fix(ci): GitHub App active-PR-limit exemption regression #75311

Merged
vincentkoc merged 1 commit into main from
clawsweeper/clawsweeper-commit-openclaw-openclaw-ef799fd57a77
May 1, 2026

@clawsweeper
Contributor

@clawsweeper clawsweeper Bot commented Apr 30, 2026

Summary

Found one regression in the new GitHub App active-PR-limit exemption. A concurrent successful removal by the Labeler workflow can make Barnacle receive a 404, keep the stale in-memory r: too-many-prs label, and then close the App-authored PR for the exact limit this commit meant to skip.

What ClawSweeper Is Fixing

  • Medium: Barnacle can still close App-authored PRs when stale limit-label removal races (regression)
    • File: scripts/github/barnacle-auto-response.mjs:986
    • Evidence: The new App-author path calls removeLabels(...) at scripts/github/barnacle-auto-response.mjs:986, but removeLabels only deletes from labelSet after a successful API removal and ignores 404s without clearing the local set at scripts/github/barnacle-auto-response.mjs:799. The Labeler workflow now also removes the same stale label for bot/App authors at .github/workflows/labeler.yml:299, so both workflows can race on the same pull_request_target event. I reproduced this with a focused harness where removeLabel throws 404 for a renovate[bot] PR whose event payload includes r: too-many-prs; Barnacle attempted removal twice, then created the “more than 10 active PRs” close comment and closed the PR.
    • Impact: GitHub App-authored PRs can still be auto-closed by Barnacle if Labeler removes the stale limit label first. This undermines the commit’s intended exemption and can disrupt bot/App PR queues on synchronize, edited, or reopened events with a stale label in the webhook payload.
    • Suggested fix: When the code has decided a label should be treated as absent, delete it from labelSet even if GitHub returns 404. A small targeted test should simulate removeLabel returning 404 for an App-authored PR with r: too-many-prs and assert no comment/update happens.
    • Confidence: high

Expected Repair Surface

  • scripts/github/barnacle-auto-response.mjs
  • .github/workflows/labeler.yml
  • test/scripts/barnacle-auto-response.test.ts

Source And Review Context

Expected validation

  • pnpm check:changed

ClawSweeper already ran:

  • pnpm docs:list
  • git diff --check 5a3b75de33dda11de7931686264ecf86df93de2d..ef799fd57a77ff34eba85cae283267fb98543ad4
  • pnpm install
  • pnpm test test/scripts/barnacle-auto-response.test.ts passed: 19 tests
  • pnpm exec oxfmt --check --threads=1 scripts/github/barnacle-auto-response.mjs test/scripts/barnacle-auto-response.test.ts passed
  • pnpm check:workflows passed

Known review limits:

  • No full CI/Testbox run; this was a focused commit review.
  • pnpm exec actionlint .github/workflows/labeler.yml was unavailable directly, so I used the repo wrapper pnpm check:workflows, which installs/runs the pinned actionlint path.

ClawSweeper Guardrails

  • Re-check the finding against latest main before changing code.
  • Keep the patch to the narrowest behavior change and matching regression coverage.
  • Do not merge automatically; this PR stays for maintainer review.

ClawSweeper 🐠 replacement reef notes:

  • Cluster: clawsweeper-commit-openclaw-openclaw-ef799fd57a77
  • Source PRs: none
  • Credit: Detected by ClawSweeper commit review for ef799fd.; Original commit author: Shadow.
  • Validation: pnpm check:changed

fish notes: model gpt-5.5, reasoning medium; reviewed against 97ba924.

clawsweeper Bot added the clawsweeper (Tracked by ClawSweeper automation) and clawsweeper:commit-finding (PR created from a ClawSweeper commit finding) labels Apr 30, 2026
openclaw-barnacle Bot added the scripts (Repository scripts) and size: XS labels Apr 30, 2026
@thewilloftheshadow
Member

/clawsweeper automerge

clawsweeper Bot added the clawsweeper:automerge (Maintainer opted this PR into bounded ClawSweeper-reviewed automerge) label May 1, 2026
@clawsweeper
Contributor Author

clawsweeper Bot commented May 1, 2026

🦞🦞
ClawSweeper automerge is enabled for this PR.

I added clawsweeper:automerge and asked ClawSweeper to review this head. If ClawSweeper emits a repair marker or requests changes, I will repair/rebase the branch and ask for another review, up to the configured round limit.

Draft PRs stay fix-only until GitHub marks them ready for review. A maintainer can pause this with /clawsweeper stop.

@clawsweeper
Contributor Author

clawsweeper Bot commented May 1, 2026

Codex review: passed for ClawSweeper automerge.

What this changes:

The PR updates Barnacle’s label-removal helper to clear the in-memory label set even when GitHub returns 404 and adds a regression test for GitHub App PRs with stale active-PR-limit labels.

Automerge follow-up:

No repair job is needed; this automerge-opted PR has no review findings and should be handled by exact-head mergeability and CI gates.

Security review:

Security review cleared: The diff only changes Barnacle’s in-memory label cache behavior and a unit-test mock; it does not add dependencies, action refs, permissions, secrets handling, package publishing, downloads, or artifact execution.

Review details

Best possible solution:

Land the narrow helper change with the regression test so Barnacle’s local label state matches the intended absent-label state after 404-tolerant removals, then let the existing automerge/CI gates handle the exact PR head.

Do we have a high-confidence way to reproduce the issue?

Yes. A focused harness can reproduce the current-main bug by simulating a GitHub App-authored PR whose webhook payload includes stale r: too-many-prs while issues.removeLabel returns 404; current main keeps the label in memory and reaches the close rule, and the PR adds that regression case.

Is this the best way to solve the issue?

Yes. Moving the in-memory delete outside the successful API-removal branch is the narrowest maintainable fix because the current removeLabels callers all use it to make r: too-many-prs absent, and a 404 from GitHub already means the remote label is absent.

What I checked:

  • Current-main stale label path: On current main, removeLabels deletes from labelSet only after a successful issues.removeLabel; a 404 is ignored while leaving the stale label in memory. The GitHub App PR path calls this helper, and the later generic rule block still comments and closes when r: too-many-prs remains in the set. (scripts/github/barnacle-auto-response.mjs:799, 52bf20b07d6e)
  • Competing Labeler removal: The Labeler workflow also removes r: too-many-prs for Bot/app authors and ignores 404s, so it can win the API race before Barnacle processes a webhook payload that still contains the stale label. (.github/workflows/labeler.yml:299, 52bf20b07d6e)
  • PR patch behavior: The PR moves labelSet.delete(label) after the 404-tolerant removal attempt, so a label Barnacle intended to remove is treated as absent even when GitHub reports it was already gone. (scripts/github/barnacle-auto-response.mjs:808, 97ba9245149a)
  • Regression coverage: The PR extends the Barnacle test helper to throw a 404 for configured label removals and adds a GitHub App-authored PR regression test asserting no close comment or close update occurs when r: too-many-prs removal returns 404. (test/scripts/barnacle-auto-response.test.ts:526, 97ba9245149a)
  • Remote PR state and checks: GitHub API reported the PR open, non-draft, mergeable clean at head 97ba9245149a1afa0da69123479b2b2c82d0ccfd; check-run filtering found no runs with conclusions outside success, skipped, or cancelled. (97ba9245149a)
  • Feature history: Blame and commit history show ef799fd57a77ff34eba85cae283267fb98543ad4 added the App active-limit exemption in Barnacle and Labeler, while 44ad65f02bbd6947d6dedae397228dcca1518f64 introduced the Barnacle script/test surface including removeLabels. (scripts/github/barnacle-auto-response.mjs:799, 52bf20b07d6e)

Likely related people:

  • @thewilloftheshadow: ef799fd57a77ff34eba85cae283267fb98543ad4, authored as Shadow, added the GitHub App/Bot active-PR-limit exemption in both Barnacle and Labeler; the PR discussion also includes this maintainer enabling ClawSweeper automerge. (role: introduced App active-limit exemption and maintainer reviewer; confidence: high; commits: ef799fd57a77; files: .github/workflows/labeler.yml, scripts/github/barnacle-auto-response.mjs, test/scripts/barnacle-auto-response.test.ts)
  • Peter Steinberger: Current checkout blame shows 44ad65f02bbd6947d6dedae397228dcca1518f64 introduced scripts/github/barnacle-auto-response.mjs, test/scripts/barnacle-auto-response.test.ts, the active-limit rule, and the original removeLabels helper behavior. (role: introduced Barnacle helper and test surface; confidence: medium; commits: 44ad65f02bbd; files: scripts/github/barnacle-auto-response.mjs, test/scripts/barnacle-auto-response.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 52bf20b07d6e.
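
The race described in this thread, reduced to a runnable sketch (an added example, not the project's code): the 404-tolerant helper as the review describes it on current main, next to the fixed ordering. `makeRacedClient`, `handlePullRequest`, the two helper names and the payload shape are hypothetical; only `removeLabels`, `labelSet`, `issues.removeLabel` and the `r: too-many-prs` label come from the page.

```javascript
// Added illustration, not the project's code; helper and payload names are hypothetical.
const LIMIT_LABEL = "r: too-many-prs";

// Constructed stand-in for the GitHub client: a concurrent workflow already
// removed the label, so every removal attempt is answered with a 404.
function makeRacedClient() {
  const calls = [];
  return {
    calls,
    issues: {
      async removeLabel({ name }) {
        calls.push(name);
        throw Object.assign(new Error("Not Found"), { status: 404 });
      },
    },
  };
}

// Ordering described for current main: the local delete runs only on API success.
async function removeLabelsStale(client, labelSet, labels) {
  for (const name of labels) {
    try {
      await client.issues.removeLabel({ name });
      labelSet.delete(name);
    } catch (err) {
      if (err.status !== 404) throw err; // 404 swallowed, labelSet left stale
    }
  }
}

// Ordering described for the fix: a 404 means "already absent", so the local
// set is cleared either way; any other error still propagates.
async function removeLabelsFixed(client, labelSet, labels) {
  for (const name of labels) {
    try {
      await client.issues.removeLabel({ name });
    } catch (err) {
      if (err.status !== 404) throw err;
    }
    labelSet.delete(name);
  }
}

// Simplified handler: exempt bot/App authors, then apply the generic close rule.
async function handlePullRequest(removeLabels, payload) {
  const client = makeRacedClient();
  const labelSet = new Set(payload.labels); // webhook snapshot, may be stale
  if (payload.authorType === "Bot") await removeLabels(client, labelSet, [LIMIT_LABEL]);
  return { closed: labelSet.has(LIMIT_LABEL), apiCalls: client.calls.length };
}
```

With the stale ordering the App-authored PR is still closed after the 404; with the fixed ordering it is not, while a user-authored PR carrying the label is closed in both cases.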

@vincentkoc vincentkoc merged commit e47a744 into main May 1, 2026
82 of 86 checks passed
@vincentkoc vincentkoc deleted the clawsweeper/clawsweeper-commit-openclaw-openclaw-ef799fd57a77 branch May 1, 2026 00:10
lxe pushed a commit to lxe/openclaw that referenced this pull request May 6, 2026
)

Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 9, 2026
)

Co-authored-by: openclaw-clawsweeper[bot] <280122609+openclaw-clawsweeper[bot]@users.noreply.github.com>