docs(gittensor): add impact badge, CI card job, and contributing disclosure#4086
Conversation
…losure Gittensory is itself a Gittensor-listed repo. Adds the live api.gittensor.io impact badge to the README badge row, a short Gittensor-listing disclosure to CONTRIBUTING.md, and a scheduled workflow that refreshes a fuller SVG contributor-impact card via matthewevans/gittensor-impact-action (pinned to a commit SHA, contents:write scoped to just that job). The bigger rendered picture-card isn't wired into the README yet since its release assets don't exist until the workflow runs once post-merge — a follow-up once that's confirmed working.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4086 +/- ##
=======================================
Coverage 93.64% 93.64%
=======================================
Files 384 384
Lines 35835 35835
Branches 13150 13150
=======================================
Hits 33556 33556
Misses 1618 1618
Partials 661 661 🚀 New features to boost your workflow:
|
Superagent flagged the workflow-level contents:write as broad for a third-party action from a repo with limited track record (~1.5 days old). Move it to the one job that actually needs it and default the workflow itself to read, so a future second job in this file doesn't silently inherit write access.
Superagent's finding wanted both mitigations: job-scoped permissions (previous commit) and a protected environment. Gate the job behind the new gittensor-impact GitHub Environment (required reviewer: JSONbored) so a run of this ~1.5-day-old third-party action needs a manual approval click every time, on top of the existing commit-SHA pin.
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-08 00:30:43 UTC
⏸️ Suggested Action - Manual Review
Review summary Blockers
Nits — 5 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Summary
api.gittensor.ioimpact badge to the top README badge row, linking to the repo's Gittensor dashboard.CONTRIBUTING.mdnoting the repo is Gittensor-listed and that scoring/rewards are Gittensor's, not ours (mirrors the existing "Scoring and rewards are not ours to grant" paragraph right above it)..github/workflows/gittensor-impact.yml, a weekly + manually-dispatchable job that publishes a fuller SVG contributor-impact card (Gittensor vs. non-Gittensor PR/LOC share) viamatthewevans/gittensor-impact-action, pinned to commit SHA397fd470899cba47367458289a374eea9cb0d76a(not a floating tag) withcontents: writescoped to just that job.Security review of the action (all 4 of its Python scripts): zero third-party pip deps, no shell-injection-prone subprocess calls (list-form args throughout), one outbound GET to
api.gittensor.iowrapped in try/except with graceful degradation, HTML-escaped SVG text output, tokens never logged,gh release create ... --latest=falseso it never hijacks the repo's real "Latest release". Caveat: the action repo is ~1.5 days old (7 commits, 2 contributors) — young, but the code itself is clean and narrowly scoped.The bigger rendered picture-card is intentionally not wired into the README yet — its release assets don't exist until the workflow runs once post-merge, and a dead image link is worse than not having it yet. Planned as a fast-follow once the first scheduled/dispatched run is confirmed to have published the SVGs.
Scope
type(scope): short summaryConventional Commit format.CONTRIBUTING.mdand does not reintroduce GitHub Pages, VitePress,site/, orCNAME.Validation
git diff --checknpm run actionlintnpm run typechecknpm run test:coverage— not applicable, nosrc/**lines changed (README/CONTRIBUTING/workflow only, not Codecov-measured)npm run test:workers— not applicable, no worker code changednpm run build:mcp/npm run test:mcp-pack— not applicable, no MCP code changednpm run ui:openapi:checknpm run ui:lintnpm run ui:typechecknpm run ui:buildnpm audit --audit-level=moderateFull
npm run test:ciran green once already on this branch before rebasing onto latestmain(which only moved by unrelatedfix(review): ...commits); re-ranactionlint+typecheckafter the rebase to confirm.If any required check was skipped, explain why:
README.md,CONTRIBUTING.md, and one new declarative GitHub Actions workflow file, nosrc/**/packages/**code.Safety
UI Evidencesection — not applicable; the only visible change is a new badge image inREADME.md(a static markdown link, not an app UI surface).