mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-24 01:19:50 +00:00
06a39015f2
Summary: - The branch restricts exact-head ClawSweeper proof markers to GitHub App-authored comments, adds read-only issue-comment token fallback for the proof workflow, and adds focused regression tests plus a changelog entry. - Reproducibility: yes. Source inspection of current main shows any issue comment body with a matching `clawsw ... SHA is accepted without author/App authentication; the PR adds focused negative tests for forged comments. Automerge notes: - PR branch already contained follow-up commit before automerge: fix(ci): authenticate proof verdict markers Validation: - ClawSweeper review passed for headf4c375eaa7. - Required merge gates passed before the squash merge. Prepared head SHA:f4c375eaa7Review: https://github.com/openclaw/openclaw/pull/83692#issuecomment-4479843682 Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com> Co-authored-by: clawsweeper[bot] <274271284+clawsweeper[bot]@users.noreply.github.com> Approved-by: takhoffman Co-authored-by: takhoffman <781889+takhoffman@users.noreply.github.com>
51 lines
1.6 KiB
YAML
51 lines
1.6 KiB
YAML
name: Real behavior proof
|
|
|
|
on:
|
|
pull_request_target: # zizmor: ignore[dangerous-triggers] trusted base checkout only; no untrusted PR code execution
|
|
types: [opened, edited, synchronize, reopened, ready_for_review, labeled, unlabeled]
|
|
|
|
env:
|
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}
|
|
cancel-in-progress: true
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
real-behavior-proof:
|
|
name: Real behavior proof
|
|
permissions:
|
|
contents: read
|
|
issues: read
|
|
pull-requests: read
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
ref: ${{ github.event.pull_request.base.sha }}
|
|
persist-credentials: false
|
|
- uses: actions/create-github-app-token@v3
|
|
id: app-token
|
|
continue-on-error: true
|
|
with:
|
|
app-id: "2729701"
|
|
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
|
permission-issues: read
|
|
permission-members: read
|
|
- uses: actions/create-github-app-token@v3
|
|
id: app-token-fallback
|
|
if: steps.app-token.outcome == 'failure'
|
|
continue-on-error: true
|
|
with:
|
|
app-id: "2971289"
|
|
private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
|
|
permission-issues: read
|
|
permission-members: read
|
|
- name: Check real behavior proof
|
|
env:
|
|
GH_APP_TOKEN: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
run: node scripts/github/real-behavior-proof-check.mjs
|