fix(ci): harden workflow checkouts

2026-05-06 17:31:06 +00:00 · 2026-04-28 01:16:24 -07:00
parent f76c8322d3
commit 5ac6d7661c
11 changed files with 85 additions and 62 deletions
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -72,7 +72,7 @@ jobs:
      contents: read
    outputs:
      ref: ${{ steps.inputs.outputs.ref }}
-      sha: ${{ steps.ref.outputs.sha }}
+      revision: ${{ steps.ref.outputs.sha }}
      provider: ${{ steps.inputs.outputs.provider }}
      mode: ${{ steps.inputs.outputs.mode }}
      release_profile: ${{ steps.inputs.outputs.release_profile }}
@@ -106,6 +106,7 @@ jobs:
      - name: Checkout trusted workflow helper
        uses: actions/checkout@v6
        with:
+          persist-credentials: false
          ref: ${{ github.ref_name }}
          path: workflow
          fetch-depth: 1
@@ -126,6 +127,7 @@ jobs:
        if: steps.fast_ref.outputs.fallback == 'true'
        uses: actions/checkout@v6
        with:
+          persist-credentials: false
          ref: ${{ inputs.ref }}
          path: source
          fetch-depth: 0
@@ -240,6 +242,7 @@ jobs:
      - name: Checkout trusted workflow ref
        uses: actions/checkout@v6
        with:
+          persist-credentials: false
          ref: ${{ github.ref_name }}
          fetch-depth: 0

@@ -259,7 +262,7 @@ jobs:
        id: package
        shell: bash
        env:
-          PACKAGE_REF: ${{ needs.resolve_target.outputs.sha }}
+          PACKAGE_REF: ${{ needs.resolve_target.outputs.revision }}
        run: |
          set -euo pipefail
          node scripts/resolve-openclaw-package-candidate.mjs \
@@ -298,7 +301,7 @@ jobs:
      contents: read
    uses: ./.github/workflows/install-smoke.yml
    with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
      run_bun_global_install_smoke: true

  cross_os_release_checks:
@@ -333,7 +336,7 @@ jobs:
      pull-requests: read
    uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
    with:
-      ref: ${{ needs.resolve_target.outputs.sha }}
+      ref: ${{ needs.resolve_target.outputs.revision }}
      include_repo_e2e: true
      include_release_path_suites: true
      include_openwebui: ${{ needs.resolve_target.outputs.release_profile != 'minimum' }}
@@ -488,7 +491,8 @@ jobs:
      - name: Checkout selected ref
        uses: actions/checkout@v6
        with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
          fetch-depth: 1

      - name: Setup Node environment
@@ -535,7 +539,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ matrix.lane }}-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
          retention-days: 14
          if-no-files-found: warn
@@ -556,7 +560,8 @@ jobs:
      - name: Checkout selected ref
        uses: actions/checkout@v6
        with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
          fetch-depth: 1

      - name: Setup Node environment
@@ -569,7 +574,7 @@ jobs:
      - name: Download parity lane artifacts
        uses: actions/download-artifact@v4
        with:
-          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.sha }}
+          pattern: release-qa-parity-*-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
          merge-multiple: true

@@ -590,7 +595,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: release-qa-parity-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-parity-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
          retention-days: 14
          if-no-files-found: warn
@@ -612,7 +617,8 @@ jobs:
      - name: Checkout selected ref
        uses: actions/checkout@v6
        with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
          fetch-depth: 1

      - name: Setup Node environment
@@ -669,7 +675,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-matrix-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
          retention-days: 14
          if-no-files-found: warn
@@ -691,7 +697,8 @@ jobs:
      - name: Checkout selected ref
        uses: actions/checkout@v6
        with:
-          ref: ${{ needs.resolve_target.outputs.sha }}
+          persist-credentials: false
+          ref: ${{ needs.resolve_target.outputs.revision }}
          fetch-depth: 1

      - name: Setup Node environment
@@ -754,7 +761,7 @@ jobs:
        if: always()
        uses: actions/upload-artifact@v4
        with:
-          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.sha }}
+          name: release-qa-live-telegram-${{ needs.resolve_target.outputs.revision }}
          path: .artifacts/qa-e2e/
          retention-days: 14
          if-no-files-found: warn