CI: stabilize live release lanes (#67838)

* CI: stabilize live release lanes

* CI: widen codex live exclusions

* Gateway: stop live config/auth lazy re-imports

* CI: mount writable live Docker homes

* Live: tighten retry and provider filter overrides

* CI: use API-key auth for codex live lanes

* CI: fix remaining live lanes

* CI: stop forwarding live OpenAI base URLs

* Gateway: fix live startup loader regression

* CI: stop expanding OpenAI keys in live Docker lanes

* CI: stop expanding installer secrets in Docker

* CI: tighten live secret boundaries

* Gateway: pin Codex harness base URL

* CI: fix reusable workflow runner label

* CI: avoid template expansion in live ref guard

* CI: tighten live trust gate

* Gateway: ignore empty Codex harness base URL

* CI: stabilize remaining live lanes

* CI: harden live retries and canvas auth test

* CI: extend cron live probe budget

* CI: keep codex harness lane on api-key auth

* CI: stage live Docker OpenAI auth via env files

* CI: bootstrap codex login for Docker API-key lanes

* CI: accept hosted-runner codex fallback responses

* CI: accept additional codex sandbox fallback text

* CI: accept hosted-runner live fallback variants

* CI: accept codex current-model fallback

* CI: broaden codex sandbox model fallbacks

* CI: cover extra codex sandbox wording

* CI: extend cli backend cron retry budget

* CI: match codex models fallbacks by predicate

* CI: accept configured-models live fallback

* CI: relax OpenAI websocket warmup timeout

* CI: accept extra codex model fallback wording

* CI: generalize codex model fallback matching

* CI: retry cron verify cancellation wording

* CI: accept interactive codex model entrypoint fallback

* Agents: stabilize Claude bundle skill command test

* CI: prestage live Docker auth homes

* Tests: accept current Codex models wording

* CI: stabilize remaining live lanes

* Tests: widen CLI backend live timeout

* Tests: accept current Codex model summary wording

* CI: disable codex-cli image probe in Docker lane

* Tests: respect CLI override for Codex Docker login

* Tests: accept current Codex session models header

* CI: stabilize remaining live validation lanes

* CI: preserve Gemini ACP coverage in auth fallback

* CI: fix final live validation blockers

* CI: restore Codex auth for CLI backend lane

* CI: drop local Codex config in live Docker lane

* Tests: tolerate Codex cron and model reply drift

* Tests: accept current Codex live replies

* Tests: retry more Codex cron retry wording

* Tests: accept environment-cancelled Codex cron retries

* Tests: retry blank Codex cron probe replies

* Tests: broaden Codex cron retry wording

* Tests: require explicit Codex cron retry replies

* Tests: accept current Codex models environment wording

* CI: restore trusted Codex config in live lane

* CI: bypass nested Codex sandbox in docker

* CI: instrument live codex cron lane

* CI: forward live CLI resume args

* Tests: accept interactive Codex model selection

* Tests: bound websocket warm-up live lane

* CI: close live lane review gaps

* Tests: lazy-load gateway live server

* Tests: avoid gateway live loader regression

* CI: scope reusable workflow secrets

* Tests: tighten codex models live assertion

* Tests: normalize OpenAI speech live text

scripts/test-live-models-docker.sh

@@ -7,6 +7,7 @@ IMAGE_NAME="${OPENCLAW_IMAGE:-openclaw:local}"
 LIVE_IMAGE_NAME="${OPENCLAW_LIVE_IMAGE:-${IMAGE_NAME}-live}"
 PROFILE_FILE="${OPENCLAW_PROFILE_FILE:-$HOME/.profile}"
 DOCKER_USER="${OPENCLAW_DOCKER_USER:-node}"
+DOCKER_AUTH_PRESTAGED=0
 
 openclaw_live_truthy() {
   case "${1:-}" in
@@ -20,6 +21,7 @@ openclaw_live_truthy() {
 }
 
 TEMP_DIRS=()
+DOCKER_HOME_MOUNT=()
 cleanup_temp_dirs() {
   if ((${#TEMP_DIRS[@]} > 0)); then
     rm -rf "${TEMP_DIRS[@]}"
@@ -47,6 +49,9 @@ fi
 mkdir -p "$CACHE_HOME_DIR"
 if [[ "${CI:-}" == "true" || "${GITHUB_ACTIONS:-}" == "true" ]]; then
   DOCKER_USER="$(id -u):$(id -g)"
+  DOCKER_HOME_DIR="$(mktemp -d "${RUNNER_TEMP:-/tmp}/openclaw-docker-home.XXXXXX")"
+  TEMP_DIRS+=("$DOCKER_HOME_DIR")
+  DOCKER_HOME_MOUNT=(-v "$DOCKER_HOME_DIR":/home/node)
 fi
 
 PROFILE_MOUNT=()
@@ -103,9 +108,15 @@ if ((${#AUTH_FILES[@]} > 0)); then
   AUTH_FILES_CSV="$(openclaw_live_join_csv "${AUTH_FILES[@]}")"
 fi
 
+if [[ -n "${DOCKER_HOME_DIR:-}" ]]; then
+  openclaw_live_stage_auth_into_home "$DOCKER_HOME_DIR" "${AUTH_DIRS[@]}" --files "${AUTH_FILES[@]}"
+  DOCKER_AUTH_PRESTAGED=1
+fi
+
 EXTERNAL_AUTH_MOUNTS=()
 if ((${#AUTH_DIRS[@]} > 0)); then
   for auth_dir in "${AUTH_DIRS[@]}"; do
+    auth_dir="$(openclaw_live_validate_relative_home_path "$auth_dir")"
     host_path="$HOME/$auth_dir"
     if [[ -d "$host_path" ]]; then
       EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/host-auth/"$auth_dir":ro)
@@ -114,6 +125,7 @@ if ((${#AUTH_DIRS[@]} > 0)); then
 fi
 if ((${#AUTH_FILES[@]} > 0)); then
   for auth_file in "${AUTH_FILES[@]}"; do
+    auth_file="$(openclaw_live_validate_relative_home_path "$auth_file")"
     host_path="$HOME/$auth_file"
     if [[ -f "$host_path" ]]; then
       EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/host-auth-files/"$auth_file":ro)
@@ -130,27 +142,29 @@ export NPM_CONFIG_CACHE="${NPM_CONFIG_CACHE:-$XDG_CACHE_HOME/npm}"
 export npm_config_cache="$NPM_CONFIG_CACHE"
 mkdir -p "$XDG_CACHE_HOME" "$COREPACK_HOME" "$NPM_CONFIG_CACHE"
 chmod 700 "$XDG_CACHE_HOME" "$COREPACK_HOME" "$NPM_CONFIG_CACHE" || true
-IFS=',' read -r -a auth_dirs <<<"${OPENCLAW_DOCKER_AUTH_DIRS_RESOLVED:-}"
-IFS=',' read -r -a auth_files <<<"${OPENCLAW_DOCKER_AUTH_FILES_RESOLVED:-}"
-if ((${#auth_dirs[@]} > 0)); then
-  for auth_dir in "${auth_dirs[@]}"; do
-    [ -n "$auth_dir" ] || continue
-    if [ -d "/host-auth/$auth_dir" ]; then
-      mkdir -p "$HOME/$auth_dir"
-      cp -R "/host-auth/$auth_dir/." "$HOME/$auth_dir"
-      chmod -R u+rwX "$HOME/$auth_dir" || true
-    fi
-  done
-fi
-if ((${#auth_files[@]} > 0)); then
-  for auth_file in "${auth_files[@]}"; do
-    [ -n "$auth_file" ] || continue
-    if [ -f "/host-auth-files/$auth_file" ]; then
-      mkdir -p "$(dirname "$HOME/$auth_file")"
-      cp "/host-auth-files/$auth_file" "$HOME/$auth_file"
-      chmod u+rw "$HOME/$auth_file" || true
-    fi
-  done
+if [ "${OPENCLAW_DOCKER_AUTH_PRESTAGED:-0}" != "1" ]; then
+  IFS=',' read -r -a auth_dirs <<<"${OPENCLAW_DOCKER_AUTH_DIRS_RESOLVED:-}"
+  IFS=',' read -r -a auth_files <<<"${OPENCLAW_DOCKER_AUTH_FILES_RESOLVED:-}"
+  if ((${#auth_dirs[@]} > 0)); then
+    for auth_dir in "${auth_dirs[@]}"; do
+      [ -n "$auth_dir" ] || continue
+      if [ -d "/host-auth/$auth_dir" ]; then
+        mkdir -p "$HOME/$auth_dir"
+        cp -R "/host-auth/$auth_dir/." "$HOME/$auth_dir"
+        chmod -R u+rwX "$HOME/$auth_dir" || true
+      fi
+    done
+  fi
+  if ((${#auth_files[@]} > 0)); then
+    for auth_file in "${auth_files[@]}"; do
+      [ -n "$auth_file" ] || continue
+      if [ -f "/host-auth-files/$auth_file" ]; then
+        mkdir -p "$(dirname "$HOME/$auth_file")"
+        cp "/host-auth-files/$auth_file" "$HOME/$auth_file"
+        chmod u+rw "$HOME/$auth_file" || true
+      fi
+    done
+  fi
 fi
 tmp_dir="$(mktemp -d)"
 cleanup() {
@@ -185,6 +199,7 @@ docker run --rm -t \
   -e NODE_OPTIONS=--disable-warning=ExperimentalWarning \
   -e OPENCLAW_SKIP_CHANNELS=1 \
   -e OPENCLAW_SUPPRESS_NOTES=1 \
+  -e OPENCLAW_DOCKER_AUTH_PRESTAGED="$DOCKER_AUTH_PRESTAGED" \
   -e OPENCLAW_DOCKER_AUTH_DIRS_RESOLVED="$AUTH_DIRS_CSV" \
   -e OPENCLAW_DOCKER_AUTH_FILES_RESOLVED="$AUTH_FILES_CSV" \
   -e OPENCLAW_LIVE_TEST=1 \
@@ -196,6 +211,7 @@ docker run --rm -t \
   -e OPENCLAW_LIVE_GATEWAY_MODELS="${OPENCLAW_LIVE_GATEWAY_MODELS:-}" \
   -e OPENCLAW_LIVE_GATEWAY_PROVIDERS="${OPENCLAW_LIVE_GATEWAY_PROVIDERS:-}" \
   -e OPENCLAW_LIVE_GATEWAY_MAX_MODELS="${OPENCLAW_LIVE_GATEWAY_MAX_MODELS:-}" \
+  "${DOCKER_HOME_MOUNT[@]}" \
   -v "$CACHE_HOME_DIR":/home/node/.cache \
   -v "$ROOT_DIR":/src:ro \
   -v "$CONFIG_DIR":/home/node/.openclaw \