Audience: engineers running an OpenClaw gateway on a remote Mac who want GitHub Check Suite hooks to drive lockfile scans and build summaries with narrow tokens. Use docs.openclaw.ai, openclaw doctor, and loopback binds behind TLS—no public admin port. See multi-endpoint CI summaries, gateway health LaunchAgent, help (public, no login).
  • Webhook noise: push storms fire while you only need terminal check_suite rows on protected branches.
  • Token bloat: repo scope when Contents read plus Metadata suffices for shallow lock inspection.
  • Workspace fights: shared clone dirs yield dirty diffs and false lockfile alerts.

① Gateway baseline: Node, docs.openclaw.ai, doctor, loopback bind

Install Node 22 LTS or newer for the launchd user. Install OpenClaw via curl or npm install -g openclaw, run openclaw onboard, then openclaw doctor clean.

Per docs.openclaw.ai, bind the gateway to 127.0.0.1, terminate TLS on nginx or Caddy, forward only GitHub-facing paths. Store tokens in ~/.config/openclaw/*.env mode 600; reload launchctl and match PATH to the shell where doctor passed.

GitHub signal When it helps Filter tip
check_suite You already run Checks API jobs and want one callback per suite completion Require action == completed and map head_branch to an allow list
workflow_run You need workflow names, conclusions, or artifacts metadata in the payload Match conclusion success or failure only; ignore in-progress noise
repository_dispatch Mac-side job finished and must wake a thin GitHub Actions wrapper Use typed event_type values; verify HMAC on custom relays

Loopback rule. GitHub hits the proxy hostname, the proxy speaks HTTP to 127.0.0.1 on the Mac, OpenClaw never owns a public bind. Pair with firewall rules that drop stray WAN probes.

When you need always-on probes, mirror the health checks from our LaunchAgent health daemon article so launchd restarts the gateway before GitHub redeliveries stack up.

② Repository webhook, event filtering, and minimal tokens

Settings → Webhooks: application/json, strong Secret, only needed events—usually check_suite; add workflow_run if you need workflow names in payload.

Receiver: allow list X-GitHub-Event, verify X-Hub-Signature-256, log delivery IDs, map check_suite.head_sha to the commit under test.

1
Prove doctor clean. Run openclaw doctor as the daemon user after every Node upgrade.
2
Start gateway on loopback. Hit the documented health URL locally before opening the reverse proxy.
3
Register webhook + secret. Store the secret beside other OpenClaw env files with chmod 600.
4
Filter events. Ignore anything where action is not terminal or branch is not protected.
5
End-to-end probe. Redeliver a sample payload from GitHub UI and confirm your handler wrote structured logs.
export HOOK_SECRET="$(tr -d '\n' < ~/.config/openclaw/github-hook.secret)"
# verify X-Hub-Signature-256 with HOOK_SECRET, then enqueue work with a unique JOB_ID
# reject replayed deliveries by caching the X-GitHub-Delivery header briefly

Fine-grained PAT: Contents read plus Metadata read on the target repo; omit Actions or Workflows unless you mutate YAML. Classic PATs with repo are easier but violate least privilege—prefer fine-grained with short expiry. Rotate within hours of any leak.

③ Workdir isolation and lockfile diff scan

Per delivery use /var/lib/openclaw/check-jobs/$DELIVERY_ID (or similar): fresh git clone --depth 1 at payload SHA, no shared mutable trees.

Diff package-lock.json, pnpm-lock.yaml, Gemfile.lock, Cargo.lock, gradle.lockfile against a scheduled snapshot of the default branch; emit compact markdown.

Optional: REST blob fetch with the read-only token; serialize per repo for rate limits. Always delete workdirs after run on shared remote Mac pools. Harden the staging parent with chmod 700 and watch free disk weekly.

④ Build summary callback, retries, and OpenClaw hooks

Post summaries via GITHUB_STEP_SUMMARY, a documented OpenClaw inbound JSON hook, or repository_dispatch to a thin workflow.

Three tries, backoff two four eight seconds, curl --max-time 25, log status plus x-github-request-id. More ops context: gateway hardening, build node guide.

⑤ Common error FAQ

HTTP 401 from GitHub

Expired fine-grained token or missing Contents read. Regenerate, refresh the 600 env file, reload launchd, curl as the daemon user.

Delivery 200, handler idle

Proxy dropped signature headers or JSON failed before filters. Redact logs and replay one payload with local curl.

openclaw doctor after OS upgrade

Pin absolute NODE_BINARY in the plist; rerun onboard.

Lockfile diff flaps

Serialize jobs per repo so clones never overlap.

Summary

Order of operations: doctor, loopback gateway, filtered webhooks, disposable workdirs, summary channel. Stays stable under load.

Home, purchase, help, blog—browse without signing in.

MacPull remote Mac hosting keeps OpenClaw gateways on stable Apple Silicon with hardened TLS fronts for GitHub-driven automation.

Remote Mac for OpenClaw + GitHub Check automation

Mac Mini nodes for OpenClaw, reproducible docs.openclaw.ai setups, loopback-friendly GitHub webhooks. Home, Purchase, Help, Blog—no login required.

Home Purchase Help Blog