From 17094640f876be133de430428bead4c5799339bd Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sun, 26 Apr 2026 22:35:45 +0100 Subject: [PATCH] ci(release): trust release branch docker checks (cherry picked from commit abf0ef9cd35889f4a07bd6c1129713300bffca08) --- .../openclaw-live-and-e2e-checks-reusable.yml | 9 ++++++++- test/scripts/test-install-sh-docker.test.ts | 10 ++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml index 279073e15e1..37ab6538e71 100644 --- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml +++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml @@ -192,6 +192,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} INPUT_REF: ${{ inputs.ref }} + WORKFLOW_REF_NAME: ${{ github.ref_name }} shell: bash run: | set -euo pipefail @@ -199,9 +200,15 @@ jobs: trusted_reason="" git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main + if [[ "${WORKFLOW_REF_NAME}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then + git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}" + fi if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then trusted_reason="main-ancestor" + elif [[ "${WORKFLOW_REF_NAME}" =~ ^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]] && + [[ "$selected_sha" == "$(git rev-parse "refs/remotes/origin/${WORKFLOW_REF_NAME}")" ]]; then + trusted_reason="release-branch-head" elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then trusted_reason="release-tag" else 
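Review bot: The new `release-branch-head` arm makes "is currently the tip of any `release/YYYY.M.N` branch" as trusted as "is on main" for the secret-bearing steps, yet nothing in the hunk or the commit message records that this depends on `release/*` being push-restricted the way main is; if those branches are not covered by a ruleset, anyone with write access can push a commit to a release branch and dispatch the live checks against it. I would pin that assumption next to the new `elif`: `# release/* tips are trusted only because those branches are push-restricted to release managers; keep that ruleset in place`. Two smaller points: the branch regex is written twice (fetch guard and `elif`), so it could be hoisted into `release_branch_re='^release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$'` and used unquoted in both `=~` tests, and since `github.ref_name` in a reusable workflow is, as I read it, the caller's ref, a `pull_request` caller yields `N/merge` and cannot match — worth a one-line comment so the next reader does not widen the pattern. The `run:` step's body continues past the hunk.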
@@ -218,7 +225,7 @@ jobs: if [[ -z "$trusted_reason" ]]; then echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for secret-bearing live/E2E checks." >&2 - echo "Allowed refs must be on main, point to a release tag, or match an open PR head in ${GITHUB_REPOSITORY}." >&2 + echo "Allowed refs must be on main, match the current release branch head, point to a release tag, or match an open PR head in ${GITHUB_REPOSITORY}." >&2 exit 1 fi diff --git a/test/scripts/test-install-sh-docker.test.ts b/test/scripts/test-install-sh-docker.test.ts index 288a7b4a547..909a3e9b0db 100644 --- a/test/scripts/test-install-sh-docker.test.ts +++ b/test/scripts/test-install-sh-docker.test.ts @@ -6,6 +6,7 @@ const SMOKE_RUNNER_PATH = "scripts/docker/install-sh-smoke/run.sh"; const BUN_GLOBAL_SMOKE_PATH = "scripts/e2e/bun-global-install-smoke.sh"; const INSTALL_SMOKE_WORKFLOW_PATH = ".github/workflows/install-smoke.yml"; const RELEASE_CHECKS_WORKFLOW_PATH = ".github/workflows/openclaw-release-checks.yml"; +const LIVE_E2E_WORKFLOW_PATH = ".github/workflows/openclaw-live-and-e2e-checks-reusable.yml"; describe("test-install-sh-docker", () => { it("defaults local Apple Silicon smoke runs to native arm64 while keeping CI on amd64", () => { @@ -57,6 +58,15 @@ describe("test-install-sh-docker", () => { expect(script).toContain('echo "==> Reuse local dist/ from Docker image: $image"'); }); + it("allows release branch head refs for secret-backed Docker release checks", () => { + const workflow = readFileSync(LIVE_E2E_WORKFLOW_PATH, "utf8"); + + expect(workflow).toContain("WORKFLOW_REF_NAME: ${{ github.ref_name }}"); + expect(workflow).toContain("release-branch-head"); + expect(workflow).toContain("refs/remotes/origin/${WORKFLOW_REF_NAME}"); + expect(workflow).toContain("match the current release branch head"); + }); + it("prints package size audits for release smoke tarballs", () => { const script = readFileSync(SCRIPT_PATH, "utf8");
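Review bot: The new test only asserts that four substrings exist in the workflow file, so it would still pass if the `$selected_sha == $(git rev-parse …)` comparison were dropped and `trusted_reason="release-branch-head"` were assigned unconditionally; a substring check on the marker string does not pin the guard. Add the comparison itself, e.g. `expect(workflow).toContain('[[ "$selected_sha" == "$(git rev-parse "refs/remotes/origin/${WORKFLOW_REF_NAME}")" ]]');`, and the branch pattern `expect(workflow).toContain('^release/[0-9]{4}\\.[1-9][0-9]*\\.[1-9][0-9]*$');` so a widened regex fails the test. The test also sits in `test-install-sh-docker.test.ts` although it inspects the live/E2E workflow rather than the Docker smoke script; a one-line comment on the `it` saying why it lives here (presumably because the Docker release checks consume this reusable workflow) would help the next reader. The enclosing `describe` block starts and ends outside the hunk.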