chore: add workflow to auto-add issues and PRs to NemoClaw Development Tracker#504
…t Tracker Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough: Introduces a GitHub Actions workflow that automatically adds newly opened issues and pull requests to a specified GitHub Project board using the add-to-project action with repository secret authentication.
Estimated code review effort: 1 (Trivial), ~2 minutes.
Pre-merge checks: 3 passed.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/add-to-project.yml (1)
9-17: Declare explicit workflow permissions (least privilege). Please add an explicit permissions: block for this job/workflow so defaults don't drift to broader access than needed.
🛠️ Suggested permissions block
jobs: add-to-project: name: Add to NemoClaw Development Tracker runs-on: ubuntu-latest + permissions: + contents: read + issues: read + pull-requests: read steps:🤖 Prompt for AI Agents
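Review bot: the permissions: block suggested here governs only the job's automatic GITHUB_TOKEN; the step authenticates with secrets.ADD_TO_PROJECT_PAT, whose reach is fixed by the scopes granted on the PAT itself, so this block does not narrow what the PAT can do. It is still worth adding so the otherwise unused default token is not left at the repository's default permissions, and the PAT should be checked separately to carry only the project scope the PR description names.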
Verify each finding against the current code and only fix it if needed. In @.github/workflows/add-to-project.yml around lines 9 - 17, The workflow does not specify explicit permissions, which can lead to broader access than necessary. Add a `permissions:` block to the job or workflow and specify only the minimum required permissions for the actions to run securely, such as `contents: read` and `workflows: write` or others relevant to the add-to-project action in the YAML file to enforce least privilege.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/add-to-project.yml:
- Around line 14-17: Replace the mutable action tag
"actions/add-to-project@v1.0.2" with a specific immutable commit SHA to prevent
supply-chain risk; update the "uses" line to
"actions/add-to-project@<commit-sha>" (use the exact commit SHA from the
action's repository), keep the existing "project-url" and the secret
"ADD_TO_PROJECT_PAT" intact, and verify the chosen SHA corresponds to the
intended release before committing the change.
---
Nitpick comments:
In @.github/workflows/add-to-project.yml:
- Around line 9-17: The workflow does not specify explicit permissions, which
can lead to broader access than necessary. Add a `permissions:` block to the job
or workflow and specify only the minimum required permissions for the actions to
run securely, such as `contents: read` and `workflows: write` or others relevant
to the add-to-project action in the YAML file to enforce least privilege.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 7a275890-1860-4068-8aff-ede003a3fa04
📒 Files selected for processing (1)
.github/workflows/add-to-project.yml
| - uses: actions/add-to-project@v1.0.2 | ||
| with: | ||
| project-url: https://github.com/orgs/NVIDIA/projects/199 | ||
| github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} |
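Review bot: this step hands secrets.ADD_TO_PROJECT_PAT to a third-party action addressed by the mutable tag v1.0.2, and the PR description says the workflow triggers on pull_request_target, under which repository secrets are available on pull requests from forks. Pin the uses: line to the action's full commit SHA, and keep this job limited to the add-to-project step: no actions/checkout of the PR head and no script that runs PR-supplied content, since anything executed in this job can read the PAT.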
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether workflow actions are pinned to immutable SHAs.
# Expected: lines use `owner/repo/path@<40-hex-sha>` for third-party actions.
rg -n '^\s*-\s*uses:\s*' .github/workflows | sed 's/^/FOUND: /'
Repository: NVIDIA/NemoClaw
Length of output: 149
🏁 Script executed:
cat -n .github/workflows/add-to-project.yml
Repository: NVIDIA/NemoClaw
Length of output: 568
🏁 Script executed:
# Check all workflows for other version-tagged actions
rg -n '^\s*-\s*uses:\s*\w+/' .github/workflows -A 3 | head -50
Repository: NVIDIA/NemoClaw
Length of output: 401
Pin the third-party action to a commit SHA before using PAT secrets.
actions/add-to-project@v1.0.2 is a mutable tag. Since this step consumes ADD_TO_PROJECT_PAT, pin to an immutable commit SHA to reduce supply-chain risk.
🔒 Suggested hardening patch
- - uses: actions/add-to-project@v1.0.2
+ - uses: actions/add-to-project@<full_commit_sha>
with:
project-url: https://github.com/orgs/NVIDIA/projects/199
github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}🤖 Prompt for AI Agents
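Review bot: keep the release tag as a trailing comment on the pinned line, e.g. `- uses: actions/add-to-project@<full_commit_sha> # v1.0.2`, so the version stays readable in review and Dependabot can bump the SHA together with the comment when a new release appears; take the SHA from the v1.0.2 tag in the action's own repository rather than from a mirror.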
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/add-to-project.yml around lines 14 - 17, Replace the
mutable action tag "actions/add-to-project@v1.0.2" with a specific immutable
commit SHA to prevent supply-chain risk; update the "uses" line to
"actions/add-to-project@<commit-sha>" (use the exact commit SHA from the
action's repository), keep the existing "project-url" and the secret
"ADD_TO_PROJECT_PAT" intact, and verify the chosen SHA corresponds to the
intended release before committing the change.
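As an added check that covers both the permissions nitpick and the SHA-pinning finding above, here is a small audit script. It is not code from the NemoClaw repository or from CodeRabbit; it parses workflow files line by line with the standard library only, and its sample workflow, placeholder SHA (forty zeros) and EXAMPLE_ORG project URL are constructed for illustration.

```python
"""Audit GitHub Actions workflow text for the two findings raised in this
review: third-party actions referenced by a mutable tag instead of a full
commit SHA, and workflows with no explicit least-privilege `permissions:`
block. Added example, not NemoClaw or CodeRabbit code; line-based parsing,
standard library only."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # a trailing "# v1.0.2" comment is ignored


def unpinned_actions(workflow_text):
    """(line_no, ref) for each `uses:` that is not pinned to a 40-hex commit SHA.
    Local actions (./path) and docker:// images are skipped: they are not
    addressed by a git ref at all."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA.match(version):
            found.append((n, ref))
    return found


def has_permissions_block(workflow_text):
    """True if a top-level or job-level `permissions:` key is declared."""
    return any(re.match(r"^\s*permissions:", l) for l in workflow_text.splitlines())


def runs_fork_code_with_secrets(workflow_text):
    """True when `pull_request_target` (secrets available to fork PRs) is
    combined with actions/checkout in the same file; that pairing needs a
    careful look, because checked-out PR code would run next to the secrets."""
    return bool(re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M)) \
        and "actions/checkout" in workflow_text


def audit(workflow_text):
    """Collect the three checks into one report."""
    return {
        "unpinned": unpinned_actions(workflow_text),
        "missing_permissions": not has_permissions_block(workflow_text),
        "pull_request_target_checkout": runs_fork_code_with_secrets(workflow_text),
    }


# Constructed sample: same shape as the workflow under review, before hardening.
SAMPLE = """\
name: Add to project
on:
  issues:
    types: [opened]
  pull_request_target:
    types: [opened]
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v1.0.2
        with:
          project-url: https://github.com/orgs/EXAMPLE_ORG/projects/1
          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
"""

PLACEHOLDER_SHA = "0" * 40  # placeholder, not a real commit of the action

# The same workflow after applying both review suggestions.
HARDENED = SAMPLE.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n",
).replace("actions/add-to-project@v1.0.2",
          "actions/add-to-project@" + PLACEHOLDER_SHA + " # v1.0.2")

if __name__ == "__main__":
    for label, text in (("before", SAMPLE), ("after", HARDENED)):
        print(label, audit(text))
```

Run it against real files with `audit(open(path).read())`. The `uses:` pattern stops at whitespace, so the `# v1.0.2` annotation the pinning suggestion leaves after the SHA does not trip the check, while `@main` or `@v1.0.2` on its own does.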
The sandbox network namespace (10.200.0.0/24) could not resolve DNS because CoreDNS at 10.43.0.10 was both unreachable (wrong subnet) and had broken forwarding (loopback upstream on systemd-resolved hosts). This fixes both breaks in the DNS chain:
- Add setup-dns-proxy.sh: iptables NAT rules in the gateway container route DNS traffic from the sandbox network to the CoreDNS pod, bridging the 10.200.0.0/24 ↔ 10.43.0.0/16 subnet gap.
- Extend fix-coredns.sh to all platforms (was Colima-only) so CoreDNS always forwards to a working upstream. Add 8.8.8.8 as a last-resort fallback in resolve_coredns_upstream().
- Update shouldPatchCoredns() to return true for all known container runtimes, matching the existing comment "broken on all platforms."
Resolves: NVIDIA#626, NVIDIA#504
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The sandbox runs in an isolated network namespace (10.200.0.0/24) where dns.lookup() fails because the CoreDNS service IP (10.43.0.10) is unreachable. This blocks web_search, web_fetch, and any tool that does pre-flight DNS resolution before using the HTTP proxy.
Fix: run a Python DNS forwarder in the sandbox pod's root namespace that intercepts queries to 10.43.0.10 and forwards them to the CoreDNS pod.
Key details:
- setup-dns-proxy.sh: adds 10.43.0.10 as a local address in the pod, starts a Python UDP forwarder bound to 10.43.0.10:53, forwards to the CoreDNS pod IP (discovered via kubectl endpoints). Launched via docker exec -d + nsenter for persistence.
- fix-coredns.sh: extended to all platforms (was Colima-only). The comment already said "broken on all platforms" but the code only ran for Colima.
- runtime.sh: added 8.8.8.8 fallback to resolve_coredns_upstream() for hosts where all nameservers are loopback (systemd-resolved).
- platform.js: shouldPatchCoredns() returns true for all known runtimes.
- onboard.js / setup.sh: call setup-dns-proxy.sh after sandbox creation.
The forwarder MUST bind to 10.43.0.10 (not 0.0.0.0) because glibc uses connected UDP sockets that discard responses from unexpected source IPs. It MUST forward to the CoreDNS pod IP (not 8.8.8.8) because the openshell-sandbox binary also uses DNS to reach the gateway for inference routing, and public DNS cannot resolve *.svc.cluster.local.
Fixes NVIDIA#626
Related: OpenShell NVIDIA#437, NVIDIA#504
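The forwarder described in the commit message above, as an added example (not the Python forwarder from setup-dns-proxy.sh, which is not on this page): it binds one explicit address, relays each query to a single upstream, and drops any reply whose transaction id does not match the query. To run offline it uses loopback, ephemeral ports, a fake upstream standing in for CoreDNS, and a constructed hostname and answer address; in the real setup the listen address is 10.43.0.10:53 and the upstream is the CoreDNS pod IP.

```python
"""Minimal UDP DNS forwarder of the kind the commit message describes: bind one
explicit address, relay each query to an upstream resolver, return the reply.
Added example, not the setup-dns-proxy.sh forwarder; runs entirely on loopback
with a fake upstream standing in for CoreDNS (real service: 10.43.0.10:53)."""
import socket
import struct
import threading


def build_query(name, txid, qtype=1):
    """One-question DNS query (RD set) for `name`, class IN."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def question_end(pkt):
    """Offset just past the first question (labels + type + class)."""
    i = 12
    while pkt[i]:
        i += pkt[i] + 1
    return i + 5


def answer_ipv4(resp):
    """Address from a single A answer written in compressed (name-pointer) form."""
    i = question_end(resp)  # then pointer(2) type(2) class(2) ttl(4) rdlength(2)
    rdlen = struct.unpack(">H", resp[i + 10:i + 12])[0]
    return socket.inet_ntoa(resp[i + 12:i + 12 + rdlen])


class Forwarder:
    """Relay queries arriving on `listen` to `upstream`, one at a time."""
    def __init__(self, listen, upstream, timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # Bind the concrete address, not 0.0.0.0: replies must leave from the IP
        # the client sent to, or a connected UDP socket (glibc) discards them.
        self.sock.bind(listen)
        self.sock.settimeout(0.2)  # so serve_forever can notice `stopped`
        self.address = self.sock.getsockname()
        self.upstream, self.timeout = upstream, timeout
        self.stopped = threading.Event()

    def relay(self, query):
        """Forward one query; accept only a reply whose transaction id matches."""
        if len(query) < 12:
            return None
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
            up.settimeout(self.timeout)
            try:
                up.sendto(query, self.upstream)
                reply = up.recv(4096)
            except OSError:  # upstream unreachable or timed out
                return None
        return reply if len(reply) >= 12 and reply[:2] == query[:2] else None

    def serve_forever(self):
        while not self.stopped.is_set():
            try:
                query, client = self.sock.recvfrom(4096)
            except socket.timeout:
                continue
            reply = self.relay(query)
            if reply is not None:
                self.sock.sendto(reply, client)


def fake_upstream(answer_ip):
    """Loopback stand-in for CoreDNS: answers every query with one A record."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                q, client = sock.recvfrom(4096)
            except socket.timeout:
                continue
            hdr = q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
            rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
            sock.sendto(hdr + q[12:question_end(q)] + rr, client)
    return sock, serve, stopped


def demo(name="gateway.svc.cluster.local", answer_ip="10.43.0.1", txid=0x2A2A):
    """fake upstream -> forwarder -> connected-UDP client, all on loopback."""
    usock, userve, ustop = fake_upstream(answer_ip)
    fwd = Forwarder(("127.0.0.1", 0), usock.getsockname())
    threads = [threading.Thread(target=userve), threading.Thread(target=fwd.serve_forever)]
    for t in threads:
        t.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        client.connect(fwd.address)  # connected UDP, like the glibc resolver
        client.send(build_query(name, txid))
        resp = client.recv(4096)
        return answer_ipv4(resp) if resp[:2] == struct.pack(">H", txid) else None
    finally:
        client.close()
        fwd.stopped.set(); ustop.set()
        for t in threads:
            t.join()
        fwd.sock.close(); usock.close()
```

demo() exercises the chain with a connected UDP client, which is the reason for the explicit bind: a client that has connect()ed to 10.43.0.10 accepts datagrams only from 10.43.0.10, so a forwarder bound to 0.0.0.0 that happens to reply from another interface address is silently ignored. The transaction-id check in relay() is the minimal defence against a stray or spoofed reply being handed back to the client.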
Summary
Adds a GitHub Actions workflow that automatically adds all new issues and pull requests to the NemoClaw Development Tracker project (project #199) with Status = No Status (the default).
Changes
- .github/workflows/add-to-project.yml
- pull_request_target for PRs to handle fork contributors (consistent with pr-limit.yaml)
The workflow references ${{ secrets.ADD_TO_PROJECT_PAT }}, a PAT with project scope. Please confirm this secret exists in Settings → Secrets and variables → Actions, or add it before merging.
Testing