Guard the remaining Windows Testbox workflow ref logging against GitHub Actions template injection by moving `target_ref` through step env before PowerShell reads it. Extend the local workflow check wrapper to run pinned `zizmor` across every workflow file, and keep Workflow Sanity's CI audit explicit with trusted-base pre-commit and zizmor configs for pull-request runs. Thanks @WT-WSL for the original report and patch. Co-authored-by: dev111-actor <captaintobb@outlook.com>
---
# Maintainer-dispatched lane that calls the package-acceptance reusable
# workflow with the update-migration Docker lane and the published
# upgrade-survivor baselines/scenarios chosen at dispatch time.
name: 'Update Migration'

on:
  workflow_dispatch:
    inputs:
      # Ref of the workflow/harness code itself. It is labelled "trusted"
      # because it selects the harness that runs, not only the package under
      # test, so only maintainers should be able to dispatch this workflow.
      workflow_ref:
        description: 'Trusted workflow/harness ref'
        default: 'main'
        required: true
        type: string
      # Ref (branch, tag or SHA) that is packaged as the update target.
      package_ref:
        description: 'Branch, tag, or SHA to package as the update target'
        default: 'main'
        required: true
        type: string
      baselines:
        description: 'Published baselines to migrate; use all-since-2026.4.23 for full coverage'
        default: 'all-since-2026.4.23'
        required: true
        type: string
      scenarios:
        description: 'Update survivor scenarios'
        default: 'plugin-deps-cleanup'
        required: true
        type: string

# Explicit least-privilege token: only `packages` is writable, everything
# else is read-only. NOTE(review): what the callee writes with `packages`
# is not visible here — confirm against package-acceptance.yml.
permissions:
  actions: read
  contents: read
  packages: write
  pull-requests: read

jobs:
  update_migration:
    name: 'Update migration matrix'
    uses: ./.github/workflows/package-acceptance.yml
    with:
      # Dispatch inputs are forwarded as reusable-workflow inputs (data), not
      # interpolated into a shell step in this file; the callee is expected to
      # read them via step `env` rather than inline `${{ }}` inside `run:`.
      workflow_ref: '${{ inputs.workflow_ref }}'
      source: 'ref'
      package_ref: '${{ inputs.package_ref }}'
      suite_profile: 'custom'
      docker_lanes: 'update-migration'
      published_upgrade_survivor_baselines: '${{ inputs.baselines }}'
      published_upgrade_survivor_scenarios: '${{ inputs.scenarios }}'
      telegram_mode: 'none'
    secrets: inherit # zizmor: ignore[secrets-inherit] Maintainer-dispatched package acceptance lane intentionally forwards its declared live-test secret matrix.