From 8ec9bfb31e51919f3cdb8ee4896eceda0ab7be32 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 14 May 2026 14:33:13 +0800
Subject: [PATCH] fix(ci): authenticate performance report publishing
---
 .github/workflows/openclaw-performance.yml | 7 +--
 CHANGELOG.md | 1 +
 .../openclaw-performance-workflow.test.ts | 47 +++++++++++++++++++
 3 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 test/scripts/openclaw-performance-workflow.test.ts
diff --git a/.github/workflows/openclaw-performance.yml b/.github/workflows/openclaw-performance.yml
index 209ac004b92..c757e8c4840 100644
--- a/.github/workflows/openclaw-performance.yml
+++ b/.github/workflows/openclaw-performance.yml
@@ -489,9 +489,7 @@ jobs:
 reports_root=".artifacts/clawgrit-reports"
 mkdir -p "$reports_root"
 git -C "$reports_root" init -b main
- git -C "$reports_root" remote add origin https://github.com/openclaw/clawgrit-reports.git
- auth_header="$(printf 'x-access-token:%s' "$CLAWGRIT_REPORTS_TOKEN" | base64 -w0)"
- git -C "$reports_root" config http.https://github.com/.extraheader "AUTHORIZATION: basic ${auth_header}"
+ git -C "$reports_root" remote add origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/openclaw/clawgrit-reports.git"
 if git -C "$reports_root" ls-remote --exit-code --heads origin main >/dev/null 2>&1; then
 git -C "$reports_root" fetch --depth=1 origin main
 git -C "$reports_root" checkout -B main FETCH_HEAD
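Review bot: The added `remote add origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/..."` line stores the expanded token in clear text in `.artifacts/clawgrit-reports/.git/config`, and the `remote set-url` added to the Publish step in the next hunk rewrites the same value there. The checkout sits under `.artifacts/`, so if any step outside this diff uploads or caches that directory, the token would travel with it; it also shows up in `git remote -v` output. I would keep the origin URL credential-free and let git read the token from the environment at request time, e.g. `git -C "$reports_root" config credential.helper '!f() { echo username=x-access-token; echo "password=${CLAWGRIT_REPORTS_TOKEN}"; }; f'`, which persists only the variable name and makes the second `remote set-url` unnecessary. The `run` script starts and ends outside this hunk, so whether the token is cleared after the push cannot be seen from here.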
@@ -501,10 +499,13 @@ jobs:

 - name: Publish to clawgrit reports
 if: ${{ steps.kova.outputs.report_json != '' && steps.clawgrit.outputs.present == 'true' }}
+ env:
+ CLAWGRIT_REPORTS_TOKEN: ${{ secrets.CLAWGRIT_REPORTS_TOKEN }}
 shell: bash
 run: |
 set -euo pipefail
 reports_root=".artifacts/clawgrit-reports"
+ git -C "$reports_root" remote set-url origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/openclaw/clawgrit-reports.git"
 ref_slug="$(printf '%s' "${TESTED_REF}" | tr -c 'A-Za-z0-9._-' '-')"
 run_slug="${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
 dest="${reports_root}/openclaw-performance/${ref_slug}/${run_slug}/${LANE_ID}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1f1a467fe0..185a680dfb7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ Docs: https://docs.openclaw.ai
 - Telegram: allow trusted local Bot API media files whose filenames start with dots instead of falling back to remote download.
 - Agents/Codex app-server: remap injected context files under dot-dot-prefixed workspace directories when a run switches to an effective sandbox workspace.
 - Control UI/i18n: use the installed workspace pi runtime for locale refreshes, update the fallback package pin, and skip scheduled refreshes with invalid provider credentials instead of failing main.
+- CI/performance: authenticate the clawgrit report repository remote during both checkout and publish so performance report pushes do not fail after benchmarks complete.
 - Hooks: load workspace-relative legacy hook modules from dot-dot-prefixed directories without treating the filename prefix as parent traversal.
 - Plugins: preserve installed package metadata and persisted registry freshness checks for plugin package paths under dot-dot-prefixed directories.
 - Agents: allow dot-dot-prefixed filenames such as `..note.txt` through sandbox FS bridge, remote sandbox reads, and apply_patch summaries without mistaking the name for parent traversal.
diff --git a/test/scripts/openclaw-performance-workflow.test.ts b/test/scripts/openclaw-performance-workflow.test.ts
new file mode 100644
index 00000000000..4cd67e4699e
--- /dev/null
+++ b/test/scripts/openclaw-performance-workflow.test.ts
@@ -0,0 +1,47 @@
+import { readFileSync } from "node:fs";
+import { describe, expect, it } from "vitest";
+import { parse } from "yaml";
+
+const WORKFLOW = ".github/workflows/openclaw-performance.yml";
+
+type WorkflowStep = {
+ name?: string;
+ run?: string;
+ env?: Record;
+};
+
+type WorkflowJob = {
+ steps?: WorkflowStep[];
+};
+
+type Workflow = {
+ jobs?: Record;
+};
+
+function readWorkflow(): Workflow {
+ return parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
+}
+
+function findStep(name: string): WorkflowStep {
+ const steps = readWorkflow().jobs?.kova?.steps ?? [];
+ const step = steps.find((candidate) => candidate.name === name);
+ expect(step).toBeDefined();
+ return step as WorkflowStep;
+}
+
+describe("OpenClaw performance workflow", () => {
+ it("uses the clawgrit reports token for every report repo push path", () => {
+ const prepare = findStep("Prepare clawgrit reports checkout");
+ const publish = findStep("Publish to clawgrit reports");
+
+ expect(prepare.env?.CLAWGRIT_REPORTS_TOKEN).toBe("${{ secrets.CLAWGRIT_REPORTS_TOKEN }}");
+ expect(publish.env?.CLAWGRIT_REPORTS_TOKEN).toBe("${{ secrets.CLAWGRIT_REPORTS_TOKEN }}");
+ expect(prepare.run).toContain(
+ 'remote add origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/openclaw/clawgrit-reports.git"',
+ );
+ expect(publish.run).toContain(
+ 'remote set-url origin "https://x-access-token:${CLAWGRIT_REPORTS_TOKEN}@github.com/openclaw/clawgrit-reports.git"',
+ );
+ expect(publish.run).toContain('git -C "$reports_root" push origin HEAD:main');
+ });
+});
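Review bot: The two `toContain` assertions on `prepare.run` and `publish.run` pin the exact credential-bearing remote URL, so the test would fail on any later change that moves the token out of the URL even though authentication still works. The property worth locking in is that both steps receive the secret through `env` (already asserted) and that neither script inlines a secrets expression. Consider adding `expect(prepare.run).not.toContain("${{ secrets.");` and the same for `publish.run`, and keeping only the `push origin HEAD:main` check on the script text. Separately, `findStep` returns `step as WorkflowStep` after `expect(step).toBeDefined()`; throwing an `Error` that names the missing step would narrow the type without the cast and give a clearer failure.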