feat(community): contributor onboarding automation #54
…butor in silence

Phase 1 of the Contributor Operating System. The #1 reason first-timers don't return is silence; this makes every new issue/PR get a warm, useful response within ~a minute, and keeps the queue self-organizing.

Added:
- .github/workflows/contributor-welcome.yml — greets every new issue/PR, with an extra-warm branch for first-time contributors. Uses gh CLI + the built-in (never-expiring) GITHUB_TOKEN; no third-party action, no external credential — this path cannot hit the credential bottleneck. pull_request_target with no checkout so it safely comments on fork PRs.
- .github/workflows/labeler.yml + .github/labeler.yml — path-based auto-labeling (docs/js/python/integrations/ci/tests). actions/labeler SHA-pinned per supply-chain policy.
- .github/ISSUE_TEMPLATE/ — bug, feature, question forms + config (blank issues off; links to Moltbook + private security advisories).
- .github/pull_request_template.md — what/why + type + checklist.
- CONTRIBUTING.md — 'What happens after you open a PR' so expectations are explicit; local check command; good-first-issue pointer; security disclosure note.

All free on this public repo. Phase 2 (PR fast-path: pass->thanks/merge, fail->explain) and the Hermes credential cron follow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Walkthrough
Adds contributor infrastructure: three issue-form templates and their config, a PR template, labeler rules and workflows (labeler + contributor welcome), and CONTRIBUTING.md updates describing CI gates, security scans, and merge behavior.
Changes: Contributor workflow infrastructure
Code Review
This pull request introduces GitHub issue templates, a PR template, a labeler configuration, and updates to the contribution guidelines. Feedback highlights that the corresponding GitHub Actions workflow files to trigger the auto-labeling and welcome automation are missing. Additionally, suggestions were made to include Python-specific verification steps in both the PR checklist and the local testing instructions in CONTRIBUTING.md to support Python contributors.
| # Path-based auto-labeling for PRs (actions/labeler v6 syntax). | ||
| # Keeps the queue self-organizing so maintainers can route at a glance. |
The PR description mentions adding contributor-welcome.yml and labeler.yml (the workflow file) to trigger the auto-labeling and welcome responses. However, no workflow files under .github/workflows/ are included in this pull request. Without the corresponding GitHub Actions workflow files, the auto-labeling configuration in .github/labeler.yml and the welcome automation will not run.
Please ensure that .github/workflows/contributor-welcome.yml and .github/workflows/labeler.yml are added to this PR.
| ## Checklist | ||
| - [ ] Branched off the latest `main` (rebased if it drifted) | ||
| - [ ] `npm run lint` and `npm run type-check` pass | ||
| - [ ] `npm test` passes and new code has tests (80% coverage gate) | ||
| - [ ] Updated docs / CHANGELOG if behavior changed | ||
| - [ ] No secrets, keys, or tokens committed |
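Review bot: the final item, `No secrets, keys, or tokens committed`, is a self-attestation with nothing in this checklist behind it. If CI runs a secret scan, name that check next to the box so a reviewer can tie the tick to a visible result rather than to the author's word.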
Since the repository supports both TypeScript/JavaScript and Python packages (as indicated by the issue templates and labeler config), the PR checklist should also include guidelines/checks for Python contributions (e.g., running tests or linters in packages/python) to ensure consistent code quality across both ecosystems.
| ## Checklist | |
| - [ ] Branched off the latest `main` (rebased if it drifted) | |
| - [ ] `npm run lint` and `npm run type-check` pass | |
| - [ ] `npm test` passes and new code has tests (80% coverage gate) | |
| - [ ] Updated docs / CHANGELOG if behavior changed | |
| - [ ] No secrets, keys, or tokens committed | |
| ## Checklist | |
| - [ ] Branched off the latest main (rebased if it drifted) | |
| - [ ] For JS/TS: npm run lint and npm run type-check pass | |
| - [ ] For JS/TS: npm test passes and new code has tests (80% coverage gate) | |
| - [ ] For Python: Python tests and linters pass (if applicable) | |
| - [ ] Updated docs / CHANGELOG if behavior changed | |
| - [ ] No secrets, keys, or tokens committed |
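Review bot: the added item `For Python: Python tests and linters pass (if applicable)` names no command, while the JS/TS items name `npm run lint`, `npm run type-check` and `npm test`. A box with no command behind it cannot be compared against CI output; name the exact commands run for packages/python, or link to where they are documented.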
| ### Quick local check (mirrors CI) | ||
|
|
||
| ```bash | ||
| npm ci | ||
| npm run lint && npm run type-check && npm test | ||
| ``` |
Since the project supports Python contributions as well, it would be helpful to provide the local check commands for Python or mention where they can be found, so Python contributors also have a clear path to verify their changes locally.
| ### Quick local check (mirrors CI) | |
| ```bash | |
| npm ci | |
| npm run lint && npm run type-check && npm test | |
| ``` | |
| ### Quick local check (mirrors CI) | |
| For JavaScript/TypeScript: | |
| Run npm ci, then npm run lint && npm run type-check && npm test. | |
| For Python: | |
| Run the corresponding tests and linters within the packages/python directory before submitting your PR. |
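Review bot: the replacement text drops the fenced `bash` block and folds the commands into a sentence (`Run npm ci, then npm run lint && npm run type-check && npm test.`), so the trailing period now sits inside what a contributor would copy. Keep the JS/TS commands in the original fenced block and add the Python commands as a second fenced block under their own label.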
@coderabbitai review
✅ Actions performed
Review triggered.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
FriendlyAI review unavailable — upstream error
The review service returned an error, so no verdict was produced. This is a neutral result, not a block. If this PR needs to merge while review is unavailable, a maintainer can apply the
Actionable comments posted: 3
🧹 Nitpick comments (2)
.github/ISSUE_TEMPLATE/bug_report.yml (1)
5-7: ⚡ Quick win
Add an explicit “don’t paste secrets” warning in the form.
This template asks for repro/code/environment details but does not explicitly tell users to redact keys/tokens/wallet secrets before posting in a public issue.
Suggested patch
- type: markdown attributes: - value: Thanks for reporting! Clear repro steps get bugs fixed fastest. 🙏 + value: | + Thanks for reporting! Clear repro steps get bugs fixed fastest. 🙏 + ⚠️ This is a public issue. Please redact API keys, private keys, tokens, and wallet secrets.Also applies to: 25-55
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/ISSUE_TEMPLATE/bug_report.yml around lines 5 - 7, Add an explicit “do not paste secrets” warning to the bug report template: update the markdown block (the YAML node with type: markdown and its value field) to prepend a clear, prominent note asking users to redact API keys, tokens, private keys/wallet seeds and other secrets before posting; mirror the same warning into the other similar markdown blocks referenced in the file (the blocks covering the form sections around the later occurrences) so the warning appears wherever users paste code, repro steps, or environment details.
.github/workflows/contributor-welcome.yml (1)
20-23: ⚡ Quick win
Tighten token scope by splitting issue vs PR comment jobs.
Current permissions are broader than necessary for each event. Split into two jobs (`if: github.event_name == ...`) so issue flow gets only `issues: write` and PR flow gets only `pull-requests: write`.
Also applies to: 24-73
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/contributor-welcome.yml around lines 20 - 23, Current workflow grants both issues: write and pull-requests: write globally; split the workflow into two jobs so each job has minimal permissions and an event guard: create an "issues" job with if: github.event_name == 'issues' and permissions: issues: write (omit pull-requests), and create a separate "pull_request" job with if: github.event_name == 'pull_request' and permissions: pull-requests: write (omit issues); update any shared steps into a reusable job or composite action called by both jobs to avoid duplication and ensure the correct scoped permissions are applied.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/labeler.yml:
- Around line 6-8: The javascript label's changed-files globs only list '*.ts'
and '*.js' which match root-level files; update the any-glob-to-any-file entries
under the javascript -> changed-files block (the any-glob-to-any-file array) to
use recursive globs like '**/*.ts' and '**/*.js' (or '**/*.{ts,js}') so nested
JS/TS files outside src/** are matched; keep existing src/** entry and preserve
YAML structure and indentation.
In `@CONTRIBUTING.md`:
- Around line 34-39: The section titled "Quick local check (mirrors CI)" is
inaccurate because the shown bash snippet only runs lint/type-check/test; either
rename the heading to "Quick local pre-check" or update the snippet to match CI
by adding the missing steps (e.g., build and security scan commands) so the
snippet truly mirrors CI; update the header text "Quick local check (mirrors
CI)" and the accompanying bash block (the three-line npm commands) to reflect
your chosen approach.
- Around line 32-33: The two statements conflict: the sentence beginning "When
everything's green, PRs from maintainers/members merge automatically"
contradicts the rule that "all PRs require one approving review." Decide on one
consistent policy and update either the "When everything's green..." sentence to
require at least one approving review for maintainers/members (e.g., "When
everything's green and at least one approving review exists...") or modify the
"all PRs require one approving review" statement to explicitly exempt
maintainers/members, and ensure both occurrences use the exact same wording so
the CONTRIBUTING.md is unambiguous.
📒 Files selected for processing (9)
- .github/ISSUE_TEMPLATE/bug_report.yml
- .github/ISSUE_TEMPLATE/config.yml
- .github/ISSUE_TEMPLATE/feature_request.yml
- .github/ISSUE_TEMPLATE/question.yml
- .github/labeler.yml
- .github/pull_request_template.md
- .github/workflows/contributor-welcome.yml
- .github/workflows/labeler.yml
- CONTRIBUTING.md
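The per-job permission split raised in the review above, combined with the PR description's `pull_request_target`-without-checkout design, as an added example; it is not the PR's actual contributor-welcome.yml. Job names and comment bodies are hypothetical, and the PR job guards on `pull_request_target` because that is the event name a workflow sees for that trigger.

```yaml
# Added example: hypothetical job names and comment text.
name: contributor-welcome
on:
  issues:
    types: [opened]
  pull_request_target:
    types: [opened]

# Deny everything at workflow level; each job grants only what it needs.
permissions: {}

jobs:
  welcome-issue:
    if: github.event_name == 'issues'
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - name: Comment on the new issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # Event data goes through env, never interpolated into the script text.
          NUMBER: ${{ github.event.issue.number }}
        run: gh issue comment "$NUMBER" --body "Thanks for opening this issue."

  welcome-pr:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # No actions/checkout step: fork code is never fetched or run
      # in this privileged (base-repo token) context.
      - name: Comment on the new PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$NUMBER" --body "Thanks for the pull request."
```

`GH_REPO` is set because, with no checkout, `gh` has no local git remote to infer the repository from.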
…template

Adopts the universally-valuable structure from the AIOX PR template (acceptance/expected-behavior + testing evidence) while keeping it OSS-friendly — no internal story-ID / semantic-intent requirements that external contributors can't satisfy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai review
✅ Actions performed
Review triggered.
…ted)

Use the full canonical AIOX product PR template structure — Summary, Related Issues, Changes Made, What-done-looks-like, Testing + Test Results, Quality checklist, Reviewer notes — so PRs carry all the items a reviewer needs. Excludes the internal story-driven fields (Story ID / semantic-intent.md) that external OSS contributors can't provide.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- labeler: match nested **/*.ts, **/*.js (not just root-level)
- CONTRIBUTING: align merge policy (every PR needs an approving review; trusted PRs may use auto-merge) — removes the conflicting wording
- CONTRIBUTING: rename 'mirrors CI' to 'quick local pre-check' (the command runs lint/type-check/test, not the full build + security scans)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai review
✅ Actions performed
Review triggered.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/labeler.yml (1)
20-20: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
Add `test_*.py` pattern for pytest files.
The current Python test pattern `**/*_test.py` only catches files ending with `_test.py`. Pytest also recognizes files starting with `test_`, like `test_auth.py`. Without `**/test_*.py`, those files won't get the `tests` label.
📋 Proposed fix
tests: - changed-files: - - any-glob-to-any-file: ['tests/**', '**/*.test.ts', '**/*.spec.ts', '**/*_test.py'] + - any-glob-to-any-file: ['tests/**', '**/*.test.ts', '**/*.spec.ts', '**/*_test.py', '**/test_*.py']🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/labeler.yml at line 20, Update the label pattern list under the any-glob-to-any-file entry so pytest-style filenames starting with "test_" are included: add the glob '**/test_*.py' alongside the existing '**/*_test.py' pattern so both test_auth-style and auth_test-style files will be matched by the labeler.
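Review bot: in the `tests` rule, `'tests/**'` is anchored at the repository root, so it only matches a top-level `tests/` directory; this is the same root-anchoring that the earlier `*.ts` / `*.js` finding fixed with a `**/` prefix. If test directories also sit under package folders such as `packages/python`, add `'**/tests/**'` so those changes get the `tests` label too.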
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/pull_request_template.md:
- Around line 36-37: Update the PR template command line that currently reads
"npm run lint && npm run type-check && npm test" to include the coverage step;
modify the pipeline string so it runs "npm run coverage" (e.g., "npm run lint &&
npm run type-check && npm test && npm run coverage") so the pasted output
matches the 80% coverage gate referenced in the checklist and the "paste output"
section.
📒 Files selected for processing (3)
- .github/labeler.yml
- .github/pull_request_template.md
- CONTRIBUTING.md
| npm run lint && npm run type-check && npm test | ||
| # paste output |
Align test-results command with the stated 80% coverage gate.
The template asks contributors to confirm the coverage gate (Line 43), but the command shown for pasted results omits coverage. Add npm run coverage so the evidence section matches the checklist expectation.
Suggested patch
npm run lint && npm run type-check && npm test
+npm run coverage
# paste outputAlso applies to: 43-43
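Review bot: the added `+npm run coverage` sits on its own line, so it runs even when the `&&` chain on the line above has already failed, and the pasted output can then show a coverage result next to a failing lint or test run. Append it to the chain instead, as `npm test && npm run coverage`, which is also the single-command form the comment's prompt text describes.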
CodeRabbit is advisory per operator policy 2026-06-03 — not a merge gate; defense-in-depth via other layers + SINKRA chain.
Triage (2026-06-11): deferred. Contributor-onboarding automation is currently BLOCKED and lower priority than the active hardening/GTM track. Leaving open as deferred; revisit after design-partner #1.
Summary
Adds contributor-experience automation and templates so issues and PRs get a consistent, helpful first response and stay organized by area.
Included
`GITHUB_TOKEN` (no external credentials). `actions/labeler` SHA-pinned.
Cost
Free — public repo, standard runners; event-driven.
Verification
All workflow + issue-form YAML validated; the welcome step is bash-syntax-checked and dry-rendered.
🤖 Generated with Claude Code