chore: revert dependency guard backfill machinery #87867

Merged: RomneyDa merged 3 commits into main from codex/remove-dependency-guard-backfill-label on May 29, 2026

RomneyDa (Member) commented May 29, 2026

Summary

Cleanly revert the two temporary dependency guard backfill PRs after the required-check backfill window is done:

After this lands, Dependency Guard returns to normal PR lifecycle events only:

  • opened
  • reopened
  • synchronize
  • ready_for_review

Verification

  • git diff --check
  • Parsed dependency guard, auto-response, ClawSweeper dispatch, and real behavior proof workflow YAML files.

@RomneyDa RomneyDa requested a review from a team as a code owner May 29, 2026 03:20
@openclaw-barnacle openclaw-barnacle Bot added size: XS maintainer Maintainer-authored PR labels May 29, 2026
clawsweeper Bot (Contributor) commented May 29, 2026

Codex review: needs maintainer review before merge. Reviewed May 29, 2026, 1:42 AM ET / 05:42 UTC.

Summary
This PR reverts the temporary dependency-guard-backfill label trigger plus the paired workflow/test guards, returning Dependency Guard to normal PR lifecycle events.

PR surface: Tests -40, Config -17. Total -57 across 5 files.

Reproducibility: not applicable; this is workflow cleanup rather than a bug report. Source inspection confirms the PR removes the temporary label-based backfill path and matching sibling workflow exclusions.

Review metrics: 1 noteworthy metric.

  • Workflow trigger cleanup: 1 pull_request_target activity removed; 3 backfill label exclusions removed. This is the operational surface maintainers need to confirm before the temporary backfill path disappears.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Confirm the dependency-guard backfill batch is complete or intentionally abandoned before merge.

Risk before merge

  • [P1] If the required-check backfill batch has not completed or been intentionally abandoned, removing the only dependency-guard-backfill label trigger leaves older PRs without this low-churn way to create the required Dependency Guard check.
  • [P1] After this lands, future add/remove operations for the backfill label will again wake Auto response, ClawSweeper Dispatch, and Real behavior proof; that is acceptable only if maintainers no longer plan to use that label at scale.

Maintainer options:

  1. Confirm backfill completion before merge (recommended)
    Record that the frozen backfill batch is complete or intentionally abandoned, then land the workflow cleanup.
  2. Pause while the label is still needed
    Keep the temporary trigger and sibling workflow exclusions until maintainers no longer need dependency-guard-backfill for old PRs.
  3. Accept immediate automation cleanup
    Maintainers can intentionally land now if they are comfortable ending the label-based backfill path immediately.

Next step before merge

  • [P2] Needs maintainer confirmation of backfill completion or abandonment; there is no narrow automated code repair to queue.

Security
Cleared: The diff touches workflow automation but removes a temporary trigger and exclusions without adding new actions, permissions, secret exposure, or untrusted checkout paths.

Review details

Best possible solution:

Land the cleanup after maintainers record that the backfill window is complete or abandoned; otherwise keep the temporary trigger and exclusions until the batch is done.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is workflow cleanup rather than a bug report. Source inspection confirms the PR removes the temporary label-based backfill path and matching sibling workflow exclusions.

Is this the best way to solve the issue?

Yes for the intended cleanup once the temporary window is over. The remaining question is operational timing, not a code repair.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9d49299d67e.

Label changes:

  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a maintainer-authored workflow cleanup, so the external contributor real-behavior-proof gate does not apply.
  • remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
  • remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

  • P3: This is a low-risk maintainer workflow cleanup, not a user-facing runtime regression.
  • merge-risk: 🚨 automation: Merging changes which GitHub workflows run for dependency-guard-backfill label events and removes the temporary required-check backfill trigger.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a maintainer-authored workflow cleanup, so the external contributor real-behavior-proof gate does not apply.

Evidence reviewed

PR surface:

Tests -40, Config -17. Total -57 across 5 files.

PR surface stats:

Area       Files  Added  Removed  Net
Source     0      0      0        0
Tests      1      0      40       -40
Docs       0      0      0        0
Config     4      5      22       -17
Generated  0      0      0        0
Other      0      0      0        0
Total      5      5      62       -57

What I checked:

  • PR branch removes the Dependency Guard backfill trigger: The proposed head removes labeled from the Dependency Guard pull_request_target activity list and reduces the job condition to the draft gate. (.github/workflows/dependency-guard.yml:5, 3cd95f6910b8)
  • PR branch keeps the bot-label filter while removing the backfill exception: The proposed ClawSweeper Dispatch condition no longer special-cases dependency-guard-backfill, but it preserves the general bot label/unlabel suppression. (.github/workflows/clawsweeper-dispatch.yml:27, 3cd95f6910b8)
  • Current main still contains the temporary machinery: Current main still has the dependency-guard-backfill label path in Dependency Guard and sibling workflow exclusions in Auto response, ClawSweeper Dispatch, and Real behavior proof. (.github/workflows/dependency-guard.yml:5, e9d49299d67e)
  • Temporary sibling exclusions provenance: The sibling workflow exclusions were introduced by the merged temporary isolation change referenced from this PR. (.github/workflows/clawsweeper-dispatch.yml:27, 21b33bd04df2)
  • Temporary Dependency Guard trigger provenance: The label-trigger backfill path was introduced by the merged temporary backfill-trigger change referenced from this PR. (.github/workflows/dependency-guard.yml:5, 5a6472718da9)
  • Protected maintainer context: The GitHub context marks the PR author association as MEMBER and includes the maintainer label, so this review should not auto-close it.

Likely related people:

  • RomneyDa: Authored the merged temporary Dependency Guard backfill trigger and sibling isolation changes that this PR reverts, and authored the current cleanup branch. (role: recent area contributor; confidence: high; commits: 5a6472718da9, 21b33bd04df2, 12de159e47a8; files: .github/workflows/dependency-guard.yml, .github/workflows/auto-response.yml, .github/workflows/clawsweeper-dispatch.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added labels May 29, 2026:
  • rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
  • P3 (Low-priority cleanup, docs, polish, ergonomics, or speculative work.)
  • merge-risk: 🚨 automation (🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation.)
Base automatically changed from codex/dependency-guard-backfill-label to main May 29, 2026 03:26
@RomneyDa RomneyDa marked this pull request as draft May 29, 2026 03:26
@clawsweeper clawsweeper Bot added and removed labels May 29, 2026:
  • added rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
  • added status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.)
  • removed rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • removed status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
@RomneyDa RomneyDa force-pushed the codex/remove-dependency-guard-backfill-label branch from 801dc34 to 17423b2 May 29, 2026 04:17
@RomneyDa RomneyDa changed the base branch from main to codex/skip-backfill-label-side-effects May 29, 2026 04:17
Base automatically changed from codex/skip-backfill-label-side-effects to main May 29, 2026 04:21
@clawsweeper clawsweeper Bot added and removed labels May 29, 2026:
  • added rating: 🦐 gold shrimp (Decent PR readiness signal, but merge confidence is limited.)
  • removed rating: 🧂 unranked krab (Not merge-ready due to missing proof or serious correctness/safety concerns.)
@RomneyDa RomneyDa force-pushed the codex/remove-dependency-guard-backfill-label branch from 17423b2 to d370aed May 29, 2026 05:22
@RomneyDa RomneyDa changed the title from "Remove dependency guard backfill label trigger" to "Revert dependency guard backfill machinery" May 29, 2026
@RomneyDa RomneyDa marked this pull request as ready for review May 29, 2026 05:22
@RomneyDa RomneyDa force-pushed the codex/remove-dependency-guard-backfill-label branch from d370aed to a82c0da May 29, 2026 05:24
@RomneyDa RomneyDa force-pushed the codex/remove-dependency-guard-backfill-label branch from a82c0da to 5a2f1f2 May 29, 2026 05:30
@RomneyDa RomneyDa changed the title from "Revert dependency guard backfill machinery" to "chore: rvert dependency guard backfill machinery" May 29, 2026
@RomneyDa RomneyDa changed the title from "chore: rvert dependency guard backfill machinery" to "chore: revert dependency guard backfill machinery" May 29, 2026

RomneyDa (Member, Author) commented:

Additional context for this revert: the label-based backfill approach did not work as intended.

The dependency-guard-backfill label can trigger workflows, but the required check still depends on the workflow/script existing in the code GitHub evaluates for that PR. Older PRs whose effective workflow revision does not include the dependency guard script fail instead of producing the desired backfill check. Example: https://github.com/openclaw/openclaw/actions/runs/26618426362/job/78438946410?pr=86826

So this PR reverts the temporary backfill machinery rather than keeping a label path that creates noisy failures for old PRs.

@clawsweeper clawsweeper Bot added and removed labels May 29, 2026:
  • added rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.)
  • added status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.)
  • removed rating: 🦐 gold shrimp (Decent PR readiness signal, but merge confidence is limited.)
  • removed status: ⏳ waiting on author (ClawSweeper has contributor-facing work open and is waiting for author action.)
@RomneyDa RomneyDa merged commit cdeafd1 into main May 29, 2026
104 of 107 checks passed
@RomneyDa RomneyDa deleted the codex/remove-dependency-guard-backfill-label branch May 29, 2026 05:51
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 30, 2026
* Revert "ci: isolate dependency guard backfill label (openclaw#87882)"

This reverts commit c5b609e.

* Revert "ci: add dependency guard backfill label trigger (openclaw#87866)"

This reverts commit 019c776.

* ci: preserve clawsweeper bot label filter
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
* Revert "ci: isolate dependency guard backfill label (openclaw#87882)"

This reverts commit 21b33bd.

* Revert "ci: add dependency guard backfill label trigger (openclaw#87866)"

This reverts commit 5a64727.

* ci: preserve clawsweeper bot label filter
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
* Revert "ci: isolate dependency guard backfill label (openclaw#87882)"

This reverts commit 0d3f9c4.

* Revert "ci: add dependency guard backfill label trigger (openclaw#87866)"

This reverts commit 663f39e.

* ci: preserve clawsweeper bot label filter
Labels

maintainer Maintainer-authored PR merge-risk: 🚨 automation 🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation. P3 Low-priority cleanup, docs, polish, ergonomics, or speculative work. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. size: S status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.
