vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-03-12 07:20:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: harden workflow action input handling

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 15:27:41 +01:00
parent efca61e3ac
commit 9130fd2b06
6 changed files with 132 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.github/actions/setup-node-env/action.yml vendored
View File

@@ -37,7 +37,7 @@ runs:
exit 1 exit 1
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with: with:
node-version: ${{ inputs.node-version }} node-version: ${{ inputs.node-version }}
check-latest: true check-latest: true
@@ -70,14 +70,29 @@ runs:
shell: bash shell: bash
env: env:
CI: "true" CI: "true"
FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
run: | run: |
set -euo pipefail
export PATH="$NODE_BIN:$PATH" export PATH="$NODE_BIN:$PATH"
which node which node
node -v node -v
pnpm -v pnpm -v
LOCKFILE_FLAG="" case "$FROZEN_LOCKFILE" in
if [ "${{ inputs.frozen-lockfile }}" = "true" ]; then true) LOCKFILE_FLAG="--frozen-lockfile" ;;
LOCKFILE_FLAG="--frozen-lockfile" false) LOCKFILE_FLAG="" ;;
*)
echo "::error::Invalid frozen-lockfile input: '$FROZEN_LOCKFILE' (expected true or false)"
exit 2
;;
esac
install_args=(
install
--ignore-scripts=false
--config.engine-strict=false
--config.enable-pre-post-scripts=true
)
if [ -n "$LOCKFILE_FLAG" ]; then
install_args+=("$LOCKFILE_FLAG")
fi fi
pnpm install $LOCKFILE_FLAG --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true || \ pnpm "${install_args[@]}" || pnpm "${install_args[@]}"
pnpm install $LOCKFILE_FLAG --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true

8
.github/actions/setup-pnpm-store-cache/action.yml vendored
View File

@@ -14,11 +14,17 @@ runs:
steps: steps:
- name: Setup pnpm (corepack retry) - name: Setup pnpm (corepack retry)
shell: bash shell: bash
env:
PNPM_VERSION: ${{ inputs.pnpm-version }}
run: | run: |
set -euo pipefail set -euo pipefail
if [[ ! "$PNPM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,2}([.-][0-9A-Za-z.-]+)?$ ]]; then
echo "::error::Invalid pnpm-version input: '$PNPM_VERSION'"
exit 2
fi
corepack enable corepack enable
for attempt in 1 2 3; do for attempt in 1 2 3; do
if corepack prepare "pnpm@${{ inputs.pnpm-version }}" --activate; then if corepack prepare "pnpm@$PNPM_VERSION" --activate; then
pnpm -v pnpm -v
exit 0 exit 0
fi fi

2
.github/workflows/ci.yml vendored
View File

@@ -368,7 +368,7 @@ jobs:
test -s dist/plugin-sdk/index.js test -s dist/plugin-sdk/index.js
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with: with:
node-version: 22.x node-version: 22.x
check-latest: true check-latest: true

2
.github/workflows/install-smoke.yml vendored
View File

@@ -34,7 +34,7 @@ jobs:
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with: with:
node-version: 22.x node-version: 22.x
check-latest: true check-latest: true

21
.github/workflows/workflow-sanity.yml vendored
View File

@@ -40,3 +40,24 @@ jobs:
print(f"- {path}") print(f"- {path}")
sys.exit(1) sys.exit(1)
PY PY
actionlint:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install actionlint
shell: bash
run: |
set -euo pipefail
ACTIONLINT_VERSION="1.7.11"
archive="actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz"
curl -sSfL "https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/${archive}" | tar -xz actionlint
sudo mv actionlint /usr/local/bin/actionlint
- name: Lint workflows
run: actionlint
- name: Disallow direct inputs interpolation in composite run blocks
run: python3 scripts/check-composite-action-input-interpolation.py

81
scripts/check-composite-action-input-interpolation.py Normal file
View File

@@ -0,0 +1,81 @@
#!/usr/bin/env python3
from __future__ import annotations
import pathlib
import re
import sys
INPUT_INTERPOLATION_RE = re.compile(r"\$\{\{\s*inputs\.")
RUN_LINE_RE = re.compile(r"^(\s*)run:\s*(.*)$")
USING_COMPOSITE_RE = re.compile(r"^\s*using:\s*composite\s*$", re.MULTILINE)
def indentation(line: str) -> int:
return len(line) - len(line.lstrip(" "))
def scan_file(path: pathlib.Path) -> list[tuple[int, str]]:
text = path.read_text(encoding="utf-8")
if not USING_COMPOSITE_RE.search(text):
return []
lines = text.splitlines()
violations: list[tuple[int, str]] = []
line_count = len(lines)
index = 0
while index < line_count:
line = lines[index]
match = RUN_LINE_RE.match(line)
if not match:
index += 1
continue
run_indent = len(match.group(1))
run_value = match.group(2).strip()
line_no = index + 1
if run_value and run_value[0] not in ("|", ">"):
if INPUT_INTERPOLATION_RE.search(run_value):
violations.append((line_no, line.strip()))
index += 1
continue
index += 1
while index < line_count:
script_line = lines[index]
if script_line.strip() == "":
index += 1
continue
if indentation(script_line) <= run_indent:
break
if INPUT_INTERPOLATION_RE.search(script_line):
violations.append((index + 1, script_line.strip()))
index += 1
return violations
def main() -> int:
root = pathlib.Path(".github/actions")
files = sorted(root.rglob("action.y*ml"))
all_violations: list[tuple[pathlib.Path, int, str]] = []
for file_path in files:
for line_no, line in scan_file(file_path):
all_violations.append((file_path, line_no, line))
if all_violations:
print("Disallowed direct inputs interpolation in composite run blocks:")
for file_path, line_no, line in all_violations:
print(f"- {file_path}:{line_no}: {line}")
print("Use env: and reference shell variables instead.")
return 1
print("No direct inputs interpolation found in composite run blocks.")
return 0
if __name__ == "__main__":
sys.exit(main())