






















@@ -14,20 +14,96 @@ concurrency:
1414cancel-in-progress: true
15151616jobs:
17-dependency-guard:
17+dependency-guard-detect:
1818if: ${{ !github.event.pull_request.draft }}
1919runs-on: ubuntu-24.04
2020timeout-minutes: 5
21+outputs:
22+autoscrub: ${{ steps.guard.outputs.autoscrub }}
23+autoscrub-owner: ${{ steps.guard.outputs.autoscrub-owner }}
24+autoscrub-repository: ${{ steps.guard.outputs.autoscrub-repository }}
25+steps:
26+ - name: Check out trusted base workflow scripts
27+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
28+with:
29+ref: ${{ github.event.pull_request.base.sha }}
30+persist-credentials: false
31+32+ - name: Detect dependency changes
33+id: guard
34+env:
35+GITHUB_TOKEN: ${{ github.token }}
36+OPENCLAW_DEPENDENCY_GUARD_MODE: detect
37+OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
38+OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
39+run: node scripts/github/dependency-guard.mjs
40+41+dependency-guard-autoscrub:
42+if: ${{ !github.event.pull_request.draft && needs.dependency-guard-detect.outputs.autoscrub == 'true' }}
43+needs: dependency-guard-detect
44+runs-on: ubuntu-24.04
45+timeout-minutes: 5
46+permissions:
47+contents: read
48+issues: write
49+pull-requests: read
50+steps:
51+ - name: Check out trusted base workflow scripts
52+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
53+with:
54+ref: ${{ github.event.pull_request.base.sha }}
55+persist-credentials: false
56+57+ - name: Create autoscrub app token
58+id: app-token
59+continue-on-error: true
60+uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
61+with:
62+app-id: "2729701"
63+private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
64+owner: ${{ needs.dependency-guard-detect.outputs.autoscrub-owner }}
65+repositories: ${{ needs.dependency-guard-detect.outputs.autoscrub-repository }}
66+permission-contents: write
67+68+ - name: Create fallback autoscrub app token
69+id: app-token-fallback
70+continue-on-error: true
71+if: steps.app-token.outcome == 'failure'
72+uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
73+with:
74+app-id: "2971289"
75+private-key: ${{ secrets.GH_APP_PRIVATE_KEY_FALLBACK }}
76+owner: ${{ needs.dependency-guard-detect.outputs.autoscrub-owner }}
77+repositories: ${{ needs.dependency-guard-detect.outputs.autoscrub-repository }}
78+permission-contents: write
79+80+ - name: Remove package lockfile changes
81+env:
82+GITHUB_TOKEN: ${{ github.token }}
83+OPENCLAW_DEPENDENCY_GUARD_AUTOSCRUB_TOKEN: ${{ steps.app-token.outputs.token || steps.app-token-fallback.outputs.token }}
84+OPENCLAW_DEPENDENCY_GUARD_MODE: autoscrub
85+OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
86+OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
87+run: node scripts/github/dependency-guard.mjs
88+89+dependency-guard:
90+if: ${{ !github.event.pull_request.draft && always() }}
91+needs:
92+ - dependency-guard-detect
93+ - dependency-guard-autoscrub
94+runs-on: ubuntu-24.04
95+timeout-minutes: 5
2196steps:
2297 - name: Check out trusted base workflow scripts
2398uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
2499with:
25100ref: ${{ github.event.pull_request.base.sha }}
26101persist-credentials: false
2710228- - name: Label, comment, and guard dependency changes
103+ - name: Enforce dependency guard
29104env:
30105GITHUB_TOKEN: ${{ github.token }}
106+OPENCLAW_DEPENDENCY_GUARD_MODE: enforce
31107OPENCLAW_SECURITY_APPROVERS: vincentkoc,steipete,joshavant
32108OPENCLAW_SECURITY_TEAM_SLUG: openclaw-secops
33109run: node scripts/github/dependency-guard.mjs
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。