feat(skills): add release notes maintainer workflow

[ericksoa]

Summary

• Add nemoclaw-maintainer-release-notes, a maintainer skill for drafting and posting NemoClaw release notes from live tag/compare data.
• Capture the release-note workflow used for v0.0.54: three-paragraph narrative, categorized shipped-change bullets, local HTML preview before posting, external-only GitHub username thanks, replay attribution, and no affiliation text.
• Update the skills guide so the new maintainer skill is discoverable and fix the guide counts to match the current skill directories.

Validation

• npx markdownlint-cli2 .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md .agents/skills/nemoclaw-skills-guide/SKILL.md
• git diff --check

Signed-off-by: Aaron Erickson aerickson@nvidia.com

Summary by CodeRabbit

• New Features

  • Added a user-invocable maintainer skill to draft and publish NemoClaw release notes with strict house style, categorized shipped changes, contributor credit rules, preview/draft-by-default behavior, and safeguards against premature posting.

• Documentation

  • Updated maintainer skills guide and skill catalog to reflect an expanded maintainer skill set and revised role skill counts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b17caa62-6516-4d48-84bd-fcc6e59fbfa9

📥 Commits

Reviewing files that changed from the base of the PR and between 4028fd2 and ec02222.

📒 Files selected for processing (1)

• .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md

---

📝 Walkthrough

Walkthrough

This PR adds a user-invocable NemoClaw release-notes skill with an eight-step workflow (tag discovery, change collection, curation, credits, drafting, preview, and GitHub Discussion publication) and updates the skills guide/catalog to include the new skill and expanded maintainer counts.

Changes

Release Notes Skill and Catalog Updates

Layer / File(s)	Summary
Skill metadata, house style, and prerequisites .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Introduces skill metadata (name: nemoclaw-maintainer-release-notes, user_invocable: true), licensing header, and the enforced house style (three lead paragraphs, categorized shipped changes, per-item "why it matters" bullets, external-only contributor thanks, visible #NNNN links). Specifies prerequisites: repo location, gh authentication, existing release tag, live GitHub/remote state.
Tag discovery and shipped changes collection .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Step 1 identifies current and previous release tags, validates peeled commits, and establishes the compare range. Step 2 collects shipped changes via GitHub compare API as the source of truth, augments with live PR metadata, and handles commits without PR numbers.
Inclusion rules, categorization, and contributor credit .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Step 3 defines rules for what to include and phrasing, with constraints on sensitive cleanup and revert-like commits. Step 4 requires each change in exactly one category. Step 5 determines external contributors via live org-member checks, handles replayed PRs, and formats external-only thank-you text.
Narrative drafting and local preview generation .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Step 6 drafts exactly three lead paragraphs with optional theme guidance. Step 7 creates local Markdown draft and HTML preview with suggested output paths, and halts pending user approval to post.
GitHub Discussion publishing and verification .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Step 8 resolves repo and category IDs via GraphQL, checks for existing Discussion to prevent duplicates, creates the Discussion with draft Markdown as body, verifies the live result, and confirms inclusion/omission of affiliations and thanks.
Output specification and hard rules .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md	Output section specifies draft-only runs return file paths and posted runs return Discussion URL, number, and verification summary. Hard rules enforce no premature posting, live GitHub data sources, internal contributor handling, affiliation text constraints, test/revert inclusion logic, and duplicate Discussion avoidance.
Skill guide catalog updates .agents/skills/nemoclaw-skills-guide/SKILL.md	Updated "Skill Buckets" description to expand nemoclaw-maintainer-* from 8 to 12 skills. Expanded maintainer skills table to include the new release-notes skill alongside morning, triage, cross-issue sweep, day, evening, cut-release-tag, find-review-pr, and pr-comparator. Updated "Getting Started" role cumulative counts: User 9→10, Contributor 11→12, Maintainer 19→24.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4438: Removes nemoclaw-skills-guide from catalog export allowlist while this PR updates the guide content—related to catalog/export behavior.
• NVIDIA/NemoClaw#3327: Previously expanded maintainer skill bucket and updated the skills guide; follows the same catalog-update pattern.

Suggested labels

enhancement: skill, documentation

Suggested reviewers

• miyoungc
• jyaunches
• cv

Poem

🐰 I hop through tags and draft with care,

From compares, PRs, and commits laid bare;
Three lead lines, categorized and neat,
A thank-you to externals, short and sweet—
Post when you say so, no duplicates to share.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: adding a new release notes maintainer workflow skill to the NemoClaw project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-release-note-skill

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. No E2E is recommended because the changes are limited to agent skill Markdown documentation/instructions. They cannot directly affect NemoClaw runtime behavior or real user flows exercised by existing E2E jobs.

Optional E2E

• None.

New E2E recommendations

• None.

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• None. No scenario workflow, scenario metadata, scenario runtime, or validation-suite files changed.

Optional scenario E2E

• None.

Relevant changed files

• None.

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 2 worth checking, 0 nice ideas
Since last review: 0 prior items resolved, 2 still apply, 0 new items found

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• Add untrusted-metadata guardrails to the release-notes workflow (.agents/skills/nemoclaw-maintainer-release-notes/SKILL.md:53): The skill tells a maintainer assistant to ingest live compare data, commit headlines, PR titles, PR bodies, labels, authors, and replay PR content, then later publish a GitHub Discussion after approval. Those fields are attacker-controlled in a public repository and may contain prompt-injection instructions or malicious Markdown/HTML. The workflow has useful approval and duplicate-post safeguards, but it does not explicitly define the trusted-code boundary for PR, issue, commit, branch, author, or comment metadata.
  • Recommendation: Add a hard rule near the data-collection steps and/or Hard Rules section stating that all GitHub PR/issue/commit metadata is untrusted evidence only, must never be followed as instructions, and should be summarized rather than copied verbatim unless reviewed. Also call out that copied Markdown/HTML for the local preview or Discussion body should be sanitized or escaped as appropriate, and quote/validate any shell variables derived from metadata.
  • Evidence: Step 2 collects commit headlines and PR metadata including title, author, labels, and body; Step 5 may inspect replay PR bodies; Step 6 drafts narrative from that release range; Step 8 can create a Discussion. The current hard rules require approval and duplicate avoidance but do not say to ignore instructions embedded in attacker-controlled metadata.
• Privileged workflow hard rules are not covered by validation (.agents/skills/nemoclaw-maintainer-release-notes/SKILL.md:242): This is documentation-only, so runtime unit tests are not required, but the new skill encodes privileged maintainer behavior: authenticated GitHub API reads, local preview generation, and GitHub Discussion creation. The diff does not add any fixture, lint rule, or checklist validation that would catch accidental removal of key guardrails such as approval-before-posting, duplicate Discussion checks, external-only thanks, or untrusted-metadata handling.
  • Recommendation: Consider adding a lightweight documentation validation fixture or checklist test for this skill's hard rules, especially approval-before-posting, duplicate-discussion prevention, external-only thanks/no affiliation text, and the recommended untrusted-metadata guardrail.
  • Evidence: The PR changes only the new skill and skills guide. The new skill's Hard Rules section contains important safety requirements, but no changed validation file asserts that these rules remain present.

🌱 Nice ideas

• None.

Since last review details

Current findings:

• Add untrusted-metadata guardrails to the release-notes workflow (.agents/skills/nemoclaw-maintainer-release-notes/SKILL.md:53): The skill tells a maintainer assistant to ingest live compare data, commit headlines, PR titles, PR bodies, labels, authors, and replay PR content, then later publish a GitHub Discussion after approval. Those fields are attacker-controlled in a public repository and may contain prompt-injection instructions or malicious Markdown/HTML. The workflow has useful approval and duplicate-post safeguards, but it does not explicitly define the trusted-code boundary for PR, issue, commit, branch, author, or comment metadata.
  • Recommendation: Add a hard rule near the data-collection steps and/or Hard Rules section stating that all GitHub PR/issue/commit metadata is untrusted evidence only, must never be followed as instructions, and should be summarized rather than copied verbatim unless reviewed. Also call out that copied Markdown/HTML for the local preview or Discussion body should be sanitized or escaped as appropriate, and quote/validate any shell variables derived from metadata.
  • Evidence: Step 2 collects commit headlines and PR metadata including title, author, labels, and body; Step 5 may inspect replay PR bodies; Step 6 drafts narrative from that release range; Step 8 can create a Discussion. The current hard rules require approval and duplicate avoidance but do not say to ignore instructions embedded in attacker-controlled metadata.
• Privileged workflow hard rules are not covered by validation (.agents/skills/nemoclaw-maintainer-release-notes/SKILL.md:242): This is documentation-only, so runtime unit tests are not required, but the new skill encodes privileged maintainer behavior: authenticated GitHub API reads, local preview generation, and GitHub Discussion creation. The diff does not add any fixture, lint rule, or checklist validation that would catch accidental removal of key guardrails such as approval-before-posting, duplicate Discussion checks, external-only thanks, or untrusted-metadata handling.
  • Recommendation: Consider adding a lightweight documentation validation fixture or checklist test for this skill's hard rules, especially approval-before-posting, duplicate-discussion prevention, external-only thanks/no affiliation text, and the recommended untrusted-metadata guardrail.
  • Evidence: The PR changes only the new skill and skills guide. The new skill's Hard Rules section contains important safety requirements, but no changed validation file asserts that these rules remain present.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/skills/nemoclaw-maintainer-release-notes/SKILL.md:
- Line 158: The README line using the macOS-only shell command "open
../nemoclaw-<current-version>-release-note-draft.html" should be made
cross-platform: update SKILL.md to either document platform-specific
alternatives (e.g., "xdg-open" for Linux and "start" for Windows) alongside the
existing "open" example, or replace it with a platform-agnostic invocation
instruction (for example, a short note to use your OS's default file opener or a
simple script that detects OS and runs the appropriate command); reference the
exact text "open ../nemoclaw-<current-version>-release-note-draft.html" so the
change is applied in the same line.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2e67dfb2-8dcd-4c5e-9eb1-1f75b295e9c4

📥 Commits

Reviewing files that changed from the base of the PR and between faa0b8e and 4028fd2.

📒 Files selected for processing (2)

• .agents/skills/nemoclaw-maintainer-release-notes/SKILL.md
• .agents/skills/nemoclaw-skills-guide/SKILL.md