fix(ci): scope secrets scan to branch changes

2026-03-12 07:20:45 +00:00 · 2026-03-08 22:11:38 +02:00
parent 0ecfd37b44
commit dadd7f99cd
6 changed files with 25 additions and 16 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -267,6 +267,12 @@ jobs:
        with:
          submodules: false

+      - name: Ensure secrets base commit
+        uses: ./.github/actions/ensure-base-commit
+        with:
+          base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
+          fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}
+
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -69,6 +69,8 @@ repos:
          - '"ap[i]Key": "xxxxx"(,)?'
          - --exclude-lines
          - 'ap[i]Key: "A[I]za\.\.\.",'
+          - --exclude-lines
+          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -152,7 +152,8 @@
        "grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bashrc \\|\\| cat >> ~/.bashrc <<'EOF'",
        "env: \\{ MISTRAL_API_K[E]Y: \"sk-\\.\\.\\.\" \\},",
        "\"ap[i]Key\": \"xxxxx\"(,)?",
-        "ap[i]Key: \"A[I]za\\.\\.\\.\","
+        "ap[i]Key: \"A[I]za\\.\\.\\.\",",
+        "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?"
      ]
    },
    {
@@ -11515,14 +11516,14 @@
        "filename": "src/agents/models-config.providers.nvidia.test.ts",
        "hashed_secret": "3acfb2c2b433c0ea7ff107e33df91b18e52f960f",
        "is_verified": false,
-        "line_number": 13
+        "line_number": 14
      },
      {
        "type": "Secret Keyword",
        "filename": "src/agents/models-config.providers.nvidia.test.ts",
        "hashed_secret": "be1a7be9d4d5af417882b267f4db6dddc08507bd",
        "is_verified": false,
-        "line_number": 22
+        "line_number": 23
      }
    ],
    "src/agents/models-config.providers.ollama.e2e.test.ts": [
@@ -13034,5 +13035,5 @@
      }
    ]
  },
-  "generated_at": "2026-03-08T18:30:57Z"
+  "generated_at": "2026-03-08T20:08:19Z"
 }
--- a/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift
+++ b/apps/macos/Tests/OpenClawIPCTests/AppStateRemoteConfigTests.swift
@@ -43,7 +43,7 @@ struct AppStateRemoteConfigTests {
                    "transport": "direct",
                    "url": "wss://old-gateway.example",
                    "token": [
-                        "$secretRef": "gateway-token",
+                        "$secretRef": "gateway-token", // pragma: allowlist secret
                    ],
                ],
            ],
@@ -59,7 +59,7 @@ struct AppStateRemoteConfigTests {
            remoteToken: "",
            remoteTokenDirty: false)
        let sshRemote = (sshRoot["gateway"] as? [String: Any])?["remote"] as? [String: Any]
-        #expect((sshRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+        #expect((sshRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret

        let localRoot = AppState._testSyncedGatewayRoot(
            currentRoot: sshRoot,
@@ -73,7 +73,7 @@ struct AppStateRemoteConfigTests {
        let localGateway = localRoot["gateway"] as? [String: Any]
        let localRemote = localGateway?["remote"] as? [String: Any]
        #expect(localGateway?["mode"] as? String == "local")
-        #expect((localRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+        #expect((localRemote?["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret
    }

    @Test
@@ -81,7 +81,7 @@ struct AppStateRemoteConfigTests {
        let remote = AppState._testUpdatedRemoteGatewayConfig(
            current: [
                "token": [
-                    "$secretRef": "gateway-token",
+                    "$secretRef": "gateway-token", // pragma: allowlist secret
                ],
            ],
            transport: .direct,
@@ -99,7 +99,7 @@ struct AppStateRemoteConfigTests {
    func updatedRemoteGatewayConfigClearsObjectTokenOnlyAfterExplicitEdit() {
        let current: [String: Any] = [
            "token": [
-                "$secretRef": "gateway-token",
+                "$secretRef": "gateway-token", // pragma: allowlist secret
            ],
        ]

@@ -112,7 +112,7 @@ struct AppStateRemoteConfigTests {
            remoteIdentity: "",
            remoteToken: "",
            remoteTokenDirty: false)
-        #expect((preserved["token"] as? [String: String])?["$secretRef"] == "gateway-token")
+        #expect((preserved["token"] as? [String: String])?["$secretRef"] == "gateway-token") // pragma: allowlist secret

        let cleared = AppState._testUpdatedRemoteGatewayConfig(
            current: current,
--- a/src/agents/models-config.applies-config-env-vars.test.ts
+++ b/src/agents/models-config.applies-config-env-vars.test.ts
@@ -22,7 +22,7 @@ describe("models-config", () => {
          models: { providers: {} },
          env: {
            vars: {
-              OPENROUTER_API_KEY: "from-config",
+              OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
              [TEST_ENV_VAR]: "from-config",
            },
          },
@@ -44,13 +44,13 @@ describe("models-config", () => {
  it("does not overwrite already-set host env vars while ensuring models.json", async () => {
    await withTempHome(async () => {
      await withTempEnv(["OPENROUTER_API_KEY", TEST_ENV_VAR], async () => {
-        process.env.OPENROUTER_API_KEY = "from-host";
+        process.env.OPENROUTER_API_KEY = "from-host"; // pragma: allowlist secret
        process.env[TEST_ENV_VAR] = "from-host";
        const cfg: OpenClawConfig = {
          models: { providers: {} },
          env: {
            vars: {
-              OPENROUTER_API_KEY: "from-config",
+              OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
              [TEST_ENV_VAR]: "from-config",
            },
          },
--- a/src/agents/models-config.providers.matrix.test.ts
+++ b/src/agents/models-config.providers.matrix.test.ts
@@ -39,7 +39,7 @@ async function writeAuthProfiles(
 const MATRIX_CASES: MatrixCase[] = [
  {
    name: "env api key injects a simple provider",
-    env: { NVIDIA_API_KEY: "test-nvidia-key" },
+    env: { NVIDIA_API_KEY: "test-nvidia-key" }, // pragma: allowlist secret
    assertProviders(providers) {
      expect(providers?.nvidia?.apiKey).toBe("NVIDIA_API_KEY");
      expect(providers?.nvidia?.baseUrl).toBe("https://integrate.api.nvidia.com/v1");
@@ -48,7 +48,7 @@ const MATRIX_CASES: MatrixCase[] = [
  },
  {
    name: "env api key injects paired plan providers",
-    env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" },
+    env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" }, // pragma: allowlist secret
    assertProviders(providers) {
      expect(providers?.volcengine?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
      expect(providers?.["volcengine-plan"]?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
@@ -116,7 +116,7 @@ const MATRIX_CASES: MatrixCase[] = [
  },
  {
    name: "explicit vllm config suppresses implicit vllm injection",
-    env: { VLLM_API_KEY: "test-vllm-key" },
+    env: { VLLM_API_KEY: "test-vllm-key" }, // pragma: allowlist secret
    explicitProviders: {
      vllm: {
        baseUrl: "http://127.0.0.1:8000/v1",