openclaw

mirror of https://fastgit.cc/github.com/openclaw/openclaw synced 2026-05-01 06:36:23 +08:00

Files

Viz c778562379 ci(security): harden workflow steps against template-injection (#68431 )

zizmor v1.24.1 reports 8 template-injection findings across three workflow files where GitHub Actions ${{ ... }} expressions are interpolated directly into shell run: blocks. Applies the canonical fix pattern: hoist every dynamic value into a step-level env: block and reference it as a shell variable ("${VAR}") from the script.

Files changed:

- control-ui-locale-refresh.yml: move matrix.locale into env as LOCALE (1 site)

- docker-release.yml: hoist steps.tags.outputs.{value,slim} plus the four needs.build-{amd64,arm64}.outputs.{digest,slim-digest} values into env for both manifest-creation steps (6 sites)

- openclaw-npm-release.yml: hoist steps.publish_tarball.outputs.path into env as PUBLISH_TARBALL_PATH in the Publish step (1 site)

Verified locally with zizmor --persona regular on the three files: 'No findings to report. Good job!'. pnpm format:check and pnpm lint pass.

Refs #68428. Complements #66884, which covers the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml.

2026-04-18 02:04:55 -04:00

actions

ci: align pnpm pins and vitest config

2026-04-04 05:44:29 +01:00

codeql

CI: scope CodeQL JavaScript analysis

2026-03-08 10:29:56 -07:00

instructions

Centralize date/time formatting utilities (#11831 )

2026-02-08 04:53:31 -08:00

ISSUE_TEMPLATE

docs: add beta blocker contributor guidance (#55199 )