diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 872228e006f..1d248d5c804 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -267,6 +267,12 @@ jobs:
 with:
 submodules: false

+ - name: Ensure secrets base commit
+ uses: ./.github/actions/ensure-base-commit
+ with:
+ base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+ fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
 - name: Setup Node environment
 uses: ./.github/actions/setup-node-env
 with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 95421eb071d..74dc847d487 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -69,6 +69,8 @@ repos:
 - '"ap[i]Key": "xxxxx"(,)?'
 - --exclude-lines
 - 'ap[i]Key: "A[I]za\.\.\.",'
+ - --exclude-lines
+ - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
 # Shell script linting
 - repo: https://github.com/koalaman/shellcheck-precommit
 rev: v0.11.0
diff --git a/.secrets.baseline b/.secrets.baseline
index be62e5a4ca3..72adb0685b0 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -152,7 +152,8 @@
 "grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \\|\\| cat >> ~/.bashrc <<'EOF'",
 "env: \\{ MISTRAL_API_K[E]Y: \"sk-\\.\\.\\.\" \\},",
 "\"ap[i]Key\": \"xxxxx\"(,)?",
- "ap[i]Key: \"A[I]za\\.\\.\\.\","
+ "ap[i]Key: \"A[I]za\\.\\.\\.\",",
+ "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?"
 ]
 },
 {
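Review bot: `base-sha` is taken from `github.event.before` unguarded, so on a push that creates a branch it is the all-zero SHA and after a force-push it may name a commit no longer reachable on the remote; unless `./.github/actions/ensure-base-commit` (not part of this diff) tolerates an unfetchable base, the new step fails the job for exactly those pushes. A guard on the step such as `if: github.event_name == 'pull_request' || github.event.before != '0000000000000000000000000000000000000000'`, or an equivalent fallback inside the action, would keep branch creation from aborting the run. The expression also yields an empty `base-sha` for any event other than `push` or `pull_request`; whether this job runs on other triggers is not visible in the hunk. The step name suggests the fetched base is consumed by a later secrets scan; a comment above it, e.g. `# fetch the comparison base so the secrets scan can diff against it`, would record that intent for later readers.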
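Review bot: The new `--exclude-lines` pattern is a repository-wide suppression that must be kept in step with the copy of the same regex added to `.secrets.baseline` in this commit, and nothing in either file records that coupling, so the two will eventually drift. A comment on the new entry, `# keep in sync with the matching exclude entry in .secrets.baseline`, would make the dependency visible at the point of edit. The same commit uses inline `// pragma: allowlist secret` comments for the Swift and TypeScript fixtures, which scope the suppression to one reviewed line; if the `(resolved|normalized|legacy)-key` fixtures live in files that accept comments, the inline pragma would be the narrower and more consistent choice than a global regex.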
@@ -11515,14 +11516,14 @@
 "filename": "src/agents/models-config.providers.nvidia.test.ts",
 "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
 "is_verified": false,
- "line_number": 13
+ "line_number": 14
 },
 {
 "type": "Secret Keyword",
 "filename": "src/agents/models-config.providers.nvidia.test.ts",
 "hashed_secret": "be1a7be9d4d5af417882b267f4db6dddc08507bd",
 "is_verified": false,
- "line_number": 22
+ "line_number": 23
 }
 ],
 "src/agents/models-config.providers.ollama.e2e.test.ts": [
@@ -13034,5 +13035,5 @@
 }
 ]
 },
- "generated_at": "2026-03-08T18:30:57Z"
+ "generated_at": "2026-03-08T20:08:19Z"
 }
diff --git a/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift b/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift
index 172dc7ffc55..16fb5eed1a0 100644
--- a/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift
+++ b/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift
@@ -43,7 +43,7 @@ struct AppStateRemoteConfigTests {
 "transport": "direct",
 "url": "wss://old-gateway.example",
 "token": [
- "$secretRef": "gateway-token",
+ "$secretRef": "gateway-token", // pragma: allowlist secret
 ],
 ],
 ],
@@ -59,7 +59,7 @@ struct AppStateRemoteConfigTests {
 remoteToken: "",
 remoteTokenDirty: false)
 let sshRemote = (sshRoot["gateway"] as? [String: Any])?["remote"] as? [String: Any]
- #expect((sshRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+ #expect((sshRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret
 let localRoot = AppState._testSyncedGatewayRoot(
 currentRoot: sshRoot,
@@ -73,7 +73,7 @@ struct AppStateRemoteConfigTests {
 let localGateway = localRoot["gateway"] as? [String: Any]
 let localRemote = localGateway?["remote"] as? [String: Any]
 #expect(localGateway?["mode"] as? String == "local")
- #expect((localRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+ #expect((localRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret
 }

 @Test
@@ -81,7 +81,7 @@ struct AppStateRemoteConfigTests {
 let remote = AppState._testUpdatedRemoteGatewayConfig(
 current: [
 "token": [
- "$secretRef": "gateway-token",
+ "$secretRef": "gateway-token", // pragma: allowlist secret
 ],
 ],
 transport: .direct,
@@ -99,7 +99,7 @@ struct AppStateRemoteConfigTests {
 func updatedRemoteGatewayConfigClearsObjectTokenOnlyAfterExplicitEdit() {
 let current: [String: Any] = [
 "token": [
- "$secretRef": "gateway-token",
+ "$secretRef": "gateway-token", // pragma: allowlist secret
 ],
 ]

@@ -112,7 +112,7 @@ struct AppStateRemoteConfigTests {
 remoteIdentity: "",
 remoteToken: "",
 remoteTokenDirty: false)
- #expect((preserved["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+ #expect((preserved["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret
 let cleared = AppState._testUpdatedRemoteGatewayConfig(
 current: current,
diff --git a/src/agents/models-config.applies-config-env-vars.test.ts b/src/agents/models-config.applies-config-env-vars.test.ts
index fa4adb86168..4de78975cdb 100644
--- a/src/agents/models-config.applies-config-env-vars.test.ts
+++ b/src/agents/models-config.applies-config-env-vars.test.ts
@@ -22,7 +22,7 @@ describe("models-config", () => {
 models: { providers: {} },
 env: {
 vars: {
- OPENROUTER_API_KEY: "from-config",
+ OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
 [TEST_ENV_VAR]: "from-config",
 },
 },
@@ -44,13 +44,13 @@ describe("models-config", () => {
 it("does not overwrite already-set host env vars while ensuring models.json", async () => {
 await withTempHome(async () => {
 await withTempEnv(["OPENROUTER_API_KEY", TEST_ENV_VAR], async () => {
- process.env.OPENROUTER_API_KEY = "from-host";
+ process.env.OPENROUTER_API_KEY = "from-host"; // pragma: allowlist secret
 process.env[TEST_ENV_VAR] = "from-host";
 const cfg: OpenClawConfig = {
 models: { providers: {} },
 env: {
 vars: {
- OPENROUTER_API_KEY: "from-config",
+ OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
 [TEST_ENV_VAR]: "from-config",
 },
 },
diff --git a/src/agents/models-config.providers.matrix.test.ts b/src/agents/models-config.providers.matrix.test.ts
index ec2b743afb6..942cb68ab35 100644
--- a/src/agents/models-config.providers.matrix.test.ts
+++ b/src/agents/models-config.providers.matrix.test.ts
@@ -39,7 +39,7 @@ async function writeAuthProfiles(
 const MATRIX_CASES: MatrixCase[] = [
 {
 name: "env api key injects a simple provider",
- env: { NVIDIA_API_KEY: "test-nvidia-key" },
+ env: { NVIDIA_API_KEY: "test-nvidia-key" }, // pragma: allowlist secret
 assertProviders(providers) {
 expect(providers?.nvidia?.apiKey).toBe("NVIDIA_API_KEY");
 expect(providers?.nvidia?.baseUrl).toBe("https://integrate.api.nvidia.com/v1");
@@ -48,7 +48,7 @@ const MATRIX_CASES: MatrixCase[] = [
 },
 {
 name: "env api key injects paired plan providers",
- env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" },
+ env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" }, // pragma: allowlist secret
 assertProviders(providers) {
 expect(providers?.volcengine?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
 expect(providers?.["volcengine-plan"]?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
@@ -116,7 +116,7 @@ const MATRIX_CASES: MatrixCase[] = [
 },
 {
 name: "explicit vllm config suppresses implicit vllm injection",
- env: { VLLM_API_KEY: "test-vllm-key" },
+ env: { VLLM_API_KEY: "test-vllm-key" }, // pragma: allowlist secret
 explicitProviders: {
 vllm: {
 baseUrl: "http://127.0.0.1:8000/v1",