openclaw-ghsa-maintainer
# OpenClaw GHSA Maintainer
Use this skill for repo security advisory workflow only. Keep general release work in `openclaw-release-maintainer`.

## Respect advisory guardrails

- Before reviewing or publishing a repo advisory, read `SECURITY.md`.
- Ask permission before any publish action.
- Treat this skill as GHSA-only. Do not use it for stable or beta release work.
## Fetch and inspect advisory state

Fetch the current advisory and the latest published npm version:

```bash
gh api /repos/openclaw/openclaw/security-advisories/<GHSA>
npm view openclaw version --userconfig "$(mktemp)"
```

Use the fetch output to confirm the advisory state, linked private fork, and vulnerability payload shape before patching.
## Verify private fork PRs are closed

Before publishing, verify that the advisory's private fork has no open PRs:

```bash
fork=$(gh api /repos/openclaw/openclaw/security-advisories/<GHSA> | jq -r .private_fork.full_name)
gh pr list -R "$fork" --state open
```

The PR list must be empty before publish.
## Prepare advisory Markdown and JSON safely

- Write advisory Markdown via heredoc to a temp file. Do not use escaped `\n` strings.
- Build the PATCH payload JSON with `jq`, not hand-escaped shell JSON.

Example pattern:

```bash
# A quoted 'EOF' delimiter keeps the Markdown byte-for-byte: no shell expansion, no escaping.
cat > /tmp/ghsa.desc.md <<'EOF'
<markdown description>
EOF
# --rawfile reads the file as one JSON string; --arg passes the scalar fields,
# so jq does all the quoting and nothing is hand-escaped in the shell.
jq -n --arg summary "<summary>" --arg severity "<severity>" \
  --rawfile desc /tmp/ghsa.desc.md \
  '{$summary,$severity,description:$desc,vulnerabilities:[...]}' \
  > /tmp/ghsa.patch.json
```

## Apply PATCH calls in the correct sequence
- Do not set `severity` and `cvss_vector_string` in the same PATCH call.
- Use separate calls when the advisory requires both fields.
- Publish by PATCHing the advisory and setting `"state":"published"`. There is no separate `/publish` endpoint.

Example shape:

```bash
gh api -X PATCH /repos/openclaw/openclaw/security-advisories/<GHSA> \
  --input /tmp/ghsa.patch.json
```

## Publish and verify success
After publish, re-fetch the advisory and confirm:

- `state=published`
- `published_at` is set
- the description does not contain literal escaped `\\n`

Verification pattern:

```bash
# Save the re-fetched advisory so the checks below read the same snapshot.
gh api /repos/openclaw/openclaw/security-advisories/<GHSA> > /tmp/ghsa.refetch.json
# rg prints any description line still carrying a literal \n escape;
# no output (rg exits 1) is the pass condition.
jq -r .description < /tmp/ghsa.refetch.json | rg '\\\\n'
```
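The PATCH sequencing rules and the post-publish checks above, as an added example that is not part of the skill: it splits one set of advisory fields into PATCH bodies that never carry `severity` and `cvss_vector_string` together and always publish last, then runs the three post-publish checks over a re-fetched advisory. It works on the parsed JSON of the `gh api` output; the two sample advisories are constructed, not real API responses.

```python
import re


def split_patch_payloads(fields):
    """Order one dict of advisory fields into the PATCH bodies to send.

    cvss_vector_string is peeled into its own call so it never shares a body
    with severity, and "state": "published" is always the last body so the
    advisory is published only after the content calls have succeeded.
    Any other state value is dropped; only the publish step is modelled.
    """
    fields = dict(fields)
    publish = fields.pop("state", None) == "published"
    cvss = fields.pop("cvss_vector_string", None)
    payloads = [fields] if fields else []
    if cvss is not None:
        payloads.append({"cvss_vector_string": cvss})
    if publish:
        payloads.append({"state": "published"})
    return payloads


def verify_published(advisory):
    """Return the problems found in a re-fetched advisory (empty list = pass)."""
    problems = []
    if advisory.get("state") != "published":
        problems.append("state is %r, not 'published'" % advisory.get("state"))
    if not advisory.get("published_at"):
        problems.append("published_at is not set")
    # After JSON decoding a real newline is one character; a leftover escape
    # from a hand-built payload is a backslash followed by the letter n.
    if re.search(r"\\n", advisory.get("description") or ""):
        problems.append("description contains a literal escaped \\n")
    return problems


# Constructed samples of a re-fetched advisory (not real gh output).
GOOD_REFETCH = {"state": "published", "published_at": "2024-01-01T00:00:00Z",
                "description": "Line one\nLine two"}          # real newline
BAD_REFETCH = {"state": "draft", "published_at": None,
               "description": "Line one\\nLine two"}          # literal \n

if __name__ == "__main__":
    print(verify_published(GOOD_REFETCH))  # []
    print(verify_published(BAD_REFETCH))
```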
## Common GHSA footguns
- Publishing fails with HTTP 422 if required fields are missing or the private fork still has open PRs.
- A payload that looks correct in shell can still be wrong if Markdown was assembled with escaped newline strings.
- Advisory PATCH sequencing matters; separate field updates when GHSA API constraints require it.