ci(release): trust release branch docker checks

(cherry picked from commit abf0ef9cd3)
This commit is contained in:
Peter Steinberger
2026-04-26 22:35:45 +01:00
parent 16c6a92c53
commit 17094640f8
2 changed files with 18 additions and 1 deletions


@@ -192,6 +192,7 @@ jobs:
env:
GH_TOKEN: ${{ github.token }}
INPUT_REF: ${{ inputs.ref }}
WORKFLOW_REF_NAME: ${{ github.ref_name }}
shell: bash
run: |
set -euo pipefail
@@ -199,9 +200,15 @@ jobs:
trusted_reason=""
git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
if [[ "${WORKFLOW_REF_NAME}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
fi
if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then
trusted_reason="main-ancestor"
elif [[ "${WORKFLOW_REF_NAME}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] &&
[[ "$selected_sha" == "$(git rev-parse "refs/remotes/origin/${WORKFLOW_REF_NAME}")" ]]; then
trusted_reason="release-branch-head"
elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then
trusted_reason="release-tag"
else
@@ -218,7 +225,7 @@ jobs:
if [[ -z "$trusted_reason" ]]; then
echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for secret-bearing live/E2E checks." >&2
echo "Allowed refs must be on main, point to a release tag, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
echo "Allowed refs must be on main, match the current release branch head, point to a release tag, or match an open PR head in ${GITHUB_REPOSITORY}." >&2
exit 1
fi
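Review bot: The new `release-branch-head` branch of the trust check makes secret-bearing runs trust whatever commit currently sits at `refs/heads/release/*`, so the check is only as strong as the branch protection on those branches and on who can set `github.ref_name` for a dispatched run; that assumption is not stated anywhere in the step, and a comment such as `# release/* heads are trusted only because those branches are protected; keep in step with branch rules` above the `elif` would make the policy auditable. The release-branch regex is written twice (in the fetch guard and in the `elif`), which invites drift; hoisting it once, `release_branch_re='^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$'`, and matching with `[[ "${WORKFLOW_REF_NAME}" =~ $release_branch_re ]]` in both places keeps them in sync. That pattern also rejects a `0` minor or patch component (e.g. `release/2026.10.0`), which may be intended but is worth confirming against the project's versioning. The enclosing `run:` step continues outside the hunk.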


@@ -6,6 +6,7 @@ const SMOKE_RUNNER_PATH = "scripts/docker/install-sh-smoke/run.sh";
const BUN_GLOBAL_SMOKE_PATH = "scripts/e2e/bun-global-install-smoke.sh";
const INSTALL_SMOKE_WORKFLOW_PATH = ".github/workflows/install-smoke.yml";
const RELEASE_CHECKS_WORKFLOW_PATH = ".github/workflows/openclaw-release-checks.yml";
const LIVE_E2E_WORKFLOW_PATH = ".github/workflows/openclaw-live-and-e2e-checks-reusable.yml";
describe("test-install-sh-docker", () => {
it("defaults local Apple Silicon smoke runs to native arm64 while keeping CI on amd64", () => {
@@ -57,6 +58,15 @@ describe("test-install-sh-docker", () => {
expect(script).toContain('echo "==> Reuse local dist/ from Docker image: $image"');
});
it("allows release branch head refs for secret-backed Docker release checks", () => {
const workflow = readFileSync(LIVE_E2E_WORKFLOW_PATH, "utf8");
expect(workflow).toContain("WORKFLOW_REF_NAME: ${{ github.ref_name }}");
expect(workflow).toContain("release-branch-head");
expect(workflow).toContain("refs/remotes/origin/${WORKFLOW_REF_NAME}");
expect(workflow).toContain("match the current release branch head");
});
it("prints package size audits for release smoke tarballs", () => {
const script = readFileSync(SCRIPT_PATH, "utf8");