Guard the remaining Windows Testbox workflow ref logging against GitHub Actions template injection by moving `target_ref` through step env before PowerShell reads it. Extend the local workflow check wrapper to run pinned `zizmor` across every workflow file, and keep Workflow Sanity's CI audit explicit with trusted-base pre-commit and zizmor configs for pull-request runs. Thanks @WT-WSL for the original report and patch. Co-authored-by: dev111-actor <captaintobb@outlook.com>
80 lines
2.7 KiB
TypeScript
import { spawnSync } from "node:child_process";
|
|
import { mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
|
|
import os from "node:os";
|
|
import path from "node:path";
|
|
import { describe, expect, it } from "vitest";
|
|
|
|
const scriptPath = path.resolve("scripts/check-workflows.mjs");
|
|
|
|
describe("check-workflows", () => {
|
|
it("prints an actionable diagnostic when actionlint and go are unavailable", () => {
|
|
const result = spawnSync(process.execPath, [scriptPath], {
|
|
encoding: "utf8",
|
|
env: {
|
|
...process.env,
|
|
PATH: "",
|
|
},
|
|
});
|
|
|
|
expect(result.status).toBe(1);
|
|
expect(result.stderr).toContain("missing workflow linter");
|
|
expect(result.stderr).toContain("install actionlint, Go");
|
|
});
|
|
|
|
it("uses the pinned go fallback and audits all workflows with zizmor", () => {
|
|
const tempDir = mkdtempSync(path.join(os.tmpdir(), "check-workflows-"));
|
|
try {
|
|
const binDir = path.join(tempDir, "bin");
|
|
const markerPath = path.join(tempDir, "go-run.txt");
|
|
const preCommitMarkerPath = path.join(tempDir, "pre-commit.txt");
|
|
mkdirSync(binDir);
|
|
writeFileSync(
|
|
path.join(binDir, "go"),
|
|
[
|
|
"#!/bin/sh",
|
|
'if [ "$1" = "version" ]; then exit 0; fi',
|
|
'if [ "$1" = "run" ]; then printf "%s\\n" "$*" > "$GO_FALLBACK_MARKER"; exit 0; fi',
|
|
"exit 1",
|
|
"",
|
|
].join("\n"),
|
|
{ mode: 0o755 },
|
|
);
|
|
writeFileSync(
|
|
path.join(binDir, "pre-commit"),
|
|
[
|
|
"#!/bin/sh",
|
|
'if [ "$1" = "--version" ]; then exit 0; fi',
|
|
'printf "%s\\n" "$*" >> "$PRE_COMMIT_MARKER"',
|
|
"exit 0",
|
|
"",
|
|
].join("\n"),
|
|
{ mode: 0o755 },
|
|
);
|
|
for (const command of ["python3", "node"]) {
|
|
writeFileSync(path.join(binDir, command), "#!/bin/sh\nexit 0\n", { mode: 0o755 });
|
|
}
|
|
|
|
const result = spawnSync(process.execPath, [scriptPath], {
|
|
encoding: "utf8",
|
|
env: {
|
|
...process.env,
|
|
GO_FALLBACK_MARKER: markerPath,
|
|
PRE_COMMIT_MARKER: preCommitMarkerPath,
|
|
PATH: binDir,
|
|
},
|
|
});
|
|
|
|
expect(result.status).toBe(0);
|
|
expect(readFileSync(markerPath, "utf8")).toContain(
|
|
"github.com/rhysd/actionlint/cmd/actionlint@v1.7.11",
|
|
);
|
|
const preCommitArgs = readFileSync(preCommitMarkerPath, "utf8");
|
|
expect(preCommitArgs).toContain("run --config .pre-commit-config.yaml zizmor --files");
|
|
expect(preCommitArgs).toContain(".github/workflows/ci.yml");
|
|
expect(preCommitArgs).toContain(".github/workflows/windows-testbox-probe.yml");
|
|
} finally {
|
|
rmSync(tempDir, { force: true, recursive: true });
|
|
}
|
|
});
|
|
});
|
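Review bot: The second test ("uses the pinned go fallback and audits all workflows with zizmor") only proves that `pre-commit run --config .pre-commit-config.yaml zizmor --files …` is invoked; its `pre-commit` shim always exits 0, so a wrapper that runs zizmor but ignores its exit status would still pass, and nothing in this file exercises the failing side of the audit. A negative case where the shim exits non-zero and the wrapper's status is asserted non-zero closes that gap; the wrapper's exact failure status is not visible here, so `expect(result.status).not.toBe(0)` is the safe assertion. The "audits all workflows" claim is likewise backed by only two hard-coded paths (`ci.yml`, `windows-testbox-probe.yml`); deriving the expected list from `readdirSync(".github/workflows")` (same `node:fs` module this file already imports from) would catch a wrapper that silently drops a file. Both tests also write `#!/bin/sh` shims with `mode: 0o755`, which presumably cannot run under a Windows test runner — an `it.skipIf(process.platform === "win32")` guard would make that explicit.
```typescript
  it("fails when the zizmor audit exits non-zero", () => {
    const tempDir = mkdtempSync(path.join(os.tmpdir(), "check-workflows-"));
    try {
      const binDir = path.join(tempDir, "bin");
      mkdirSync(binDir);
      // … unchanged: go / python3 / node shims as in the previous test …
      writeFileSync(
        path.join(binDir, "pre-commit"),
        '#!/bin/sh\nif [ "$1" = "--version" ]; then exit 0; fi\nexit 1\n',
        { mode: 0o755 },
      );
      const result = spawnSync(process.execPath, [scriptPath], {
        encoding: "utf8",
        env: {
          ...process.env,
          GO_FALLBACK_MARKER: path.join(tempDir, "go-run.txt"),
          PATH: binDir,
        },
      });
      expect(result.status).not.toBe(0);
    } finally {
      rmSync(tempDir, { force: true, recursive: true });
    }
  });
```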