mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-16 10:00:00 +00:00
c778562379
zizmor v1.24.1 reports 8 template-injection findings across three workflow files where GitHub Actions ${{ ... }} expressions are interpolated directly into shell run: blocks. Applies the canonical fix pattern: hoist every dynamic value into a step-level env: block and reference it as a shell variable ("${VAR}") from the script.
Files changed:
- control-ui-locale-refresh.yml: move matrix.locale into env as LOCALE (1 site)
- docker-release.yml: hoist steps.tags.outputs.{value,slim} plus the four needs.build-{amd64,arm64}.outputs.{digest,slim-digest} values into env for both manifest-creation steps (6 sites)
- openclaw-npm-release.yml: hoist steps.publish_tarball.outputs.path into env as PUBLISH_TARBALL_PATH in the Publish step (1 site)
Verified locally with zizmor --persona regular on the three files: 'No findings to report. Good job!'. pnpm format:check and pnpm lint pass.
Refs #68428. Complements #66884, which covers the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml.
|
||
|---|---|---|
| .. | ||
| auto-response.yml | ||
| ci.yml | ||
| codeql.yml | ||
| control-ui-locale-refresh.yml | ||
| docker-release.yml | ||
| docs-sync-publish.yml | ||
| docs-translate-trigger-release.yml | ||
| install-smoke.yml | ||
| labeler.yml | ||
| macos-release.yml | ||
| openclaw-cross-os-release-checks-reusable.yml | ||
| openclaw-live-and-e2e-checks-reusable.yml | ||
| openclaw-npm-release.yml | ||
| openclaw-release-checks.yml | ||
| openclaw-scheduled-live-checks.yml | ||
| parity-gate.yml | ||
| plugin-clawhub-release.yml | ||
| plugin-npm-release.yml | ||
| sandbox-common-smoke.yml | ||
| stale.yml | ||
| workflow-sanity.yml | ||