            echo "📦 .github-openclaw-intelligence not found — will install."
          else
            LOCAL_VERSION="0.0.0"
            if [ -f ".github-openclaw-intelligence/VERSION" ]; then
              LOCAL_VERSION=$(tr -d '[:space:]' < .github-openclaw-intelligence/VERSION)
            fi

            REMOTE_VERSION=$(curl -fsSL "https://raw.githubusercontent.com/japer-technology/github-openclaw-intelligence/main/.github-openclaw-intelligence/VERSION" | tr -d '[:space:]' || true)

            if [ -z "$REMOTE_VERSION" ]; then
              echo "::warning::Could not fetch remote VERSION — skipping upgrade check."
              echo "action=skip" >> "$GITHUB_OUTPUT"
              exit 0
            fi

            echo "Local VERSION:  $LOCAL_VERSION"
            echo "Remote VERSION: $REMOTE_VERSION"

            SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+$'
            if ! [[ "$LOCAL_VERSION" =~ $SEMVER_RE ]] || ! [[ "$REMOTE_VERSION" =~ $SEMVER_RE ]]; then
              echo "::warning::VERSION format is not valid semver — skipping upgrade check."
              echo "action=skip" >> "$GITHUB_OUTPUT"
              exit 0
            fi

            IFS='.' read -r L_MAJOR L_MINOR L_PATCH <<< "$LOCAL_VERSION"
            IFS='.' read -r R_MAJOR R_MINOR R_PATCH <<< "$REMOTE_VERSION"

            NEEDS_UPGRADE=false
            if [ "$R_MAJOR" -gt "$L_MAJOR" ]; then
              NEEDS_UPGRADE=true
            elif [ "$R_MAJOR" -eq "$L_MAJOR" ] && [ "$R_MINOR" -gt "$L_MINOR" ]; then
              NEEDS_UPGRADE=true
            elif [ "$R_MAJOR" -eq "$L_MAJOR" ] && [ "$R_MINOR" -eq "$L_MINOR" ] && [ "$R_PATCH" -gt "$L_PATCH" ]; then
              NEEDS_UPGRADE=true
            fi

            if [ "$NEEDS_UPGRADE" = true ]; then
              echo "action=upgrade" >> "$GITHUB_OUTPUT"
              echo "⬆️  Upgrade available: $LOCAL_VERSION → $REMOTE_VERSION"
            else
              echo "action=skip" >> "$GITHUB_OUTPUT"
              echo "✅ Local version ($LOCAL_VERSION) >= remote version ($REMOTE_VERSION) — nothing to do."
            fi
          fi

      - name: Download and install from template
        if: steps.check-folder.outputs.action != 'skip'
        run: |
          set -euo pipefail

          ACTION="${{ steps.check-folder.outputs.action }}"
          TARGET=".github-openclaw-intelligence"

          curl -fsSL "https://github.com/japer-technology/github-openclaw-intelligence/archive/refs/heads/main.zip" \
            -o /tmp/template.zip
          unzip -q /tmp/template.zip -d /tmp/template

          EXTRACTED=$(ls -d /tmp/template/github-openclaw-intelligence-*)

          rm -rf "$EXTRACTED/$TARGET/node_modules"
          rm -rf "$EXTRACTED/$TARGET/docs/analysis"

          if [ "$ACTION" = "upgrade" ]; then
            BACKUP="/tmp/oci-backup"
            mkdir -p "$BACKUP"
            [ -f "$TARGET/AGENTS.md" ] && cp "$TARGET/AGENTS.md" "$BACKUP/AGENTS.md"
            [ -f "$TARGET/MEMORY.md" ] && cp "$TARGET/MEMORY.md" "$BACKUP/MEMORY.md"
            [ -d "$TARGET/.pi" ]       && cp -R "$TARGET/.pi" "$BACKUP/.pi"
            [ -d "$TARGET/state" ]     && cp -R "$TARGET/state" "$BACKUP/state"
            [ -d "$TARGET/config" ]    && cp -R "$TARGET/config" "$BACKUP/config"

            rm -rf "$TARGET"
            cp -R "$EXTRACTED/$TARGET" "$TARGET"

            rm -rf "$TARGET/state"

            # Remove template defaults before restoring user data to prevent
            # cp -R from nesting directories (e.g. .pi/.pi, config/config).
            [ -d "$BACKUP/.pi" ]    && rm -rf "$TARGET/.pi"
            [ -d "$BACKUP/config" ] && rm -rf "$TARGET/config"

            [ -f "$BACKUP/AGENTS.md" ] && cp "$BACKUP/AGENTS.md" "$TARGET/AGENTS.md"
            [ -f "$BACKUP/MEMORY.md" ] && cp "$BACKUP/MEMORY.md" "$TARGET/MEMORY.md"
            [ -d "$BACKUP/.pi" ]       && cp -R "$BACKUP/.pi" "$TARGET/.pi"
            [ -d "$BACKUP/state" ]     && cp -R "$BACKUP/state" "$TARGET/state"
            [ -d "$BACKUP/config" ]    && cp -R "$BACKUP/config" "$TARGET/config"
          else
            cp -R "$EXTRACTED/$TARGET" "$TARGET"

            rm -rf "$TARGET/state"

            cp "$TARGET/install/OPENCLAW-AGENTS.md" "$TARGET/AGENTS.md"
            mkdir -p "$TARGET/.pi"
            cp "$TARGET/install/settings.json" "$TARGET/.pi/settings.json"
          fi

      - name: Ensure .gitignore entries
        if: steps.check-folder.outputs.action != 'skip'
        run: |
          touch .gitignore
          for entry in "node_modules/" ".github-openclaw-intelligence/node_modules/" ".DS_Store"; do
            grep -qxF "$entry" .gitignore || echo "$entry" >> .gitignore
          done

      - name: Ensure .gitattributes entries
        if: steps.check-folder.outputs.action != 'skip'
        run: |
          touch .gitattributes
          for entry in "memory.log merge=union"; do
            grep -qxF "$entry" .gitattributes || echo "$entry" >> .gitattributes
          done

      - name: Commit and push
        if: steps.check-folder.outputs.action != 'skip'
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

          git add .github-openclaw-intelligence/ .gitignore .gitattributes

          ACTION="${{ steps.check-folder.outputs.action }}"
          if [ "$ACTION" = "upgrade" ]; then
            COMMIT_MSG="chore: upgrade .github-openclaw-intelligence from template"
          else
            COMMIT_MSG="chore: install .github-openclaw-intelligence from template"
          fi

          if git diff --cached --quiet; then
            echo "No changes to commit."
          else
            git commit -m "$COMMIT_MSG"
            git push
          fi

  # ────────────────────────────────────────────────────────────────────────────
  # JOB 2 — run-agent
  #
  # Purpose : The core AI agent. Reads the issue, pull request, or comment,
  #           processes it through the OpenClaw runtime, and posts the response.
  #           Also performs scheduled maintenance on the `schedule` trigger.
  # Trigger : issues.opened / pull_request.opened (title starts with `@`),
  #           issue_comment / pull_request_review / pull_request_review_comment
  #           (body starts with `@`, ignoring bots), or schedule (maintenance).
  # Security: Only collaborators with write/maintain/admin access can trigger
  #           interactive runs; scheduled runs skip the authorization step.
  # ────────────────────────────────────────────────────────────────────────────
  run-agent:
    runs-on: ubuntu-latest

    # Concurrency: one agent run per issue or pull request at a time.  Scheduled
    # maintenance runs have no issue/PR, so they fall back to a unique run id.
    concurrency:
      group: github-openclaw-intelligence-${{ github.repository }}-${{ github.event.issue.number || github.event.pull_request.number || github.run_id }}
      cancel-in-progress: false

    # Trigger guard:
    #   • Run on new issues whose title starts with `@`.
    #   • Run on issue comments whose body starts with `@`, but skip bot comments.
    #   • Run on new pull requests whose title starts with `@`.
    #   • Run on PR reviews / PR review comments starting with `@`, skip bots.
    #   • Run on scheduled maintenance (no `@` prefix; no originating issue/PR).
    if: >-
      github.repository != 'japer-technology/github-openclaw-intelligence'
      && (
        (github.event_name == 'issues' && startsWith(github.event.issue.title, '@'))
        || (github.event_name == 'issue_comment'
            && !endsWith(github.event.comment.user.login, '[bot]')
            && startsWith(github.event.comment.body, '@'))
        || (github.event_name == 'pull_request'
            && startsWith(github.event.pull_request.title, '@'))
        || (github.event_name == 'pull_request_review'
            && !endsWith(github.event.review.user.login, '[bot]')
            && startsWith(github.event.review.body, '@'))
        || (github.event_name == 'pull_request_review_comment'
            && !endsWith(github.event.comment.user.login, '[bot]')
            && startsWith(github.event.comment.body, '@'))
        || github.event_name == 'schedule'
      )
    steps:

      # 1. AUTHORIZATION — verify the actor has write-level (or higher) access.
      #    Skipped for scheduled maintenance, which has no triggering actor.
      - name: Authorize
        id: authorize
        if: github.event_name != 'schedule'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          PERM=$(gh api "repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission" --jq '.permission' 2>/dev/null || echo "none")
          echo "Actor: ${{ github.actor }}, Permission: $PERM"

          if [[ "$PERM" != "admin" && "$PERM" != "maintain" && "$PERM" != "write" ]]; then
            echo "::error::Unauthorized: ${{ github.actor }} has '$PERM' permission"
            exit 1
          fi

          # Resolve the issue or pull-request number (PRs are issues).
          ISSUE_NUM="${{ github.event.issue.number }}"
          PR_NUM="${{ github.event.pull_request.number }}"
          NUM="${ISSUE_NUM:-$PR_NUM}"

          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
            CID="${{ github.event.comment.id }}"
            REACTION_ID=$(gh api "repos/${{ github.repository }}/issues/comments/$CID/reactions" -f content=rocket --jq '.id' 2>/dev/null || echo "")
            if [[ -n "$REACTION_ID" ]]; then RID_JSON="\"$REACTION_ID\""; else RID_JSON="null"; fi
            echo '{"reactionId":'"$RID_JSON"',"reactionTarget":"comment","commentId":'"$CID"',"issueNumber":'"$NUM"',"repo":"${{ github.repository }}","actorPermission":"'"$PERM"'"}' > /tmp/reaction-state.json
          else
            REACTION_ID=$(gh api "repos/${{ github.repository }}/issues/$NUM/reactions" -f content=rocket --jq '.id' 2>/dev/null || echo "")
            if [[ -n "$REACTION_ID" ]]; then RID_JSON="\"$REACTION_ID\""; else RID_JSON="null"; fi
            echo '{"reactionId":'"$RID_JSON"',"reactionTarget":"issue","commentId":null,"issueNumber":'"$NUM"',"repo":"${{ github.repository }}","actorPermission":"'"$PERM"'"}' > /tmp/reaction-state.json
          fi

      # 2. REJECTION FEEDBACK
      - name: Reject
        if: ${{ failure() && steps.authorize.outcome == 'failure' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ISSUE_NUM="${{ github.event.issue.number }}"
          PR_NUM="${{ github.event.pull_request.number }}"
          NUM="${ISSUE_NUM:-$PR_NUM}"
          if [[ "${{ github.event_name }}" == "issue_comment" ]]; then
            gh api "repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions" -f content=-1
          else
            gh api "repos/${{ github.repository }}/issues/$NUM/reactions" -f content=-1
          fi

      # 3. CHECKOUT
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
          fetch-depth: 0

      # 4. SAFETY CHECK
      - name: Check for .github-openclaw-intelligence
        id: check-folder
        run: |
          if [ -d ".github-openclaw-intelligence" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
            echo "::notice::.github-openclaw-intelligence folder not found, skipping."
          fi

      # 5. GUARD — fail-closed sentinel check (runs before bun install)
      - name: Guard
        if: steps.check-folder.outputs.exists == 'true'
        run: |
          if [ ! -f ".github-openclaw-intelligence/ENABLED.md" ]; then
            echo "::error::OpenClaw Intelligence disabled — sentinel file .github-openclaw-intelligence/ENABLED.md is missing."
            echo "::notice::To enable, restore .github-openclaw-intelligence/ENABLED.md and push."
            exit 1
          fi
          echo "OpenClaw Intelligence enabled — ENABLED.md found."

      # 6. RUNTIME
      - name: Setup Bun
        if: steps.check-folder.outputs.exists == 'true'
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.2"

      # 7. PREFLIGHT — validate config before installing dependencies
      - name: Preflight
        if: steps.check-folder.outputs.exists == 'true'
        run: bun .github-openclaw-intelligence/lifecycle/preflight.ts

      # 8. CACHE
      - name: Cache dependencies
        if: steps.check-folder.outputs.exists == 'true'
        uses: actions/cache@v5
        with:
          path: .github-openclaw-intelligence/node_modules
          key: oci-deps-${{ hashFiles('.github-openclaw-intelligence/bun.lock') }}

      # 9. INSTALL
      - name: Install dependencies
        if: steps.check-folder.outputs.exists == 'true'
        run: |
          cd .github-openclaw-intelligence
          if [ -f bun.lock ]; then
            bun install --frozen-lockfile
          else
            bun install
          fi

      # 10. BUILD (placeholder — Bun runs TypeScript natively)
      - name: Build
        if: steps.check-folder.outputs.exists == 'true'
        run: |
          cd .github-openclaw-intelligence
          if jq -e '.scripts.build' package.json > /dev/null 2>&1; then
            bun run build
          else
            echo "No build script found -- Bun runs TypeScript natively, no build needed."
          fi

      # 10b. NODE.JS — OpenClaw requires Node.js >= 22 for its CLI binary.
      - name: Setup Node.js
        if: steps.check-folder.outputs.exists == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: '22'

      # 11. RUN THE AGENT
      - name: Run
        if: steps.check-folder.outputs.exists == 'true'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
          XAI_API_KEY: ${{ secrets.XAI_API_KEY }}
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
          GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bun .github-openclaw-intelligence/lifecycle/agent.ts