ci: speed up fast security checks

2026-05-06 10:30:44 +00:00 · 2026-04-20 18:46:42 +01:00
parent 537f4689f9
commit 0c75b9ce00
2 changed files with 66 additions and 27 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -319,14 +319,14 @@ jobs:

  # Run the fast security/SCM checks in parallel with scope detection so the
  # main Node jobs do not have to wait for Python/pre-commit setup.
-  security-fast:
+  security-scm-fast:
    permissions:
      contents: read
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-16vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
    timeout-minutes: 20
    env:
-      PRE_COMMIT_CACHE_KEY_SUFFIX: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.sha }}
+      PRE_COMMIT_HOME: .cache/pre-commit-security-fast
    steps:
      - name: Checkout
        uses: actions/checkout@v6
@@ -352,35 +352,22 @@ jobs:
          git show "${BASE_SHA}:.pre-commit-config.yaml" > "$trusted_config"
          echo "PRE_COMMIT_CONFIG_PATH=$trusted_config" >> "$GITHUB_ENV"

-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-          install-deps: "false"
-
      - name: Setup Python
        id: setup-python
        uses: actions/setup-python@v6
        with:
          python-version: "3.12"
-          cache: "pip"
-          cache-dependency-path: |
-            pyproject.toml
-            .pre-commit-config.yaml
-            .github/workflows/ci.yml

      - name: Restore pre-commit cache
        uses: actions/cache@v5
        with:
-          path: ~/.cache/pre-commit
-          key: pre-commit-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}-${{ env.PRE_COMMIT_CACHE_KEY_SUFFIX }}
+          path: .cache/pre-commit-security-fast
+          key: pre-commit-security-fast-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
-            pre-commit-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}-
+            pre-commit-security-fast-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-

      - name: Install pre-commit
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install pre-commit==4.2.0
+        run: python -m pip install --disable-pip-version-check pre-commit==4.2.0

      - name: Detect committed private keys
        run: pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" --all-files detect-private-key
@@ -412,8 +399,58 @@ jobs:
          printf 'Auditing workflow files:\n%s\n' "${workflow_files[@]}"
          pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" zizmor --files "${workflow_files[@]}"

+  security-dependency-audit:
+    permissions:
+      contents: read
+    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
+    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-16vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+          fetch-tags: false
+          persist-credentials: false
+          submodules: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24.x"
+          check-latest: false
+
      - name: Audit production dependencies
-        run: pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" --all-files pnpm-audit-prod
+        run: node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
+
+  security-fast:
+    permissions: {}
+    needs: [security-scm-fast, security-dependency-audit]
+    if: always() && (github.event_name != 'pull_request' || !github.event.pull_request.draft)
+    runs-on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-16vcpu-ubuntu-2404' || 'ubuntu-24.04' }}
+    timeout-minutes: 5
+    steps:
+      - name: Verify fast security jobs
+        env:
+          DEPENDENCY_AUDIT_RESULT: ${{ needs.security-dependency-audit.result }}
+          SCM_RESULT: ${{ needs.security-scm-fast.result }}
+        run: |
+          set -euo pipefail
+          failed=0
+
+          for result in \
+            "security-scm-fast=${SCM_RESULT}" \
+            "security-dependency-audit=${DEPENDENCY_AUDIT_RESULT}"
+          do
+            job="${result%%=*}"
+            status="${result#*=}"
+            if [ "$status" != "success" ]; then
+              echo "::error::${job} ended with ${status}"
+              failed=1
+            fi
+          done
+
+          exit "$failed"

  # Build dist once for Node-relevant changes and share it with downstream jobs.
  # Keep this overlapping with the fast correctness lanes so green PRs get heavy