vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-06-03 20:24:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
efd5d077345452fd416cd0450ba2b337eaec5a4c
openclaw/scripts/check-workflows.mjs
WT-WSL 462b52f62c fix(ci): guard workflow template injection 
Guard the remaining Windows Testbox workflow ref logging against GitHub Actions template injection by moving `target_ref` through step env before PowerShell reads it.

Extend the local workflow check wrapper to run pinned `zizmor` across every workflow file, and keep Workflow Sanity's CI audit explicit with trusted-base pre-commit and zizmor configs for pull-request runs.

Thanks @WT-WSL for the original report and patch.

Co-authored-by: dev111-actor <captaintobb@outlook.com>
2026-05-31 20:28:40 +01:00

74 lines
2.3 KiB
JavaScript
Raw Blame History

#!/usr/bin/env node
// Runs local workflow sanity checks.
// Uses installed tools when present, otherwise falls back to pinned hooks where
// possible, then runs repo-specific workflow guards.
import { spawnSync } from "node:child_process";
import { readdirSync } from "node:fs";
import { join } from "node:path";
const ACTIONLINT_VERSION = "1.7.11";
const WORKFLOW_DIR = ".github/workflows";
function commandExists(command, args = ["--version"]) {
const result = spawnSync(command, args, { stdio: "ignore" });
return !result.error && result.status === 0;
}
function run(command, args) {
const result = spawnSync(command, args, { stdio: "inherit" });
if (result.error) {
console.error(`[check-workflows] failed to run ${command}: ${result.error.message}`);
process.exit(1);
}
if (result.status !== 0) {
process.exit(result.status ?? 1);
}
}
function workflowFiles() {
return readdirSync(WORKFLOW_DIR)
.filter((file) => file.endsWith(".yml") || file.endsWith(".yaml"))
.toSorted()
.map((file) => join(WORKFLOW_DIR, file));
}
function runPreCommitHook(hook, files) {
const hookArgs = ["run", "--config", ".pre-commit-config.yaml", hook, "--files", ...files];
if (commandExists("pre-commit")) {
run("pre-commit", hookArgs);
return;
}
if (commandExists("python3", ["-m", "pre_commit", "--version"])) {
run("python3", ["-m", "pre_commit", ...hookArgs]);
return;
}
console.error(
`[check-workflows] missing pre-commit runtime for ${hook}: install pre-commit or python3 pre_commit.`,
);
process.exit(1);
}
const workflows = workflowFiles();
if (commandExists("actionlint")) {
run("actionlint", workflows);
} else if (commandExists("go", ["version"])) {
run("go", ["run", `github.com/rhysd/actionlint/cmd/actionlint@v${ACTIONLINT_VERSION}`]);
} else if (
commandExists("pre-commit") ||
commandExists("python3", ["-m", "pre_commit", "--version"])
) {
runPreCommitHook("actionlint", workflows);
} else {
console.error(
`[check-workflows] missing workflow linter: install actionlint, Go ${ACTIONLINT_VERSION} fallback support, or pre-commit.`,
);
process.exit(1);
}
runPreCommitHook("zizmor", workflows);
run("python3", ["scripts/check-composite-action-input-interpolation.py"]);
run("node", ["scripts/check-no-conflict-markers.mjs"]);
Reference in New Issue View Git Blame Copy Permalink