diff --git a/.github/workflows/ci-build-artifacts-testbox.yml b/.github/workflows/ci-build-artifacts-testbox.yml index 48cd441af58..71562b20668 100644 --- a/.github/workflows/ci-build-artifacts-testbox.yml +++ b/.github/workflows/ci-build-artifacts-testbox.yml @@ -26,7 +26,7 @@ jobs: timeout-minutes: 35 steps: - name: Begin Testbox - uses: useblacksmith/begin-testbox@v2 + uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67 with: testbox_id: ${{ inputs.testbox_id }} @@ -218,7 +218,7 @@ jobs: run: bash scripts/ci-hydrate-testbox-env.sh - name: Run Testbox - uses: useblacksmith/run-testbox@v2 + uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc if: always() env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" diff --git a/.github/workflows/ci-check-testbox.yml b/.github/workflows/ci-check-testbox.yml index 78405b19a6d..52cdd74a52b 100644 --- a/.github/workflows/ci-check-testbox.yml +++ b/.github/workflows/ci-check-testbox.yml @@ -25,7 +25,7 @@ jobs: timeout-minutes: 30 steps: - name: Begin Testbox - uses: useblacksmith/begin-testbox@v2 + uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67 with: testbox_id: ${{ inputs.testbox_id }} - name: Checkout @@ -121,7 +121,7 @@ jobs: run: bash scripts/ci-hydrate-testbox-env.sh - name: Run Testbox - uses: useblacksmith/run-testbox@v2 + uses: useblacksmith/run-testbox@5ca05834db1d3813554d1dd109e5f2087a8d7cbc if: always() env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00117a2725b..627b4582100 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-24.04 timeout-minutes: 20 outputs: - checkout_sha: ${{ steps.checkout_ref.outputs.sha }} + checkout_revision: ${{ steps.checkout_ref.outputs.sha }} docs_only: ${{ steps.manifest.outputs.docs_only }} docs_changed: ${{ steps.manifest.outputs.docs_changed }} run_node: ${{ steps.manifest.outputs.run_node }} 
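Review bot: The pinned `uses:` lines carry no version comment, so nothing in the workflow says which release each 40-character SHA corresponds to; this applies to `useblacksmith/begin-testbox` here and to the `run-testbox`, `openai/codex-action` and `pnpm/action-setup` pins in the later hunks. Append the tag the SHA was resolved from, for example `uses: useblacksmith/begin-testbox@d0e04585c26905fdd92c94a09c159544c7ee1b67 # vX.Y.Z` (placeholder, the real tag is not on this page), which also lets Dependabot or Renovate keep the pin current. Before merging, confirm that each SHA is reachable from a release tag in the action's own repository and not only in a fork of it. The `actions/*` steps visible as context (`actions/checkout@v6`, `actions/upload-artifact@v4`) stay on mutable tags; if that exemption is intentional it is worth stating in the commit message.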
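Review bot: Renaming the preflight output to `checkout_revision` fails silently for any consumer the commit misses, because an expression that still reads `needs.preflight.outputs.checkout_sha` evaluates to an empty string instead of raising an error. In the hunks that follow, that would mean `actions/checkout` receiving an empty `ref` and falling back to the event's default ref, the `dist-build` cache key losing its per-commit suffix, and `CHECKOUT_SHA` arriving empty, which `set -u` does not catch because the variable is still set. A search for the old name across `.github/` and any caller of these workflows covers this, and the checkout scripts could guard with `: "${CHECKOUT_SHA:?preflight did not provide a checkout revision}"` right after `set -euo pipefail`. Those script bodies continue outside the hunks, so an equivalent check may already exist.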
@@ -468,7 +468,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -540,7 +540,7 @@ jobs: path: | dist/ dist-runtime/ - key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_sha }} + key: ${{ runner.os }}-dist-build-${{ needs.preflight.outputs.checkout_revision }} - name: Pack built runtime artifacts run: tar --posix -cf dist-runtime-build.tar.zst --use-compress-program zstdmt dist dist-runtime @@ -669,7 +669,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -764,7 +764,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -867,7 +867,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -935,7 +935,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -1055,7 +1055,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail 
@@ -1135,7 +1135,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -1322,7 +1322,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -1454,7 +1454,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -1652,7 +1652,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail @@ -1715,7 +1715,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preflight.outputs.checkout_sha }} + ref: ${{ needs.preflight.outputs.checkout_revision }} persist-credentials: false submodules: false @@ -1758,7 +1758,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preflight.outputs.checkout_sha }} + ref: ${{ needs.preflight.outputs.checkout_revision }} persist-credentials: false submodules: false @@ -1863,7 +1863,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preflight.outputs.checkout_sha }} + ref: ${{ needs.preflight.outputs.checkout_revision }} persist-credentials: false submodules: false @@ -1904,7 +1904,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preflight.outputs.checkout_sha }} + ref: ${{ needs.preflight.outputs.checkout_revision }} persist-credentials: false submodules: false 
@@ -2005,7 +2005,7 @@ jobs: shell: bash env: CHECKOUT_REPO: ${{ github.repository }} - CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_sha }} + CHECKOUT_SHA: ${{ needs.preflight.outputs.checkout_revision }} CHECKOUT_TOKEN: ${{ github.token }} run: | set -euo pipefail diff --git a/.github/workflows/docs-agent.yml b/.github/workflows/docs-agent.yml index ff4399565f1..a939f9c0af6 100644 --- a/.github/workflows/docs-agent.yml +++ b/.github/workflows/docs-agent.yml @@ -149,7 +149,7 @@ jobs: - name: Run Codex docs agent if: steps.gate.outputs.run_agent == 'true' - uses: openai/codex-action@v1 + uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 env: DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }} DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }} diff --git a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml index d49962394bf..aee56480b68 100644 --- a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml +++ b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml @@ -321,7 +321,7 @@ jobs: submodules: recursive - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 with: version: ${{ env.PNPM_VERSION }} run_install: false @@ -496,7 +496,7 @@ jobs: persist-credentials: false - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 with: version: ${{ env.PNPM_VERSION }} run_install: false diff --git a/.github/workflows/openclaw-release-checks.yml b/.github/workflows/openclaw-release-checks.yml index 011b670c358..257dc4f6e6b 100644 --- a/.github/workflows/openclaw-release-checks.yml +++ b/.github/workflows/openclaw-release-checks.yml 
@@ -72,7 +72,7 @@ jobs: contents: read outputs: ref: ${{ steps.inputs.outputs.ref }} - sha: ${{ steps.ref.outputs.sha }} + revision: ${{ steps.ref.outputs.sha }} provider: ${{ steps.inputs.outputs.provider }} mode: ${{ steps.inputs.outputs.mode }} release_profile: ${{ steps.inputs.outputs.release_profile }} @@ -106,6 +106,7 @@ jobs: - name: Checkout trusted workflow helper uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.ref_name }} path: workflow fetch-depth: 1 @@ -126,6 +127,7 @@ jobs: if: steps.fast_ref.outputs.fallback == 'true' uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ inputs.ref }} path: source fetch-depth: 0 @@ -240,6 +242,7 @@ jobs: - name: Checkout trusted workflow ref uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.ref_name }} fetch-depth: 0 @@ -259,7 +262,7 @@ jobs: id: package shell: bash env: - PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }} + PACKAGE_REF: ${{ needs.resolve_target.outputs.revision }} run: | set -euo pipefail node scripts/resolve-openclaw-package-candidate.mjs \ @@ -298,7 +301,7 @@ jobs: contents: read uses: ./.github/workflows/install-smoke.yml with: - ref: ${{ needs.resolve_target.outputs.sha }} + ref: ${{ needs.resolve_target.outputs.revision }} run_bun_global_install_smoke: true cross_os_release_checks: @@ -333,7 +336,7 @@ jobs: pull-requests: read uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml with: - ref: ${{ needs.resolve_target.outputs.sha }} + ref: ${{ needs.resolve_target.outputs.revision }} include_repo_e2e: true include_release_path_suites: true include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }} @@ -488,7 +491,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.resolve_target.outputs.sha }} + persist-credentials: false + ref: ${{ needs.resolve_target.outputs.revision }} fetch-depth: 1 - name: Setup Node environment 
@@ -535,7 +539,7 @@ jobs: if: always() uses: actions/upload-artifact@v4 with: - name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.sha }} + name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }} path: .artifacts/qa-e2e/ retention-days: 14 if-no-files-found: warn @@ -556,7 +560,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.resolve_target.outputs.sha }} + persist-credentials: false + ref: ${{ needs.resolve_target.outputs.revision }} fetch-depth: 1 - name: Setup Node environment @@ -569,7 +574,7 @@ jobs: - name: Download parity lane artifacts uses: actions/download-artifact@v4 with: - pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.sha }} + pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.revision }} path: .artifacts/qa-e2e/ merge-multiple: true @@ -590,7 +595,7 @@ jobs: if: always() uses: actions/upload-artifact@v4 with: - name: release-qa-parity-${{ needs.resolve_target.outputs.sha }} + name: release-qa-parity-${{ needs.resolve_target.outputs.revision }} path: .artifacts/qa-e2e/ retention-days: 14 if-no-files-found: warn @@ -612,7 +617,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.resolve_target.outputs.sha }} + persist-credentials: false + ref: ${{ needs.resolve_target.outputs.revision }} fetch-depth: 1 - name: Setup Node environment @@ -669,7 +675,7 @@ jobs: if: always() uses: actions/upload-artifact@v4 with: - name: release-qa-live-matrix-${{ needs.resolve_target.outputs.sha }} + name: release-qa-live-matrix-${{ needs.resolve_target.outputs.revision }} path: .artifacts/qa-e2e/ retention-days: 14 if-no-files-found: warn @@ -691,7 +697,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.resolve_target.outputs.sha }} + persist-credentials: false + ref: ${{ needs.resolve_target.outputs.revision }} fetch-depth: 1 - name: Setup Node environment 
@@ -754,7 +761,7 @@ jobs: if: always() uses: actions/upload-artifact@v4 with: - name: release-qa-live-telegram-${{ needs.resolve_target.outputs.sha }} + name: release-qa-live-telegram-${{ needs.resolve_target.outputs.revision }} path: .artifacts/qa-e2e/ retention-days: 14 if-no-files-found: warn diff --git a/.github/workflows/parity-gate.yml b/.github/workflows/parity-gate.yml index c88ef4f9c8a..1792f71ba8b 100644 --- a/.github/workflows/parity-gate.yml +++ b/.github/workflows/parity-gate.yml @@ -57,9 +57,11 @@ jobs: steps: - name: Checkout PR uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 - name: Setup Node uses: actions/setup-node@v6 diff --git a/.github/workflows/plugin-clawhub-release.yml b/.github/workflows/plugin-clawhub-release.yml index 05757fe8a4c..7820b0cd3b3 100644 --- a/.github/workflows/plugin-clawhub-release.yml +++ b/.github/workflows/plugin-clawhub-release.yml @@ -35,7 +35,7 @@ jobs: permissions: contents: read outputs: - ref_sha: ${{ steps.ref.outputs.sha }} + ref_revision: ${{ steps.ref.outputs.sha }} has_candidates: ${{ steps.plan.outputs.has_candidates }} candidate_count: ${{ steps.plan.outputs.candidate_count }} skipped_published_count: ${{ steps.plan.outputs.skipped_published_count }} @@ -44,6 +44,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.sha }} fetch-depth: 0 @@ -150,7 +151,8 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }} + persist-credentials: false + ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }} fetch-depth: 1 - name: Setup Node environment @@ -164,6 +166,7 @@ jobs: - name: Checkout ClawHub CLI source uses: actions/checkout@v6 with: + persist-credentials: false repository: ${{ env.CLAWHUB_REPOSITORY }} ref: ${{ env.CLAWHUB_REF }} path: clawhub-source 
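Review bot: The "Checkout ClawHub CLI source" step in the hunk at -164 takes both `repository` and `ref` from `env.CLAWHUB_REPOSITORY` and `env.CLAWHUB_REF`, whose values are defined outside the hunk; if `CLAWHUB_REF` is a branch or tag, the CLI source pulled into this release workflow is still a mutable dependency of the kind the commit pins elsewhere. Setting `CLAWHUB_REF` to a full commit SHA, with a comment next to it such as `# ClawHub CLI pinned to a reviewed commit; bump deliberately`, would close that gap. The added `persist-credentials: false` is right for a checkout of a second repository. The same step appears again in the hunk at -223.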
@@ -187,7 +190,7 @@ jobs: env: CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }} SOURCE_REPO: ${{ github.repository }} - SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }} + SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }} SOURCE_REF: ${{ github.ref }} PACKAGE_TAG: ${{ matrix.plugin.publishTag }} PACKAGE_DIR: ${{ matrix.plugin.packageDir }} @@ -209,7 +212,8 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }} + persist-credentials: false + ref: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }} fetch-depth: 1 - name: Setup Node environment @@ -223,6 +227,7 @@ jobs: - name: Checkout ClawHub CLI source uses: actions/checkout@v6 with: + persist-credentials: false repository: ${{ env.CLAWHUB_REPOSITORY }} ref: ${{ env.CLAWHUB_REF }} path: clawhub-source @@ -266,7 +271,7 @@ jobs: env: CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }} SOURCE_REPO: ${{ github.repository }} - SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_sha }} + SOURCE_COMMIT: ${{ needs.preview_plugins_clawhub.outputs.ref_revision }} SOURCE_REF: ${{ github.ref }} PACKAGE_TAG: ${{ matrix.plugin.publishTag }} PACKAGE_DIR: ${{ matrix.plugin.packageDir }} diff --git a/.github/workflows/plugin-npm-release.yml b/.github/workflows/plugin-npm-release.yml index 8183a9df92f..5d63e144e06 100644 --- a/.github/workflows/plugin-npm-release.yml +++ b/.github/workflows/plugin-npm-release.yml @@ -46,7 +46,7 @@ jobs: permissions: contents: read outputs: - ref_sha: ${{ steps.ref.outputs.sha }} + ref_revision: ${{ steps.ref.outputs.sha }} has_candidates: ${{ steps.plan.outputs.has_candidates }} candidate_count: ${{ steps.plan.outputs.candidate_count }} matrix: ${{ steps.plan.outputs.matrix }} @@ -54,6 +54,7 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }} fetch-depth: 0 
@@ -151,7 +152,8 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }} + persist-credentials: false + ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }} fetch-depth: 1 - name: Setup Node environment @@ -185,7 +187,8 @@ jobs: - name: Checkout uses: actions/checkout@v6 with: - ref: ${{ needs.preview_plugins_npm.outputs.ref_sha }} + persist-credentials: false + ref: ${{ needs.preview_plugins_npm.outputs.ref_revision }} fetch-depth: 1 - name: Setup Node environment diff --git a/.github/workflows/qa-live-transports-convex.yml b/.github/workflows/qa-live-transports-convex.yml index 16524328298..b206f1b8aa5 100644 --- a/.github/workflows/qa-live-transports-convex.yml +++ b/.github/workflows/qa-live-transports-convex.yml @@ -81,12 +81,13 @@ jobs: needs: authorize_actor runs-on: blacksmith-8vcpu-ubuntu-2404 outputs: - selected_sha: ${{ steps.validate.outputs.selected_sha }} + selected_revision: ${{ steps.validate.outputs.selected_revision }} trusted_reason: ${{ steps.validate.outputs.trusted_reason }} steps: - name: Checkout selected ref uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.sha }} fetch-depth: 0 
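Review bot: With `persist-credentials: false` on "Checkout selected ref" in the hunk at -81, the two `git fetch --no-tags origin …` calls in the validation script of the next hunk run without the token that checkout would otherwise leave in the local git config, so they depend on anonymous read access to `origin`. The failure is closed, since `set -euo pipefail` aborts before `trusted_reason` is written, but it would surface as an unexplained fetch error if the repository ever requires authentication. A comment above the step would record the dependency, for example `# No persisted token: the validate step's git fetch relies on anonymous read access to origin`. The validate step appears to belong to the same job, and its body lies outside this hunk.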
@@ -98,27 +99,27 @@ jobs: shell: bash run: | set -euo pipefail - selected_sha="$(git rev-parse HEAD)" + selected_revision="$(git rev-parse HEAD)" trusted_reason="" git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main - if git merge-base --is-ancestor "$selected_sha" refs/remotes/origin/main; then + if git merge-base --is-ancestor "$selected_revision" refs/remotes/origin/main; then trusted_reason="main-ancestor" - elif git tag --points-at "$selected_sha" | grep -Eq '^v'; then + elif git tag --points-at "$selected_revision" | grep -Eq '^v'; then trusted_reason="release-tag" elif [[ "$INPUT_REF" =~ ^release/[0-9]{4}\.[0-9]+\.[0-9]+$ ]]; then git fetch --no-tags origin "+refs/heads/${INPUT_REF}:refs/remotes/origin/${INPUT_REF}" release_branch_sha="$(git rev-parse "refs/remotes/origin/${INPUT_REF}")" - if [[ "$selected_sha" == "$release_branch_sha" ]]; then + if [[ "$selected_revision" == "$release_branch_sha" ]]; then trusted_reason="release-branch-head" fi else pr_head_count="$( gh api \ -H "Accept: application/vnd.github+json" \ - "repos/${GITHUB_REPOSITORY}/commits/${selected_sha}/pulls" \ - --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_sha}"'")] | length' + "repos/${GITHUB_REPOSITORY}/commits/${selected_revision}/pulls" \ + --jq '[.[] | select(.state == "open" and .head.repo.full_name == "'"${GITHUB_REPOSITORY}"'" and .head.sha == "'"${selected_revision}"'")] | length' )" if [[ "$pr_head_count" != "0" ]]; then trusted_reason="open-pr-head" 
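Review bot: The release-tag branch, `git tag --points-at "$selected_revision" | grep -Eq '^v'`, accepts any tag whose name merely starts with `v`, which is a loose test for a script that gates what its own error message calls a secret-bearing QA run. Anchoring it to a version shape, the way the release-branch regex a few lines below already is, would narrow it, for example `grep -Eq '^v[0-9]{4}\.[0-9]+\.[0-9]+'` if tags follow the same scheme as the `release/` branches. The tag naming scheme is not visible on this page, so the exact pattern needs confirming against existing tags. The script starts before this hunk and ends in the next one.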
@@ -126,16 +127,16 @@ jobs: fi if [[ -z "$trusted_reason" ]]; then - echo "Ref '${INPUT_REF}' resolved to $selected_sha, which is not trusted for this secret-bearing QA run." >&2 + echo "Ref '${INPUT_REF}' resolved to $selected_revision, which is not trusted for this secret-bearing QA run." >&2 echo "Allowed refs must be on main, point to a release tag, match a release branch head, or match an open PR head in ${GITHUB_REPOSITORY}." >&2 exit 1 fi - echo "selected_sha=$selected_sha" >> "$GITHUB_OUTPUT" + echo "selected_revision=$selected_revision" >> "$GITHUB_OUTPUT" echo "trusted_reason=$trusted_reason" >> "$GITHUB_OUTPUT" { echo "Validated ref: \`${INPUT_REF}\`" - echo "Resolved SHA: \`$selected_sha\`" + echo "Resolved SHA: \`$selected_revision\`" echo "Trust reason: \`$trusted_reason\`" } >> "$GITHUB_STEP_SUMMARY" @@ -157,7 +158,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.validate_selected_ref.outputs.selected_sha }} + persist-credentials: false + ref: ${{ needs.validate_selected_ref.outputs.selected_revision }} fetch-depth: 1 - name: Setup Node environment @@ -220,7 +222,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.validate_selected_ref.outputs.selected_sha }} + persist-credentials: false + ref: ${{ needs.validate_selected_ref.outputs.selected_revision }} fetch-depth: 1 - name: Setup Node environment @@ -303,7 +306,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.validate_selected_ref.outputs.selected_sha }} + persist-credentials: false + ref: ${{ needs.validate_selected_ref.outputs.selected_revision }} fetch-depth: 1 - name: Setup Node environment 
@@ -375,7 +379,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.validate_selected_ref.outputs.selected_sha }} + persist-credentials: false + ref: ${{ needs.validate_selected_ref.outputs.selected_revision }} fetch-depth: 1 - name: Setup Node environment @@ -467,7 +472,8 @@ jobs: - name: Checkout selected ref uses: actions/checkout@v6 with: - ref: ${{ needs.validate_selected_ref.outputs.selected_sha }} + persist-credentials: false + ref: ${{ needs.validate_selected_ref.outputs.selected_revision }} fetch-depth: 1 - name: Setup Node environment diff --git a/.github/workflows/test-performance-agent.yml b/.github/workflows/test-performance-agent.yml index dbf29b83d33..22b49573a79 100644 --- a/.github/workflows/test-performance-agent.yml +++ b/.github/workflows/test-performance-agent.yml @@ -129,7 +129,7 @@ jobs: - name: Run Codex test performance agent if: steps.gate.outputs.run_agent == 'true' - uses: openai/codex-action@v1 + uses: openai/codex-action@5c3f4ccdb2b8790f73d6b21751ac00e602aa0c02 with: openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }} prompt-file: .github/codex/prompts/test-performance-agent.md