mirror of
https://fastgit.cc/github.com/openclaw/openclaw
synced 2026-04-20 21:02:10 +08:00
361750775d
* CI: stabilize live release lanes * CI: widen codex live exclusions * Gateway: stop live config/auth lazy re-imports * CI: mount writable live Docker homes * Live: tighten retry and provider filter overrides * CI: use API-key auth for codex live lanes * CI: fix remaining live lanes * CI: stop forwarding live OpenAI base URLs * Gateway: fix live startup loader regression * CI: stop expanding OpenAI keys in live Docker lanes * CI: stop expanding installer secrets in Docker * CI: tighten live secret boundaries * Gateway: pin Codex harness base URL * CI: fix reusable workflow runner label * CI: avoid template expansion in live ref guard * CI: tighten live trust gate * Gateway: ignore empty Codex harness base URL * CI: stabilize remaining live lanes * CI: harden live retries and canvas auth test * CI: extend cron live probe budget * CI: keep codex harness lane on api-key auth * CI: stage live Docker OpenAI auth via env files * CI: bootstrap codex login for Docker API-key lanes * CI: accept hosted-runner codex fallback responses * CI: accept additional codex sandbox fallback text * CI: accept hosted-runner live fallback variants * CI: accept codex current-model fallback * CI: broaden codex sandbox model fallbacks * CI: cover extra codex sandbox wording * CI: extend cli backend cron retry budget * CI: match codex models fallbacks by predicate * CI: accept configured-models live fallback * CI: relax OpenAI websocket warmup timeout * CI: accept extra codex model fallback wording * CI: generalize codex model fallback matching * CI: retry cron verify cancellation wording * CI: accept interactive codex model entrypoint fallback * Agents: stabilize Claude bundle skill command test * CI: prestage live Docker auth homes * Tests: accept current Codex models wording * CI: stabilize remaining live lanes * Tests: widen CLI backend live timeout * Tests: accept current Codex model summary wording * CI: disable codex-cli image probe in Docker lane * Tests: respect CLI override for Codex Docker login * Tests: accept current Codex session models header * CI: stabilize remaining live validation lanes * CI: preserve Gemini ACP coverage in auth fallback * CI: fix final live validation blockers * CI: restore Codex auth for CLI backend lane * CI: drop local Codex config in live Docker lane * Tests: tolerate Codex cron and model reply drift * Tests: accept current Codex live replies * Tests: retry more Codex cron retry wording * Tests: accept environment-cancelled Codex cron retries * Tests: retry blank Codex cron probe replies * Tests: broaden Codex cron retry wording * Tests: require explicit Codex cron retry replies * Tests: accept current Codex models environment wording * CI: restore trusted Codex config in live lane * CI: bypass nested Codex sandbox in docker * CI: instrument live codex cron lane * CI: forward live CLI resume args * Tests: accept interactive Codex model selection * Tests: bound websocket warm-up live lane * CI: close live lane review gaps * Tests: lazy-load gateway live server * Tests: avoid gateway live loader regression * CI: scope reusable workflow secrets * Tests: tighten codex models live assertion * Tests: normalize OpenAI speech live text
211 lines
7.8 KiB
Bash
211 lines
7.8 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
source "$ROOT_DIR/scripts/lib/live-docker-auth.sh"
|
|
IMAGE_NAME="${OPENCLAW_IMAGE:-openclaw:local}"
|
|
LIVE_IMAGE_NAME="${OPENCLAW_LIVE_IMAGE:-${IMAGE_NAME}-live}"
|
|
CONFIG_DIR="${OPENCLAW_CONFIG_DIR:-$HOME/.openclaw}"
|
|
WORKSPACE_DIR="${OPENCLAW_WORKSPACE_DIR:-$HOME/.openclaw/workspace}"
|
|
PROFILE_FILE="${OPENCLAW_PROFILE_FILE:-$HOME/.profile}"
|
|
CODEX_HARNESS_AUTH_MODE="${OPENCLAW_LIVE_CODEX_HARNESS_AUTH:-codex-auth}"
|
|
TEMP_DIRS=()
|
|
DOCKER_USER="${OPENCLAW_DOCKER_USER:-node}"
|
|
DOCKER_HOME_MOUNT=()
|
|
DOCKER_EXTRA_ENV_FILES=()
|
|
DOCKER_AUTH_PRESTAGED=0
|
|
|
|
case "$CODEX_HARNESS_AUTH_MODE" in
|
|
codex-auth | api-key)
|
|
;;
|
|
*)
|
|
echo "ERROR: OPENCLAW_LIVE_CODEX_HARNESS_AUTH must be one of: codex-auth, api-key." >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
if [[ "$CODEX_HARNESS_AUTH_MODE" == "api-key" && -z "${OPENAI_API_KEY:-}" ]]; then
|
|
echo "ERROR: OPENCLAW_LIVE_CODEX_HARNESS_AUTH=api-key requires OPENAI_API_KEY." >&2
|
|
exit 1
|
|
fi
|
|
|
|
cleanup_temp_dirs() {
|
|
if ((${#TEMP_DIRS[@]} > 0)); then
|
|
rm -rf "${TEMP_DIRS[@]}"
|
|
fi
|
|
}
|
|
trap cleanup_temp_dirs EXIT
|
|
|
|
if [[ -n "${OPENCLAW_DOCKER_CLI_TOOLS_DIR:-}" ]]; then
|
|
CLI_TOOLS_DIR="${OPENCLAW_DOCKER_CLI_TOOLS_DIR}"
|
|
elif [[ "${CI:-}" == "true" || "${GITHUB_ACTIONS:-}" == "true" ]]; then
|
|
CLI_TOOLS_DIR="$(mktemp -d "${RUNNER_TEMP:-/tmp}/openclaw-docker-cli-tools.XXXXXX")"
|
|
TEMP_DIRS+=("$CLI_TOOLS_DIR")
|
|
else
|
|
CLI_TOOLS_DIR="$HOME/.cache/openclaw/docker-cli-tools"
|
|
fi
|
|
if [[ -n "${OPENCLAW_DOCKER_CACHE_HOME_DIR:-}" ]]; then
|
|
CACHE_HOME_DIR="${OPENCLAW_DOCKER_CACHE_HOME_DIR}"
|
|
elif [[ "${CI:-}" == "true" || "${GITHUB_ACTIONS:-}" == "true" ]]; then
|
|
CACHE_HOME_DIR="$(mktemp -d "${RUNNER_TEMP:-/tmp}/openclaw-docker-cache.XXXXXX")"
|
|
TEMP_DIRS+=("$CACHE_HOME_DIR")
|
|
else
|
|
CACHE_HOME_DIR="$HOME/.cache/openclaw/docker-cache"
|
|
fi
|
|
|
|
mkdir -p "$CLI_TOOLS_DIR"
|
|
mkdir -p "$CACHE_HOME_DIR"
|
|
if [[ "${CI:-}" == "true" || "${GITHUB_ACTIONS:-}" == "true" ]]; then
|
|
DOCKER_USER="$(id -u):$(id -g)"
|
|
DOCKER_HOME_DIR="$(mktemp -d "${RUNNER_TEMP:-/tmp}/openclaw-docker-home.XXXXXX")"
|
|
TEMP_DIRS+=("$DOCKER_HOME_DIR")
|
|
DOCKER_HOME_MOUNT=(-v "$DOCKER_HOME_DIR":/home/node)
|
|
fi
|
|
|
|
PROFILE_MOUNT=()
|
|
if [[ -f "$PROFILE_FILE" && -r "$PROFILE_FILE" ]]; then
|
|
PROFILE_MOUNT=(-v "$PROFILE_FILE":/home/node/.profile:ro)
|
|
fi
|
|
|
|
AUTH_FILES=()
|
|
if [[ "$CODEX_HARNESS_AUTH_MODE" != "api-key" ]]; then
|
|
while IFS= read -r auth_file; do
|
|
[[ -n "$auth_file" ]] || continue
|
|
AUTH_FILES+=("$auth_file")
|
|
done < <(openclaw_live_collect_auth_files_from_csv "openai-codex")
|
|
fi
|
|
|
|
AUTH_FILES_CSV=""
|
|
if ((${#AUTH_FILES[@]} > 0)); then
|
|
AUTH_FILES_CSV="$(openclaw_live_join_csv "${AUTH_FILES[@]}")"
|
|
fi
|
|
|
|
if [[ -n "${DOCKER_HOME_DIR:-}" ]]; then
|
|
openclaw_live_stage_auth_into_home "$DOCKER_HOME_DIR" --files "${AUTH_FILES[@]}"
|
|
DOCKER_AUTH_PRESTAGED=1
|
|
fi
|
|
|
|
EXTERNAL_AUTH_MOUNTS=()
|
|
if ((${#AUTH_FILES[@]} > 0)); then
|
|
for auth_file in "${AUTH_FILES[@]}"; do
|
|
auth_file="$(openclaw_live_validate_relative_home_path "$auth_file")"
|
|
host_path="$HOME/$auth_file"
|
|
if [[ -f "$host_path" ]]; then
|
|
EXTERNAL_AUTH_MOUNTS+=(-v "$host_path":/host-auth-files/"$auth_file":ro)
|
|
fi
|
|
done
|
|
fi
|
|
|
|
DOCKER_AUTH_ENV=()
|
|
if [[ "$CODEX_HARNESS_AUTH_MODE" == "api-key" ]]; then
|
|
docker_env_dir="$(mktemp -d "${RUNNER_TEMP:-/tmp}/openclaw-codex-harness-env.XXXXXX")"
|
|
TEMP_DIRS+=("$docker_env_dir")
|
|
docker_env_file="$docker_env_dir/openai.env"
|
|
{
|
|
printf 'OPENAI_API_KEY=%s\n' "${OPENAI_API_KEY}"
|
|
if [[ -n "${OPENAI_BASE_URL:-}" ]]; then
|
|
printf 'OPENAI_BASE_URL=%s\n' "${OPENAI_BASE_URL}"
|
|
fi
|
|
} >"$docker_env_file"
|
|
DOCKER_EXTRA_ENV_FILES+=(--env-file "$docker_env_file")
|
|
fi
|
|
|
|
read -r -d '' LIVE_TEST_CMD <<'EOF' || true
|
|
set -euo pipefail
|
|
[ -f "$HOME/.profile" ] && [ -r "$HOME/.profile" ] && source "$HOME/.profile" || true
|
|
export NPM_CONFIG_PREFIX="${NPM_CONFIG_PREFIX:-$HOME/.npm-global}"
|
|
export npm_config_prefix="$NPM_CONFIG_PREFIX"
|
|
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-$HOME/.cache}"
|
|
export COREPACK_HOME="${COREPACK_HOME:-$XDG_CACHE_HOME/node/corepack}"
|
|
export NPM_CONFIG_CACHE="${NPM_CONFIG_CACHE:-$XDG_CACHE_HOME/npm}"
|
|
export npm_config_cache="$NPM_CONFIG_CACHE"
|
|
# Force the Codex harness to use the staged `~/.codex` auth files. This lane
|
|
# is not meant to exercise raw OpenAI API-key routing unless the lane
|
|
# explicitly opts into API-key auth for CI.
|
|
if [ "${OPENCLAW_LIVE_CODEX_HARNESS_AUTH:-codex-auth}" != "api-key" ]; then
|
|
unset OPENAI_API_KEY OPENAI_BASE_URL
|
|
fi
|
|
mkdir -p "$NPM_CONFIG_PREFIX" "$XDG_CACHE_HOME" "$COREPACK_HOME" "$NPM_CONFIG_CACHE"
|
|
chmod 700 "$XDG_CACHE_HOME" "$COREPACK_HOME" "$NPM_CONFIG_CACHE" || true
|
|
export PATH="$NPM_CONFIG_PREFIX/bin:$PATH"
|
|
if [ "${OPENCLAW_DOCKER_AUTH_PRESTAGED:-0}" != "1" ]; then
|
|
IFS=',' read -r -a auth_files <<<"${OPENCLAW_DOCKER_AUTH_FILES_RESOLVED:-}"
|
|
if ((${#auth_files[@]} > 0)); then
|
|
for auth_file in "${auth_files[@]}"; do
|
|
[ -n "$auth_file" ] || continue
|
|
if [ -f "/host-auth-files/$auth_file" ]; then
|
|
mkdir -p "$(dirname "$HOME/$auth_file")"
|
|
cp "/host-auth-files/$auth_file" "$HOME/$auth_file"
|
|
chmod u+rw "$HOME/$auth_file" || true
|
|
fi
|
|
done
|
|
fi
|
|
fi
|
|
if [ "${OPENCLAW_LIVE_CODEX_HARNESS_AUTH:-codex-auth}" != "api-key" ] && [ ! -s "$HOME/.codex/auth.json" ]; then
|
|
echo "ERROR: missing ~/.codex/auth.json for Codex harness live test." >&2
|
|
exit 1
|
|
fi
|
|
if [ ! -x "$NPM_CONFIG_PREFIX/bin/codex" ]; then
|
|
npm install -g @openai/codex
|
|
fi
|
|
if [ "${OPENCLAW_LIVE_CODEX_HARNESS_AUTH:-codex-auth}" = "api-key" ]; then
|
|
printf '%s\n' "$OPENAI_API_KEY" | "$NPM_CONFIG_PREFIX/bin/codex" login --with-api-key >/dev/null
|
|
fi
|
|
tmp_dir="$(mktemp -d)"
|
|
cleanup() {
|
|
rm -rf "$tmp_dir"
|
|
}
|
|
trap cleanup EXIT
|
|
source /src/scripts/lib/live-docker-stage.sh
|
|
openclaw_live_stage_source_tree "$tmp_dir"
|
|
mkdir -p "$tmp_dir/node_modules"
|
|
cp -aRs /app/node_modules/. "$tmp_dir/node_modules"
|
|
rm -rf "$tmp_dir/node_modules/.vite-temp"
|
|
mkdir -p "$tmp_dir/node_modules/.vite-temp"
|
|
openclaw_live_link_runtime_tree "$tmp_dir"
|
|
openclaw_live_stage_state_dir "$tmp_dir/.openclaw-state"
|
|
openclaw_live_prepare_staged_config
|
|
cd "$tmp_dir"
|
|
pnpm test:live src/gateway/gateway-codex-harness.live.test.ts
|
|
EOF
|
|
|
|
"$ROOT_DIR/scripts/test-live-build-docker.sh"
|
|
|
|
echo "==> Run Codex harness live test in Docker"
|
|
echo "==> Model: ${OPENCLAW_LIVE_CODEX_HARNESS_MODEL:-codex/gpt-5.4}"
|
|
echo "==> Image probe: ${OPENCLAW_LIVE_CODEX_HARNESS_IMAGE_PROBE:-1}"
|
|
echo "==> MCP probe: ${OPENCLAW_LIVE_CODEX_HARNESS_MCP_PROBE:-1}"
|
|
echo "==> Auth mode: $CODEX_HARNESS_AUTH_MODE"
|
|
echo "==> Harness fallback: none"
|
|
echo "==> Auth files: ${AUTH_FILES_CSV:-none}"
|
|
docker run --rm -t \
|
|
-u "$DOCKER_USER" \
|
|
--entrypoint bash \
|
|
-e COREPACK_ENABLE_DOWNLOAD_PROMPT=0 \
|
|
-e HOME=/home/node \
|
|
-e NODE_OPTIONS=--disable-warning=ExperimentalWarning \
|
|
-e OPENCLAW_AGENT_HARNESS_FALLBACK=none \
|
|
-e OPENCLAW_DOCKER_AUTH_PRESTAGED="$DOCKER_AUTH_PRESTAGED" \
|
|
-e OPENCLAW_CODEX_APP_SERVER_BIN="${OPENCLAW_CODEX_APP_SERVER_BIN:-codex}" \
|
|
-e OPENCLAW_DOCKER_AUTH_FILES_RESOLVED="$AUTH_FILES_CSV" \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS_AUTH="$CODEX_HARNESS_AUTH_MODE" \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS=1 \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS_DEBUG="${OPENCLAW_LIVE_CODEX_HARNESS_DEBUG:-}" \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS_IMAGE_PROBE="${OPENCLAW_LIVE_CODEX_HARNESS_IMAGE_PROBE:-1}" \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS_MCP_PROBE="${OPENCLAW_LIVE_CODEX_HARNESS_MCP_PROBE:-1}" \
|
|
-e OPENCLAW_LIVE_CODEX_HARNESS_MODEL="${OPENCLAW_LIVE_CODEX_HARNESS_MODEL:-codex/gpt-5.4}" \
|
|
-e OPENCLAW_LIVE_TEST=1 \
|
|
-e OPENCLAW_VITEST_FS_MODULE_CACHE=0 \
|
|
"${DOCKER_AUTH_ENV[@]}" \
|
|
"${DOCKER_EXTRA_ENV_FILES[@]}" \
|
|
"${DOCKER_HOME_MOUNT[@]}" \
|
|
-v "$CACHE_HOME_DIR":/home/node/.cache \
|
|
-v "$ROOT_DIR":/src:ro \
|
|
-v "$CONFIG_DIR":/home/node/.openclaw \
|
|
-v "$WORKSPACE_DIR":/home/node/.openclaw/workspace \
|
|
-v "$CLI_TOOLS_DIR":/home/node/.npm-global \
|
|
"${EXTERNAL_AUTH_MOUNTS[@]}" \
|
|
"${PROFILE_MOUNT[@]}" \
|
|
"$LIVE_IMAGE_NAME" \
|
|
-lc "$LIVE_TEST_CMD"
|