vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-28 15:27:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
51,800 Commits 1,843 Branches 149 Tags
c4f0da00a9fec2db072b1e398c16fe5032f0614d
Commit Graph

1195 Commits

Author SHA1 Message Date
Peter Steinberger
ee61f79b90 ci: retry release child workflow dispatch 2026-05-23 19:56:23 +01:00
Peter Steinberger
fcb9c46af0 ci: retry GHCR docker login 2026-05-23 19:28:03 +01:00
Peter Steinberger
d42bc0b684 ci: harden manual checkout auth 2026-05-23 19:11:13 +01:00
Peter Steinberger
02b1c8c902 ci: fix release reachability auth 2026-05-23 18:59:14 +01:00
Peter Steinberger
41f4605020 ci: harden release package validation 2026-05-23 18:48:17 +01:00
Peter Steinberger
3e14f54ffc ci(testbox): expose stable pnpm through corepack 2026-05-23 18:32:04 +01:00
Peter Steinberger
1f2d8f98ba ci(testbox): avoid ready raw runners after hydration failure 2026-05-23 18:30:37 +01:00
Peter Steinberger
391f29baad ci: harden beta release validation flakes 2026-05-23 18:23:39 +01:00
Jason O'Neal
7fffbf60b0 fix: harden package URL downloads (#85578) 
* fix: harden package URL downloads

Guard package acceptance URL downloads with HTTPS-only validation, no embedded credentials, private/special-use DNS and IP rejection, manual redirect checks, bounded timeout/size limits, pinned lookup, and atomic temp-file writes. Add tooling tests for unsafe URLs, redirect validation, size limits, and successful writes.

* fix: cancel redirect response bodies before closing dispatcher

ClawSweeper P2: the redirect branch in openPackageDownloadResponse cleared
the timeout and awaited dispatcher.close() without first cancelling
response.body. Undici's close() is graceful — it waits for in-flight
requests to complete — so a malicious redirect with a slow/never-ending
body could hang the hardened downloader.

Fix: call response.body?.cancel() before dispatcher.close() to abort the
redirect body immediately.

Test: add a regression test that uses a ReadableStream with an indefinite
interval to simulate a hanging body, and asserts cancel() was called.

Refs: clawsweeper review on PR #85512

* test: harden redirect body cancellation race in regression test

Guard the ReadableStream controller.enqueue() call with a cancelled
flag and try/catch to prevent ERR_INVALID_STATE when the interval
fires after cancel() closes the controller.

* fix: cancel final response body before closing dispatcher in downloadUrl

ClawSweeper P2: the HTTP-error and declared-oversize early-exit paths
in downloadUrl threw before consuming or canceling response.body. The
finally block then cleared the timeout and awaited graceful
dispatcher.close() with the body still open, allowing a slow/never-ending
response to hang release tooling.

Fix: add response.body?.cancel() in the finally block before
dispatcher.close().

Tests: add two regressions:
- HTTP 500 with slow body: asserts cancel() called before dispatcher close
- Declared content-length oversize with slow body: same assertion

* fix: add trusted package URL source policy

* fix: keep package URL resolver dependency-free

* test: cover encoded IPv6 package URL bypasses

* docs: sync package acceptance source overview

* docs: restore release doc formatting

* docs: sync package acceptance trusted-url source

* test: cover dotted IPv4 embedded IPv6 package URLs

* fix: parse dotted IPv4 embedded in IPv6 package URLs

* test: isolate anthropic pruning defaults

* test: move anthropic dated model coverage

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
 2026-05-23 17:28:29 +01:00
Peter Steinberger
35969ff440 ci: retry npm Telegram release dispatch 2026-05-23 17:19:00 +01:00
Peter Steinberger
6191750deb ci: avoid duplicate release-check auth headers 2026-05-23 16:55:03 +01:00
Peter Steinberger
0c192e2915 ci: authenticate release-check reachability fetches 2026-05-23 16:45:13 +01:00
Peter Steinberger
d9f73cfe33 ci: persist checkout credentials for release validation 2026-05-23 16:17:24 +01:00
Peter Steinberger
9c26b87114 ci(release): isolate npm publish concurrency 2026-05-23 13:39:43 +01:00
Peter Steinberger
0e3726305b ci(release): allow beta publish after npm preflight 2026-05-23 13:39:43 +01:00
Peter Steinberger
c689f71805 ci(release): retry child workflow polling 2026-05-23 13:39:43 +01:00
Peter Steinberger
e5dab55aca ci(release): poll child workflows through actions api 2026-05-23 13:39:43 +01:00
Vincent Koc
0d7d99befa fix(ci): repair crabbox hydrate replay (#85706) 2026-05-23 20:02:07 +08:00
Vincent Koc
68bcd4e39d test(ci): harden installer smoke coverage 2026-05-23 13:19:12 +02:00
Vincent Koc
1e21121021 fix(ci): require live docker credentials by resource 2026-05-23 12:39:02 +02:00
Vincent Koc
cc6c3728c7 fix(ci): require factory auth for droid live docker 2026-05-23 12:20:26 +02:00
Kevin Lin
5656f687c1 Add Slack approval QA checkpoints (#85141) 
* test: add slack approval qa checkpoints

* fix(slack): scope plugin approval session fallback

* ci(mantis): allow slack approval checkpoint dispatch

* ci(mantis): use on-demand aws slack desktops

* ci(mantis): run slack smoke from candidate checkout

* ci(mantis): pin aws ssh ingress to runner

* test(mantis): skip crabbox actions hydrate for slack desktop

* ci(mantis): use fresh pr checkout for slack desktop

* ci(mantis): start slack desktop smoke from source

* fix(mantis): use relative slack qa output dir

* test(mantis): surface slack smoke failure logs

* fix(mantis): write slack approval watcher script

* fix(mantis): accept successful slack qa metadata

* fix(mantis): tighten slack approval evidence

* fix(mantis): repair slack evidence manifest

* fix(mantis): render slack approval checkpoint proof

* fix(mantis): quote approval checkpoint renderer html

* fix(mantis): preserve slack approval failure artifacts

* fix(mantis): timeout silent slack desktop runs

* fix(mantis): keep slack desktop runs chatty

* fix(mantis): keep slack workflow harness trusted

* fix(qa-lab): make slack approval evidence robust

* fix(qa-lab): harden slack approval workflow proof

* test(qa-lab): surface slack approval diagnostics

* test(qa-lab): loosen slack approval readiness
 2026-05-22 22:04:15 -07:00
Peter Steinberger
dcfc7e58fa ci: unblock advisory Tideclaw alpha release checks 2026-05-22 22:09:18 +01:00
Dallin Romney
0a50cbdf34 Add TUI PTY integration coverage (#85485) 
* test: add TUI PTY integration coverage

* test: stabilize TUI PTY CI

* test: speed up TUI PTY coverage

* test: bound TUI PTY local waits

* ci: keep TUI PTY gate fast

* test: route TUI PTY project in full suite

* ci: run TUI PTY on routing edits
 2026-05-22 13:42:58 -07:00
Peter Steinberger
4b63502279 ci: run binding command escape in release checks 2026-05-22 20:12:53 +01:00
Peter Steinberger
0241a6e7ae ci: skip pnpm auto repair in Crabbox shell 2026-05-22 19:47:16 +01:00
Peter Steinberger
7552634996 ci: share Crabbox hydrate pnpm store 2026-05-22 19:37:46 +01:00
Peter Steinberger
b6940b5dc4 ci(release): pass node pin to pnpm setup 2026-05-22 19:27:56 +01:00
Peter Steinberger
b00d3065cf ci: use stable pnpm wrapper for Crabbox hydrate 2026-05-22 19:25:19 +01:00
Peter Steinberger
a0702e195d build(pnpm): use packageManager as pnpm source 
Recreated from #85108 because the original branch could not be updated by maintainers.

Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.

Co-authored-by: Altay <altay@hey.com>
 2026-05-22 19:17:43 +01:00
Peter Steinberger
f6840acc21 ci: export Crabbox hydrate pnpm layout 2026-05-22 19:16:33 +01:00
Peter Steinberger
489ea84819 ci: keep Crabbox hydrate runs reusable 2026-05-22 19:02:52 +01:00
Vincent Koc
9d24fde283 fix(release): keep shrinkwrap pinned to pnpm lock 2026-05-22 16:21:52 +02:00
Vincent Koc
52759294ca ci(package): gate acceptance on package integrity 2026-05-22 21:17:20 +08:00
Peter Steinberger
7b1fbe1c37 ci(release): harden docker package build 2026-05-22 14:15:46 +01:00
Peter Steinberger
f4bdfd46a9 ci(crabbox): harden docker hydration 2026-05-22 13:28:53 +01:00
Vincent Koc
bfa5b39648 fix: cover plugin package locks in dependency review 2026-05-22 12:56:10 +01:00
Peter Steinberger
b6c8807ca0 chore: add shrinkwrap to plugin npm packages 2026-05-22 12:56:10 +01:00
Peter Steinberger
c56067e34f chore: harden npm shrinkwrap release path 2026-05-22 12:56:10 +01:00
Alex Knight
e2f82d4d30 test: add mocked Control UI E2E tests and playwright for local verification and development (#85278) 
* test: add control ui mocked e2e
 2026-05-22 19:36:38 +10:00
Peter Steinberger
08f66133ef ci(release): link durable release evidence 2026-05-21 23:24:35 +01:00
Peter Steinberger
504f0dfa36 fix(installer): handle headless onboarding tty 2026-05-21 21:20:52 +01:00
Vincent Koc
652712e0ad ci(qa): publish soak parity artifacts 2026-05-22 00:08:51 +08:00
Vincent Koc
0e6f314dbb ci: tune crabbox developer image config 2026-05-21 23:21:35 +08:00
Peter Steinberger
3eb2d64392 ci: add live Codex plugin release check 2026-05-21 08:44:18 +01:00
Peter Steinberger
3faddfb506 ci(release): keep non-waiting clawhub publish best effort 2026-05-21 08:03:48 +01:00
Peter Steinberger
2fd02c2060 ci(release): require resolved target before child dispatch 2026-05-21 07:58:15 +01:00
Peter Steinberger
624d920351 ci(release): keep focused validation reruns independent 2026-05-21 07:58:15 +01:00
Peter Steinberger
0604d25101 ci(release): preserve direct repair publishes 2026-05-21 07:58:15 +01:00
Peter Steinberger
1c5fda115f ci(release): streamline beta publish verification 2026-05-21 07:58:15 +01:00