


















@@ -2,7 +2,7 @@ import { readFileSync } from "node:fs";
22import { describe, expect, it } from "vitest";
33import { parse } from "yaml";
445-const WORKFLOW = ".github/workflows/dependency-change-awareness.yml";
5+const WORKFLOW = ".github/workflows/dependency-guard.yml";
66const CODEOWNERS = ".github/CODEOWNERS";
7788type WorkflowStep = {
@@ -13,19 +13,29 @@ type WorkflowStep = {
1313};
14141515type WorkflowJob = {
16+name?: string;
1617steps?: WorkflowStep[];
1718};
18191920type Workflow = {
2021jobs?: Record<string, WorkflowJob>;
22+name?: string;
2123permissions?: Record<string, string>;
2224};
23252426function readWorkflow(): Workflow {
2527return parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
2628}
272928-describe("dependency change awareness workflow", () => {
30+describe("dependency guard workflow", () => {
31+it("uses the dependency guard check name", () => {
32+const parsed = readWorkflow();
33+34+expect(parsed.name).toBe("Dependency Guard");
35+expect(parsed.jobs).toHaveProperty("dependency-guard");
36+expect(parsed.jobs?.["dependency-guard"]?.name).toBeUndefined();
37+});
38+2939it("uses a metadata-only pull_request_target workflow with minimal write permissions", () => {
3040const workflow = readFileSync(WORKFLOW, "utf8");
3141const parsed = readWorkflow();
@@ -57,29 +67,29 @@ describe("dependency change awareness workflow", () => {
5767expect(workflow).not.toContain(snippet);
5868}
596960-const steps = readWorkflow().jobs?.["dependency-change-awareness"]?.steps ?? [];
70+const steps = readWorkflow().jobs?.["dependency-guard"]?.steps ?? [];
6171expect(steps).toHaveLength(2);
6272expect(steps[0].uses).toBe("actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd");
6373expect(steps[0].with?.ref).toBe("${{ github.event.pull_request.base.sha }}");
6474expect(steps[0].with?.["persist-credentials"]).toBe(false);
65-expect(steps[1].run).toBe("node scripts/github/dependency-change-awareness.mjs");
75+expect(steps[1].run).toBe("node scripts/github/dependency-guard.mjs");
6676});
67776878it("uses a dedicated checked-in script and bounded sticky comments", () => {
6979const workflow = readFileSync(WORKFLOW, "utf8");
70-const steps = readWorkflow().jobs?.["dependency-change-awareness"]?.steps ?? [];
80+const steps = readWorkflow().jobs?.["dependency-guard"]?.steps ?? [];
7181const runStep = steps[1];
72-const script = readFileSync("scripts/github/dependency-change-awareness.mjs", "utf8");
82+const script = readFileSync("scripts/github/dependency-guard.mjs", "utf8");
73837484expect(runStep.env?.OPENCLAW_SECURITY_TEAM_SLUG).toBe("openclaw-secops");
7585expect(runStep.env?.OPENCLAW_SECURITY_APPROVERS).toBe("vincentkoc,steipete,joshavant");
76-expect(workflow).toContain("scripts/github/dependency-change-awareness.mjs");
86+expect(workflow).toContain("scripts/github/dependency-guard.mjs");
7787expect(script).toContain('"dependencies-changed"');
7888expect(script).not.toContain('"blocked: dependencies"');
7989});
80908191it("detects the intended dependency-related file surfaces", () => {
82-const script = readFileSync("scripts/github/dependency-change-awareness.mjs", "utf8");
92+const script = readFileSync("scripts/github/dependency-guard.mjs", "utf8");
8393expect(script).toContain('filename.endsWith("package.json")');
8494expect(script).toContain('filename.endsWith("package-lock.json")');
8595expect(script).toContain('filename.endsWith("npm-shrinkwrap.json")');
@@ -90,7 +100,7 @@ describe("dependency change awareness workflow", () => {
90100});
9110192102it("blocks package lockfile and manifest graph changes unless secops approves the current head sha", () => {
93-const script = readFileSync("scripts/github/dependency-change-awareness.mjs", "utf8");
103+const script = readFileSync("scripts/github/dependency-guard.mjs", "utf8");
94104expect(script).toContain('filename.endsWith("pnpm-lock.yaml")');
95105expect(script).toContain('filename.endsWith("package-lock.json")');
96106expect(script).toContain('filename.endsWith("npm-shrinkwrap.json")');
@@ -110,13 +120,13 @@ describe("dependency change awareness workflow", () => {
110120it("requires secops review for future workflow or guard changes", () => {
111121const codeowners = readFileSync(CODEOWNERS, "utf8");
112122expect(codeowners).toContain(
113-"/.github/workflows/dependency-change-awareness.yml @openclaw/openclaw-secops",
123+"/.github/workflows/dependency-guard.yml @openclaw/openclaw-secops",
114124);
115125expect(codeowners).toContain(
116-"/test/scripts/dependency-change-awareness-workflow.test.ts @openclaw/openclaw-secops",
126+"/test/scripts/dependency-guard-workflow.test.ts @openclaw/openclaw-secops",
117127);
118128expect(codeowners).toContain(
119-"/scripts/github/dependency-change-awareness.mjs @openclaw/openclaw-secops",
129+"/scripts/github/dependency-guard.mjs @openclaw/openclaw-secops",
120130);
121131expect(codeowners).toContain("/package-lock.json @openclaw/openclaw-secops");
122132expect(codeowners).toContain("/npm-shrinkwrap.json @openclaw/openclaw-secops");
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。