CI: fix release-check caller permissions (#67787)

* CI: fix release-check caller permissions * CI: fix scheduled live and e2e checks * CI: tighten release workflow permissions * CI: restore release workflow caller permissions * Actions: harden release check inputs
2026-05-06 11:50:43 +00:00 · 2026-04-16 21:41:21 +02:00
parent 781b1de921
commit 51606e9889
5 changed files with 37 additions and 12 deletions
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -211,6 +211,9 @@ jobs:
          install-bun: "true"
          use-sticky-disk: "false"

+      - name: Build dist for repo E2E
+        run: pnpm build
+
      - name: Run repo E2E suite
        run: pnpm test:e2e

@@ -253,6 +256,12 @@ jobs:
          install-bun: "true"
          use-sticky-disk: "false"

+      - name: Build dist for special E2E
+        if: |
+          (inputs.include_repo_e2e && matrix.requires_repo_e2e) ||
+          (inputs.include_live_suites && matrix.requires_live_suites)
+        run: pnpm build
+
      - name: Configure suite-specific env
        shell: bash
        run: |
@@ -457,12 +466,12 @@ jobs:
            label: Docker live models
            command: pnpm test:docker:live-models
            timeout_minutes: 120
-            profile_env_only: true
+            profile_env_only: false
          - suite_id: live-gateway-docker
            label: Docker live gateway
            command: pnpm test:docker:live-gateway
            timeout_minutes: 120
-            profile_env_only: true
+            profile_env_only: false
          - suite_id: live-cli-backend-docker
            label: Docker live CLI backend
            command: pnpm test:docker:live-cli-backend
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -93,12 +93,16 @@ jobs:

      - name: Capture selected inputs
        id: inputs
+        env:
+          RELEASE_REF_INPUT: ${{ inputs.ref }}
+          RELEASE_PROVIDER_INPUT: ${{ inputs.provider }}
+          RELEASE_MODE_INPUT: ${{ inputs.mode }}
        run: |
          set -euo pipefail
          {
-            echo "ref=${{ inputs.ref }}"
-            echo "provider=${{ inputs.provider }}"
-            echo "mode=${{ inputs.mode }}"
+            printf 'ref=%s\n' "$RELEASE_REF_INPUT"
+            printf 'provider=%s\n' "$RELEASE_PROVIDER_INPUT"
+            printf 'mode=%s\n' "$RELEASE_MODE_INPUT"
          } >> "$GITHUB_OUTPUT"

      - name: Summarize validated ref
@@ -120,8 +124,7 @@ jobs:

  cross_os_release_checks:
    needs: [resolve_target]
-    permissions:
-      contents: read
+    permissions: read-all
    uses: ./.github/workflows/openclaw-cross-os-release-checks-reusable.yml
    with:
      ref: ${{ needs.resolve_target.outputs.ref }}