#!/usr/bin/env bash set -euo pipefail profile_path="${1:-${RUNNER_TEMP:-/tmp}/openclaw-live.profile}" mkdir -p "$(dirname "$profile_path")" : >"$profile_path" chmod 600 "$profile_path" append_profile_env() { local key="$1" local value="${!key:-}" if [[ -z "$value" || "$value" == "undefined" || "$value" == "null" ]]; then return fi printf 'export %s=%q\n' "$key" "$value" >>"$profile_path" } write_secret_file() { local destination="$1" local source_env="$2" local value="${!source_env:-}" if [[ -z "$value" ]]; then return fi mkdir -p "$(dirname "$destination")" printf '%s' "$value" >"$destination" chmod 600 "$destination" } activate_claude_oauth_access_token() { local credentials="${OPENCLAW_CLAUDE_CREDENTIALS_JSON:-}" if [[ -z "$credentials" ]]; then return fi local access_token expires_at now_ms local min_remaining_ms="$(( 90 * 60 * 1000 ))" access_token="$(jq -r '.claudeAiOauth.accessToken // empty' <<<"$credentials" 2>/dev/null || true)" expires_at="$(jq -r '.claudeAiOauth.expiresAt // 0' <<<"$credentials" 2>/dev/null || true)" now_ms="$(( $(date +%s) * 1000 ))" if [[ "$access_token" != sk-ant-oat* ]]; then echo "::warning::Claude credentials JSON has no usable OAuth access token; keeping the configured Anthropic fallback." >&2 return fi # Stable live shards can run for an hour, so never shadow the fallback with # a token that could expire before setup, retries, and cleanup complete. if ! [[ "$expires_at" =~ ^[0-9]+$ ]] || (( expires_at <= now_ms + min_remaining_ms )); then echo "::warning::Claude credentials JSON OAuth access token lacks 90 minutes of remaining life; keeping the configured Anthropic fallback." >&2 return fi echo "::add-mask::$access_token" export ANTHROPIC_OAUTH_TOKEN="$access_token" if [[ -n "${GITHUB_ENV:-}" ]]; then printf 'ANTHROPIC_OAUTH_TOKEN=%s\n' "$access_token" >>"$GITHUB_ENV" fi } activate_claude_oauth_access_token for env_key in \ OPENAI_API_KEY \ OPENAI_BASE_URL \ ANTHROPIC_OAUTH_TOKEN \ ANTHROPIC_API_KEY \ ANTHROPIC_API_KEY_OLD \ ANTHROPIC_API_TOKEN \ BYTEPLUS_API_KEY \ CEREBRAS_API_KEY \ DEEPINFRA_API_KEY \ DASHSCOPE_API_KEY \ GROQ_API_KEY \ KIMI_API_KEY \ MODELSTUDIO_API_KEY \ MOONSHOT_API_KEY \ MISTRAL_API_KEY \ MINIMAX_API_KEY \ OPENCODE_API_KEY \ OPENCODE_ZEN_API_KEY \ OPENCLAW_LIVE_BROWSER_CDP_URL \ OPENCLAW_LIVE_SETUP_TOKEN \ OPENCLAW_LIVE_SETUP_TOKEN_MODEL \ OPENCLAW_LIVE_SETUP_TOKEN_PROFILE \ OPENCLAW_LIVE_SETUP_TOKEN_VALUE \ FACTORY_API_KEY \ GEMINI_API_KEY \ GOOGLE_API_KEY \ OPENROUTER_API_KEY \ QWEN_API_KEY \ FAL_KEY \ RUNWAY_API_KEY \ DEEPGRAM_API_KEY \ TOGETHER_API_KEY \ VYDRA_API_KEY \ XAI_API_KEY \ ZAI_API_KEY \ Z_AI_API_KEY \ BYTEPLUS_ACCESS_KEY_ID \ BYTEPLUS_SECRET_ACCESS_KEY \ CLAUDE_CODE_OAUTH_TOKEN \ FIREWORKS_API_KEY do append_profile_env "$env_key" done write_secret_file "$HOME/.codex/auth.json" OPENCLAW_CODEX_AUTH_JSON write_secret_file "$HOME/.codex/config.toml" OPENCLAW_CODEX_CONFIG_TOML write_secret_file "$HOME/.claude.json" OPENCLAW_CLAUDE_JSON write_secret_file "$HOME/.claude/.credentials.json" OPENCLAW_CLAUDE_CREDENTIALS_JSON write_secret_file "$HOME/.claude/settings.json" OPENCLAW_CLAUDE_SETTINGS_JSON write_secret_file "$HOME/.claude/settings.local.json" OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON write_secret_file "$HOME/.gemini/settings.json" OPENCLAW_GEMINI_SETTINGS_JSON if [[ -n "${GITHUB_ENV:-}" ]]; then { echo "OPENCLAW_PROFILE_FILE=$profile_path" } >>"$GITHUB_ENV" fi