From 50157f1fe05bda645f67cc2bbe5f45182b7b2c47 Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Tue, 7 Jul 2026 17:00:14 -0700 Subject: [PATCH 1/3] docs(gittensor): add impact badge, CI card job, and contributing disclosure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Gittensory is itself a Gittensor-listed repo. Adds the live api.gittensor.io impact badge to the README badge row, a short Gittensor-listing disclosure to CONTRIBUTING.md, and a scheduled workflow that refreshes a fuller SVG contributor-impact card via matthewevans/gittensor-impact-action (pinned to a commit SHA, contents:write scoped to just that job). The bigger rendered picture-card isn't wired into the README yet since its release assets don't exist until the workflow runs once post-merge — a follow-up once that's confirmed working. --- .github/workflows/gittensor-impact.yml | 23 +++++++++++++++++++++++ CONTRIBUTING.md | 4 ++++ README.md | 1 + 3 files changed, 28 insertions(+) create mode 100644 .github/workflows/gittensor-impact.yml diff --git a/.github/workflows/gittensor-impact.yml b/.github/workflows/gittensor-impact.yml new file mode 100644 index 000000000..c5fa38b60 --- /dev/null +++ b/.github/workflows/gittensor-impact.yml @@ -0,0 +1,23 @@ +name: Gittensor Impact + +on: + workflow_dispatch: + schedule: + - cron: "40 5 * * 1" + +permissions: + contents: write + +concurrency: + group: gittensor-impact + cancel-in-progress: false + +jobs: + publish: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Generate and publish Gittensor impact card + uses: matthewevans/gittensor-impact-action@397fd470899cba47367458289a374eea9cb0d76a # main, 2026-07-06 (#1 per-repo API endpoint) + with: + title: Gittensory diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 346a598d1..1b817c4de 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -61,6 +61,10 @@ a third. the subnet's on-chain hyperparameters and validators, not by this repo. Merging a PR is not a promise of score, ranking, or compensation, and all review decisions are at maintainer discretion and final. +**This repository is itself Gittensor-listed.** PRs merged here by registered miners may earn TAO +under the subnet's own rules — see the badge in `README.md` for a live, aggregate merged-PR/line-count +summary. That eligibility and scoring is Gittensor's, not ours, and does not change the bar above. + ## What We Accept Focused contributions are welcome in these areas: diff --git a/README.md b/README.md index 6ce530072..eb2e9cfe7 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ MCP package License Docs + Gittensor impact

Gittensory is a deterministic control plane for Gittensor OSS contribution work. From beff74c7a0da4e44b5546acdcc672a4aa0ed5611 Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Tue, 7 Jul 2026 17:13:36 -0700 Subject: [PATCH 2/3] ci(gittensor-impact): scope contents:write to the job, not the workflow Superagent flagged the workflow-level contents:write as broad for a third-party action from a repo with limited track record (~1.5 days old). Move it to the one job that actually needs it and default the workflow itself to read, so a future second job in this file doesn't silently inherit write access. --- .github/workflows/gittensor-impact.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gittensor-impact.yml b/.github/workflows/gittensor-impact.yml index c5fa38b60..4623c299e 100644 --- a/.github/workflows/gittensor-impact.yml +++ b/.github/workflows/gittensor-impact.yml @@ -6,7 +6,7 @@ on: - cron: "40 5 * * 1" permissions: - contents: write + contents: read concurrency: group: gittensor-impact @@ -16,6 +16,11 @@ jobs: publish: runs-on: ubuntu-latest timeout-minutes: 10 + # Scoped here rather than at workflow level (defense-in-depth): this is the + # only job that needs write access, to publish SVG assets to the pinned + # `gittensor-impact` release via matthewevans/gittensor-impact-action. + permissions: + contents: write steps: - name: Generate and publish Gittensor impact card uses: matthewevans/gittensor-impact-action@397fd470899cba47367458289a374eea9cb0d76a # main, 2026-07-06 (#1 per-repo API endpoint) From c582d1a80ea5803ba98185f08341516d6af661fa Mon Sep 17 00:00:00 2001 From: JSONbored <49853598+JSONbored@users.noreply.github.com> Date: Tue, 7 Jul 2026 17:18:56 -0700 Subject: [PATCH 3/3] ci(gittensor-impact): require a human approval before the job runs Superagent's finding wanted both mitigations: job-scoped permissions (previous commit) and a protected environment. Gate the job behind the new gittensor-impact GitHub Environment (required reviewer: JSONbored) so a run of this ~1.5-day-old third-party action needs a manual approval click every time, on top of the existing commit-SHA pin. --- .github/workflows/gittensor-impact.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/gittensor-impact.yml b/.github/workflows/gittensor-impact.yml index 4623c299e..eeec34d31 100644 --- a/.github/workflows/gittensor-impact.yml +++ b/.github/workflows/gittensor-impact.yml @@ -21,6 +21,9 @@ jobs: # `gittensor-impact` release via matthewevans/gittensor-impact-action. permissions: contents: write + # matthewevans/gittensor-impact-action is a ~1.5-day-old repo; require a + # human approval before it runs with contents:write, on top of the SHA pin. + environment: gittensor-impact steps: - name: Generate and publish Gittensor impact card uses: matthewevans/gittensor-impact-action@397fd470899cba47367458289a374eea9cb0d76a # main, 2026-07-06 (#1 per-repo API endpoint)