From 7a9584f0f9f033e7b90878350ee8d1bc5151c24c Mon Sep 17 00:00:00 2001
From: alexlomt
Date: Sat, 25 Apr 2026 07:13:30 +0200
Subject: [PATCH] fix(ci): harden release checks workflow inputs (#66884)
Merged via squash.
Prepared head SHA: d4e00973012eed2c60a027e3c4be472e0c0a4663
Co-authored-by: alexlomt <181166594+alexlomt@users.noreply.github.com>
Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com>
Reviewed-by: @hxy91819
---
...nclaw-cross-os-release-checks-reusable.yml | 33 ++++++++++++-------
CHANGELOG.md | 9 +++++
2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
index 6ee07b4c6f1..474139e7b75 100644
--- a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
+++ b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml
@@ -432,24 +432,35 @@ jobs: OPENCLAW_DISCORD_SMOKE_CHANNEL_ID: ${{ secrets.OPENCLAW_DISCORD_SMOKE_CHANNEL_ID }} OPENCLAW_RELEASE_CHECK_OS: ${{ matrix.os_id }} OPENCLAW_RELEASE_CHECK_RUNNER: ${{ matrix.runner }} + CANDIDATE_TGZ: ${{ runner.temp }}/openclaw-cross-os-release-checks/candidate/${{ needs.prepare.outputs.candidate_file_name }} + CANDIDATE_VERSION: ${{ needs.prepare.outputs.candidate_version }} + SOURCE_SHA: ${{ needs.prepare.outputs.source_sha }} + BASELINE_SPEC: ${{ needs.prepare.outputs.baseline_spec }} + PREVIOUS_VERSION: ${{ inputs.previous_version }} + BASELINE_TGZ: ${{ runner.temp }}/openclaw-cross-os-release-checks/baseline/${{ needs.prepare.outputs.baseline_file_name }} + PROVIDER: ${{ inputs.provider }} + MODE: ${{ matrix.lane }} + SUITE: ${{ matrix.suite }} + REF: ${{ inputs.ref }} + OUTPUT_DIR: ${{ runner.temp }}/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }} run: | DISCORD_ARGS=() if [[ -n "${OPENCLAW_DISCORD_SMOKE_BOT_TOKEN}" ]] && [[ -n "${OPENCLAW_DISCORD_SMOKE_GUILD_ID}" ]] && [[ -n "${OPENCLAW_DISCORD_SMOKE_CHANNEL_ID}" ]]; then DISCORD_ARGS+=(--run-discord-roundtrip true) fi pnpm dlx "tsx@${TSX_VERSION}" workflow/scripts/openclaw-cross-os-release-checks.ts \ - --candidate-tgz "$RUNNER_TEMP/openclaw-cross-os-release-checks/candidate/${{ needs.prepare.outputs.candidate_file_name }}" \ - --candidate-version "${{ needs.prepare.outputs.candidate_version }}" \ - --source-sha "${{ needs.prepare.outputs.source_sha }}" \ - --baseline-spec "${{ needs.prepare.outputs.baseline_spec }}" \ - --previous-version "${{ inputs.previous_version }}" \ - --baseline-tgz "$RUNNER_TEMP/openclaw-cross-os-release-checks/baseline/${{ needs.prepare.outputs.baseline_file_name }}" \ - --provider "${{ inputs.provider }}" \ - --mode "${{ matrix.lane }}" \ - --suite "${{ matrix.suite }}" \ - --ref "${{ inputs.ref }}" \ + --candidate-tgz "${CANDIDATE_TGZ}" \ + --candidate-version "${CANDIDATE_VERSION}" \ + --source-sha "${SOURCE_SHA}" \ + 
--baseline-spec "${BASELINE_SPEC}" \ + --previous-version "${PREVIOUS_VERSION}" \ + --baseline-tgz "${BASELINE_TGZ}" \ + --provider "${PROVIDER}" \ + --mode "${MODE}" \ + --suite "${SUITE}" \ + --ref "${REF}" \ "${DISCORD_ARGS[@]}" \ - --output-dir "$RUNNER_TEMP/openclaw-cross-os-release-checks/${{ matrix.artifact_name }}-${{ matrix.suite }}" + --output-dir "${OUTPUT_DIR}" - name: Summarize release checks if: always() diff --git a/CHANGELOG.md b/CHANGELOG.md index 097034b461f..566689b1c67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ Docs: https://docs.openclaw.ai +## Unreleased + +### Changes + +### Fixes + +- CI/release-checks: pass workflow inputs and matrix values through step environment variables instead of embedding them directly into `run:` shell commands, reducing template-injection surface in the cross-OS release-check workflow. (#66884) Thanks @alexlomt. +- fix(ci): harden release checks workflow inputs (#66884). Thanks @alexlomt + ## 2026.4.24 (Unreleased) ### Breaking
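Review bot: Nothing in the `run:` script of the release-check step checks the shape of `REF`, `PROVIDER` or `PREVIOUS_VERSION` before they are forwarded to `openclaw-cross-os-release-checks.ts`; quoting the variables only keeps the shell from evaluating them, so a value that starts with `-` or carries unexpected characters still reaches the script's argument parser unchanged. Whether the script validates these itself is not visible here, so a guard ahead of the `pnpm dlx` call, for example `[[ "${REF}" != -* ]] || { echo "invalid ref" >&2; exit 1; }`, would make the step fail closed. The new names `REF`, `MODE`, `SUITE` and `PROVIDER` are also generic and are inherited by every child process from the same `env:` block that holds the Discord smoke-test values. Prefixing them the way the existing `OPENCLAW_RELEASE_CHECK_OS` and `OPENCLAW_RELEASE_CHECK_RUNNER` are named would avoid collisions with variables a tool might read. The step's definition begins above the hunk, so other `run:` blocks in this workflow that may still interpolate `${{ inputs.* }}` directly could not be checked.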