ci(github): require maintainer edits on fork PRs #4791

Merged
cv merged 1 commit into main from ci/require-maintainer-edits
Jun 5, 2026

@cv cv commented Jun 5, 2026

Collaborator

Summary

Adds a lightweight pull_request_target workflow that fails fork PRs when maintainers cannot modify the branch. This makes the repository policy visible in CI without checking out or executing untrusted PR code.

Changes

  • Added .github/workflows/require-maintainer-edits.yaml.
  • The new check passes for same-repository PRs and fork PRs with maintainer edits enabled.
  • The new check fails fork PRs when maintainer_can_modify is false, with an actionable error message.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

npm test was attempted but did not pass because the existing test/install-preflight.test.ts case "warns on Podman but still runs onboarding" expected "Host preflight found warnings." while the local output reported "Host preflight found issues..."; this appears unrelated to the workflow-only change.

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Signed-off-by: Carlos Villela cvillela@nvidia.com

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
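An added example, not the workflow merged in this PR: a sketch of the metadata-only decision the summary describes, as a JavaScript function over the pull request event payload. The function name, messages and sample payloads are constructed for illustration; `maintainer_can_modify`, `head.repo` and `base.repo` are fields of the GitHub pull request payload.

```javascript
// Added example: decide pass/fail from PR metadata alone. Nothing from the PR
// head is checked out or executed, so untrusted fork code never runs.

// Hypothetical helper: takes a pull request event payload, returns { ok, reason }.
function checkMaintainerEdits(payload) {
  const pr = payload && payload.pull_request;
  if (!pr || !pr.base || !pr.base.repo) {
    // Fail closed: without PR metadata there is nothing to evaluate.
    return { ok: false, reason: "no pull_request metadata in payload" };
  }
  const headRepo = pr.head && pr.head.repo;
  if (!headRepo) {
    // head.repo is null once the contributor's fork has been deleted.
    return { ok: false, reason: "head repository unavailable" };
  }
  // Same-repository PRs pass first; the flag is only consulted for forks.
  if (headRepo.id === pr.base.repo.id) {
    return { ok: true, reason: "same-repository PR" };
  }
  // Require the literal boolean so a missing or string value fails closed.
  if (pr.maintainer_can_modify === true) {
    return { ok: true, reason: "fork PR, maintainer edits enabled" };
  }
  return { ok: false, reason: 'fork PR: enable "Allow edits by maintainers"' };
}

// Constructed payloads (ids are made up), trimmed to the fields the check reads.
const base = { repo: { id: 100 } };
const SAMPLES = {
  sameRepo: { pull_request: { base, head: { repo: { id: 100 } }, maintainer_can_modify: false } },
  forkAllowed: { pull_request: { base, head: { repo: { id: 200 } }, maintainer_can_modify: true } },
  forkDenied: { pull_request: { base, head: { repo: { id: 200 } }, maintainer_can_modify: false } },
  forkStringFlag: { pull_request: { base, head: { repo: { id: 200 } }, maintainer_can_modify: "true" } },
  forkDeleted: { pull_request: { base, head: { repo: null }, maintainer_can_modify: false } },
  notAPullRequest: { action: "push" },
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  const { ok, reason } = checkMaintainerEdits(payload);
  console.log(`${name}: ${ok ? "pass" : "FAIL"} (${reason})`);
}
```

In a workflow step the payload would be the JSON file named by `GITHUB_EVENT_PATH`, and a failing result would end the step with a non-zero exit code.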
@cv cv self-assigned this Jun 5, 2026

github-actions Bot commented Jun 5, 2026

Contributor

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • None. No E2E is recommended because this PR only adds a CI metadata-gating workflow for pull requests. It does not modify NemoClaw runtime code, CLI behavior, OpenClaw plugin behavior, sandbox lifecycle, credentials, network policies, inference routing, deployment assets, or real assistant workflows.

Optional E2E

  • None.

New E2E recommendations

  • None.

github-actions Bot commented Jun 5, 2026

Contributor

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. Change adds a non-scenario GitHub workflow for maintainer-edit enforcement and does not affect test/e2e-scenario, scenario metadata/runtime, expected states, suite definitions, or e2e-scenarios workflows.

Optional scenario E2E

  • None.

Relevant changed files

  • None.

github-actions Bot commented Jun 5, 2026

Contributor

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: Ensure the maintainer-edits check refreshes after contributors enable the setting

Review findings

🛠️ Needs attention

  • None.

🔎 Worth checking

  • Ensure the check refreshes after contributors enable maintainer edits (.github/workflows/require-maintainer-edits.yaml:10): The workflow fails fork PRs when maintainer_can_modify is false and tells contributors to enable Allow edits by maintainers, but the trigger list may not create a new pull_request_target run when only that checkbox changes. If the setting change does not emit one of opened, reopened, synchronize, edited, or ready_for_review with a refreshed pull_request payload, the failed status can remain stale even after the contributor follows the error message.
    • Recommendation: Confirm the GitHub event emitted by toggling Allow edits by maintainers. If it does not rerun this workflow with updated metadata, add a reliable refresh path or update the error message to tell contributors the exact additional action needed, such as pushing a new commit or editing the PR description after enabling the setting.
    • Evidence: The only triggers are pull_request_target types [opened, reopened, synchronize, edited, ready_for_review], and the failure path at lines 35-37 only instructs the user to enable maintainer edits.

🌱 Nice ideas

  • None.

This is an automated advisory review. A human maintainer must make the final merge decision.

@cv cv merged commit 2994948 into main Jun 5, 2026
27 checks passed
@cv cv deleted the ci/require-maintainer-edits branch June 5, 2026 01:04
@wscurran wscurran added the chore Build, CI, dependency, or tooling maintenance label Jun 8, 2026