Codex/fix readme video links (#76)

* fix(readme): use github-safe demo previews and links

* fix(readme): use only github-hosted demo links

* fix(wiki): map wiki root to index

* feat(readme): add lightweight animated gif demo previews

* refactor(wiki): generate Home from INDEX during sync

* fix(ci): remove github token write scopes in workflows

* chore(ci): use existing poll token for write automation

.github/workflows/community-advisory.yml

@@ -20,10 +20,6 @@ jobs:
   process-advisory:
     if: github.event.label.name == 'advisory-approved'
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -244,12 +240,21 @@ jobs:
         if: steps.parse.outputs.already_exists != 'true'
         run: cp "$FEED_SIG_PATH" "$SKILL_FEED_SIG_PATH"
 
+      - name: Require automation token for write operations
+        env:
+          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
+        run: |
+          if [ -z "$AUTOMATION_TOKEN" ]; then
+            echo "::error::Set POLL_NVD_CVES_PAT with repo write permissions."
+            exit 1
+          fi
+
       - name: Create Pull Request
         if: steps.parse.outputs.already_exists != 'true'
         id: create-pr
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.POLL_NVD_CVES_PAT }}
           branch: automated/community-advisory-${{ github.event.issue.number }}
           delete-branch: true
           title: "chore: add community advisory ${{ steps.parse.outputs.advisory_id }}"
@@ -278,6 +283,7 @@ jobs:
         if: steps.parse.outputs.already_exists != 'true'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
+          github-token: ${{ secrets.POLL_NVD_CVES_PAT }}
           script: |
             const advisoryId = '${{ steps.parse.outputs.advisory_id }}';
             const pullRequestUrl = '${{ steps.create-pr.outputs.pull-request-url }}';
@@ -303,6 +309,7 @@ jobs:
         if: steps.parse.outputs.already_exists == 'true'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
+          github-token: ${{ secrets.POLL_NVD_CVES_PAT }}
           script: |
             const advisoryId = '${{ steps.parse.outputs.advisory_id }}';
             await github.rest.issues.createComment({

.github/workflows/poll-nvd-cves.yml

@@ -29,10 +29,6 @@ env:
 jobs:
   poll-and-update:
     runs-on: ubuntu-latest
-    permissions:
-      actions: write
-      contents: write
-      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -658,12 +654,22 @@ jobs:
           git checkout -- .github/ 2>/dev/null || true
           git clean -fd .github/ 2>/dev/null || true
 
+      - name: Require automation token for PR operations
+        if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
+        env:
+          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
+        run: |
+          if [ -z "$AUTOMATION_TOKEN" ]; then
+            echo "::error::Set POLL_NVD_CVES_PAT with repo/workflow write permissions."
+            exit 1
+          fi
+
       - name: Create Pull Request
         if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
         id: create-pr
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.POLL_NVD_CVES_PAT }}
           branch: automated/nvd-cve-update-${{ github.run_id }}
           delete-branch: true
           title: "chore: CVE advisories - ${{ steps.transform.outputs.new_count }} new, ${{ steps.updates.outputs.update_count }} updated"
@@ -693,7 +699,7 @@ jobs:
       - name: Run CodeQL on generated PR branch
         if: steps.create-pr.outputs.pull-request-number != ''
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
         run: |
           set -euo pipefail
 

.github/workflows/skill-release.yml

@@ -540,7 +540,7 @@ jobs:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
     outputs:
       skill_name: ${{ steps.parse.outputs.skill_name }}
       version: ${{ steps.parse.outputs.version }}
@@ -877,6 +877,15 @@ jobs:
             } >> $GITHUB_OUTPUT
           fi
 
+      - name: Require automation token for release publishing
+        env:
+          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
+        run: |
+          if [ -z "$AUTOMATION_TOKEN" ]; then
+            echo "::error::Set POLL_NVD_CVES_PAT with repo write permissions."
+            exit 1
+          fi
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
@@ -936,7 +945,7 @@ jobs:
           draft: false
           prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
 
       - name: Delete superseded releases
         run: |
@@ -973,7 +982,7 @@ jobs:
 
           echo "Superseded release cleanup complete"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
 
   publish-clawhub:
     # Separate job for ClawHub publishing - runs after GitHub release

.github/workflows/wiki-sync.yml

@@ -7,8 +7,7 @@ on:
       - 'wiki/**'
   workflow_dispatch:
 
-permissions:
-  contents: write
+permissions: read-all
 
 concurrency:
   group: wiki-sync
@@ -23,7 +22,7 @@ jobs:
 
       - name: Sync wiki folder to repository wiki
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
         run: |
           set -euo pipefail
 
@@ -32,7 +31,20 @@ jobs:
             exit 1
           fi
 
-          WIKI_REMOTE="https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.wiki.git"
+          if [ -z "$AUTOMATION_TOKEN" ]; then
+            echo "::error::Set POLL_NVD_CVES_PAT with repo write permissions."
+            exit 1
+          fi
+
+          # GitHub Wiki root (/wiki) renders Home.md, not INDEX.md.
+          # INDEX.md is the canonical source; generate Home.md from it.
+          if [ ! -f wiki/INDEX.md ]; then
+            echo "::error::wiki/INDEX.md not found. It is required to generate wiki/Home.md."
+            exit 1
+          fi
+          cp wiki/INDEX.md wiki/Home.md
+
+          WIKI_REMOTE="https://x-access-token:${AUTOMATION_TOKEN}@github.com/${{ github.repository }}.wiki.git"
           if ! git ls-remote "$WIKI_REMOTE" >/dev/null 2>&1; then
             echo "::warning::Wiki remote unavailable (repository wiki may be disabled). Skipping sync."
             exit 0

README.md

@@ -98,17 +98,19 @@ Troubleshooting: if you see directories such as `~/.openclaw/workspace/$HOME/...
 
 ### Product Demos
 
+GitHub strips inline `<video>` tags in repository READMEs. The previews below are lightweight animated GIFs (no audio). Click any preview to open the full MP4 with audio.
+
 #### Install Demo (`clawsec-suite`)
 
-<video controls width="360" src="https://raw.githubusercontent.com/prompt-security/clawsec/main/public/video/install-demo.mp4"></video>
+[![Install demo animated preview](public/video/install-demo-preview.gif)](public/video/install-demo.mp4)
 
-Direct link: [install-demo.mp4](https://raw.githubusercontent.com/prompt-security/clawsec/main/public/video/install-demo.mp4)
+Direct link: [install-demo.mp4](public/video/install-demo.mp4)
 
 #### Drift Detection Demo (`soul-guardian`)
 
-<video controls width="960" src="https://raw.githubusercontent.com/prompt-security/clawsec/main/public/video/soul-guardian-demo.mp4"></video>
+[![Drift detection animated preview](public/video/soul-guardian-demo-preview.gif)](public/video/soul-guardian-demo.mp4)
 
-Direct link: [soul-guardian-demo.mp4](https://raw.githubusercontent.com/prompt-security/clawsec/main/public/video/soul-guardian-demo.mp4)
+Direct link: [soul-guardian-demo.mp4](public/video/soul-guardian-demo.mp4)
 
 ---