






















1+name: Security Sensitive Guard
2+3+on:
4+pull_request_target: # zizmor: ignore[dangerous-triggers] checks trusted base script only; never checks out PR head
5+types: [opened, reopened, synchronize, ready_for_review]
6+7+permissions:
8+contents: read
9+pull-requests: write
10+issues: write
11+12+concurrency:
13+group: security-sensitive-guard-${{ github.event.pull_request.number }}
14+cancel-in-progress: true
15+16+jobs:
17+security-sensitive-guard-detect:
18+if: ${{ !github.event.pull_request.draft }}
19+runs-on: ubuntu-24.04
20+timeout-minutes: 5
21+steps:
22+ - name: Check out trusted base workflow scripts
23+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
24+with:
25+ref: ${{ github.event.pull_request.base.sha }}
26+persist-credentials: false
27+28+ - name: Detect security-sensitive changes
29+env:
30+GITHUB_TOKEN: ${{ github.token }}
31+OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
32+OPENCLAW_SECURITY_SENSITIVE_GUARD_MODE: detect
33+OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
34+run: node scripts/github/security-sensitive-guard.mjs
35+36+security-sensitive-guard:
37+if: ${{ !github.event.pull_request.draft && always() }}
38+needs:
39+ - security-sensitive-guard-detect
40+runs-on: ubuntu-24.04
41+timeout-minutes: 5
42+steps:
43+ - name: Check out trusted base workflow scripts
44+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
45+with:
46+ref: ${{ github.event.pull_request.base.sha }}
47+persist-credentials: false
48+49+ - name: Enforce security-sensitive guard
50+env:
51+GITHUB_TOKEN: ${{ github.token }}
52+OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
53+OPENCLAW_SECURITY_SENSITIVE_GUARD_MODE: enforce
54+OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
55+run: node scripts/github/security-sensitive-guard.mjs
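Review bot: The enforce job's condition `if: ${{ !github.event.pull_request.draft && always() }}` (new-file line 37) makes that job start even when the run has been cancelled, which this workflow does deliberately via `concurrency.cancel-in-progress: true` on every new push; a superseded run will still spin up a runner, check out the base branch and call the GitHub API with a write token before it gets torn down. If the intent is "run regardless of whether detect passed or failed" but not "run after cancellation", the status function to use is `!cancelled()`, i.e. `if: ${{ !github.event.pull_request.draft && !cancelled() }}`. Separately, the three `OPENCLAW_SECURITY_*` values are duplicated verbatim between the detect and enforce steps (lines 31–33 and 52–54), so the approver list and team slug can silently drift apart on a later edit; hoisting them to a workflow-level `env:` block (or at least adding a comment on each step saying they must match) would keep the two modes in agreement. The `pull_request_target` trigger is defensible here since both jobs check out `github.event.pull_request.base.sha` with `persist-credentials: false` and never touch the PR head, but it would help a reviewer to state in the zizmor ignore comment that `pull-requests: write`/`issues: write` are needed only for the script's PR commenting/labeling, assuming that is what the script does.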