Files
openclaw/scripts/ci-hydrate-live-auth.sh
2026-07-06 04:20:58 -07:00

121 lines
3.5 KiB
Bash

#!/usr/bin/env bash
set -euo pipefail
profile_path="${1:-${RUNNER_TEMP:-/tmp}/openclaw-live.profile}"
mkdir -p "$(dirname "$profile_path")"
: >"$profile_path"
chmod 600 "$profile_path"
append_profile_env() {
local key="$1"
local value="${!key:-}"
if [[ -z "$value" || "$value" == "undefined" || "$value" == "null" ]]; then
return
fi
printf 'export %s=%q\n' "$key" "$value" >>"$profile_path"
}
write_secret_file() {
local destination="$1"
local source_env="$2"
local value="${!source_env:-}"
if [[ -z "$value" ]]; then
return
fi
mkdir -p "$(dirname "$destination")"
printf '%s' "$value" >"$destination"
chmod 600 "$destination"
}
activate_claude_oauth_access_token() {
local credentials="${OPENCLAW_CLAUDE_CREDENTIALS_JSON:-}"
if [[ -z "$credentials" ]]; then
return
fi
local access_token expires_at now_ms
local min_remaining_ms="$(( 90 * 60 * 1000 ))"
access_token="$(jq -r '.claudeAiOauth.accessToken // empty' <<<"$credentials" 2>/dev/null || true)"
expires_at="$(jq -r '.claudeAiOauth.expiresAt // 0' <<<"$credentials" 2>/dev/null || true)"
now_ms="$(( $(date +%s) * 1000 ))"
if [[ "$access_token" != sk-ant-oat* ]]; then
echo "::warning::Claude credentials JSON has no usable OAuth access token; keeping the configured Anthropic fallback." >&2
return
fi
# Stable live shards can run for an hour, so never shadow the fallback with
# a token that could expire before setup, retries, and cleanup complete.
if ! [[ "$expires_at" =~ ^[0-9]+$ ]] || (( expires_at <= now_ms + min_remaining_ms )); then
echo "::warning::Claude credentials JSON OAuth access token lacks 90 minutes of remaining life; keeping the configured Anthropic fallback." >&2
return
fi
echo "::add-mask::$access_token"
export ANTHROPIC_OAUTH_TOKEN="$access_token"
if [[ -n "${GITHUB_ENV:-}" ]]; then
printf 'ANTHROPIC_OAUTH_TOKEN=%s\n' "$access_token" >>"$GITHUB_ENV"
fi
}
activate_claude_oauth_access_token
for env_key in \
OPENAI_API_KEY \
OPENAI_BASE_URL \
ANTHROPIC_OAUTH_TOKEN \
ANTHROPIC_API_KEY \
ANTHROPIC_API_KEY_OLD \
ANTHROPIC_API_TOKEN \
BYTEPLUS_API_KEY \
CEREBRAS_API_KEY \
DEEPINFRA_API_KEY \
DASHSCOPE_API_KEY \
GROQ_API_KEY \
KIMI_API_KEY \
MODELSTUDIO_API_KEY \
MOONSHOT_API_KEY \
MISTRAL_API_KEY \
MINIMAX_API_KEY \
OPENCODE_API_KEY \
OPENCODE_ZEN_API_KEY \
OPENCLAW_LIVE_BROWSER_CDP_URL \
OPENCLAW_LIVE_SETUP_TOKEN \
OPENCLAW_LIVE_SETUP_TOKEN_MODEL \
OPENCLAW_LIVE_SETUP_TOKEN_PROFILE \
OPENCLAW_LIVE_SETUP_TOKEN_VALUE \
FACTORY_API_KEY \
GEMINI_API_KEY \
GOOGLE_API_KEY \
OPENROUTER_API_KEY \
QWEN_API_KEY \
FAL_KEY \
RUNWAY_API_KEY \
DEEPGRAM_API_KEY \
TOGETHER_API_KEY \
VYDRA_API_KEY \
XAI_API_KEY \
ZAI_API_KEY \
Z_AI_API_KEY \
BYTEPLUS_ACCESS_KEY_ID \
BYTEPLUS_SECRET_ACCESS_KEY \
CLAUDE_CODE_OAUTH_TOKEN \
FIREWORKS_API_KEY
do
append_profile_env "$env_key"
done
write_secret_file "$HOME/.codex/auth.json" OPENCLAW_CODEX_AUTH_JSON
write_secret_file "$HOME/.codex/config.toml" OPENCLAW_CODEX_CONFIG_TOML
write_secret_file "$HOME/.claude.json" OPENCLAW_CLAUDE_JSON
write_secret_file "$HOME/.claude/.credentials.json" OPENCLAW_CLAUDE_CREDENTIALS_JSON
write_secret_file "$HOME/.claude/settings.json" OPENCLAW_CLAUDE_SETTINGS_JSON
write_secret_file "$HOME/.claude/settings.local.json" OPENCLAW_CLAUDE_SETTINGS_LOCAL_JSON
write_secret_file "$HOME/.gemini/settings.json" OPENCLAW_GEMINI_SETTINGS_JSON
if [[ -n "${GITHUB_ENV:-}" ]]; then
{
echo "OPENCLAW_PROFILE_FILE=$profile_path"
} >>"$GITHUB_ENV"
fi