
ci(actions): optimize main CI lanes #51912

Merged
vincentkoc merged 5 commits into main from ci/main-ci-optimizations
Mar 21, 2026

Conversation

@vincentkoc vincentkoc commented Mar 21, 2026

Summary

  • Problem: main CI is doing redundant work, the Bun lane emits a GitHub Actions Node 20 deprecation warning, and the legacy secrets lane appears unused.
  • Why it matters: The longest main push lane is the Node 22 compatibility lane, the Bun setup warning becomes a reliability risk before the June 2, 2026 GitHub Actions cutoff, and an unused lane adds noise and maintenance surface.
  • What changed: updated the shared Bun setup action, narrowed the Node 22 lane to compatibility/release smoke, reused the existing dist-build artifact for build-smoke on push, and removed the secrets job from ci.yml.
  • What did NOT change (scope boundary): Windows sharding, channel/extension test coverage, and PR-required workflow structure.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Closes #
  • Related #

User-visible / Behavior Changes

None.

Security Impact (required)

  • New permissions/capabilities? (Yes/No): No
  • Secrets/tokens handling changed? (Yes/No): No
  • New/changed network calls? (Yes/No): No
  • Command/tool execution surface changed? (Yes/No): No
  • Data access scope changed? (Yes/No): No
  • If any Yes, explain risk + mitigation:

Repro + Verification

Environment

  • OS: macOS arm64
  • Runtime/container: local repo worktree
  • Model/provider: n/a
  • Integration/channel (if any): GitHub Actions
  • Relevant config (redacted): n/a

Steps

  1. Inspect the latest successful main CI run (23390388316) and identify the critical-path jobs.
  2. Update .github/actions/setup-node-env/action.yml and .github/workflows/ci.yml to remove the Bun deprecation warning, trim redundant main work, and drop the unused secrets lane.
  3. Validate workflow syntax and repo workflow guard checks locally.

Expected

  • The Bun test lane no longer relies on a Node 20-only action.
  • main CI keeps coverage, but the Node 22 lane becomes compatibility smoke instead of a second full Linux test run.
  • build-smoke reuses the existing dist-build artifact on push instead of rebuilding it again.
  • The unused secrets lane no longer runs.

Actual

  • Matches expected in local validation.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Reference run analyzed: https://github.com/openclaw/openclaw/actions/runs/23390388316
Latest upstream Bun action release used: https://github.com/oven-sh/setup-bun/releases/tag/v2.2.0

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: actionlint on .github/workflows/ci.yml; python3 scripts/check-composite-action-input-interpolation.py; repo scripts/committer on touched files.
  • Edge cases checked: build-smoke only downloads artifacts on push, still builds locally on PRs; compat-node22 still exercises build + CLI startup + release packaging surface under Node 22; removing secrets leaves no downstream needs references.
  • What you did not verify: a live GitHub-hosted run of the new workflow matrix after merge.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No): Yes
  • Config/env changes? (Yes/No): No
  • Migration needed? (Yes/No): No
  • If yes, exact upgrade steps:

Failure Recovery (if this breaks)

  • How to disable/revert this change quickly: revert this PR to restore the previous CI behavior.
  • Files/config to restore: .github/actions/setup-node-env/action.yml, .github/workflows/ci.yml
  • Known bad symptoms reviewers should watch for: missing Bun installation on the Bun unit lane, build-smoke failing to find dist-build on push, or a missing check that someone still expected from the removed secrets lane.

Risks and Mitigations

  • Risk: Narrowing the Node 22 lane could miss failures only exposed by the full pnpm test suite on Node 22.
    • Mitigation: Keep build, CLI smoke, bundled plugin singleton, and release-check coverage in the Node 22 lane while full Linux tests continue on the primary Node lanes.
  • Risk: build-smoke artifact reuse on push could drift from PR behavior.
    • Mitigation: PRs still perform a local pnpm build; only push reuses the artifact already produced by build-artifacts.
  • Risk: A hidden dependency on the removed secrets job still exists outside the workflow file.
    • Mitigation: No in-workflow dependencies remain; verify the first PR/main runs for any required-check expectations tied to the old job name.

AI Assistance

  • AI-assisted
  • Testing: locally validated with workflow lint and repo commit wrapper checks

@openclaw-barnacle openclaw-barnacle bot added size: XS maintainer Maintainer-authored PR labels Mar 21, 2026
@vincentkoc vincentkoc marked this pull request as ready for review March 21, 2026 23:01
aisle-research-bot bot commented Mar 21, 2026

🔒 Aisle Security Analysis

We found 2 potential security issue(s) in this PR:

# Severity Title
1 🟡 Medium GitHub Action dependency not pinned to commit SHA (oven-sh/setup-bun)
2 🔵 Low CI security regression: secret-scanning, workflow audit (zizmor), and dependency audit removed from GitHub Actions CI

1. 🟡 GitHub Action dependency not pinned to commit SHA (oven-sh/setup-bun)

Property Value
Severity Medium
CWE CWE-829
Location .github/actions/setup-node-env/action.yml:64-68

Description

The composite action .github/actions/setup-node-env/action.yml uses a third-party GitHub Action by mutable tag rather than pinning to an immutable commit SHA.

  • The uses: oven-sh/setup-bun@v2.2.0 reference can be retagged upstream (intentionally or after compromise)
  • If retagged, CI would execute attacker-controlled code with the workflow's token/permissions and runner environment
  • The change updates the tag from v2.1.3 to v2.2.0 but still does not pin to a specific commit digest

Vulnerable code:

- name: Setup Bun
  if: inputs.install-bun == 'true'
  uses: oven-sh/setup-bun@v2.2.0

Recommendation

Pin third-party actions to an immutable commit SHA, and keep the human-readable tag in a comment for maintenance.

Example:

- name: Setup Bun
  if: inputs.install-bun == 'true'
  # v2.2.0
  uses: oven-sh/setup-bun@<40-char-commit-sha>
  with:
    bun-version: "1.3.9"

Additionally:

  • Use a tool like pinact to automate pinning
  • Enable Dependabot updates for github-actions to keep pinned SHAs updated safely
  • Review the upstream release/commit before bumping versions

2. 🔵 CI security regression: secret-scanning, workflow audit (zizmor), and dependency audit removed from GitHub Actions CI

Property Value
Severity Low
CWE CWE-358
Location .github/workflows/ci.yml:469-495

Description

The .github/workflows/ci.yml workflow removed the entire secrets job that previously performed security checks in CI:

  • Secret scanning / key detection: pre-commit ... detect-private-key
  • Workflow security auditing: pre-commit ... zizmor on changed workflow files
  • Production dependency vulnerability auditing: pre-commit ... pnpm-audit-prod (runs pnpm audit --prod --audit-level=high)

With this job removed, these checks are no longer enforced on CI runs (push/PR). While the hooks still exist in .pre-commit-config.yaml, they are now developer-optional rather than CI-enforced, reducing detection of committed secrets, insecure workflow modifications, and vulnerable production dependencies.

Relevant removed CI block (from this change):

  secrets:
    ...
      - name: Detect committed private keys
        run: pre-commit run --all-files detect-private-key

      - name: Audit changed GitHub workflows with zizmor
        ...
        run: |
          ...
          pre-commit run zizmor --files "${workflow_files[@]}"

      - name: Audit production dependencies
        run: pre-commit run --all-files pnpm-audit-prod

No equivalent checks appear elsewhere in the GitHub workflows after this change (search across .github/workflows/*.yml|*.yaml found no remaining usage of detect-private-key, zizmor, or pnpm-audit-prod).

Recommendation

Re-introduce CI enforcement for these security checks (either restore the secrets job in ci.yml or move it into a dedicated security workflow that runs on pull_request and push).

Example (restore a dedicated job):

secrets:
  if: github.event_name != 'pull_request' || !github.event.pull_request.draft
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v6
      with:
        fetch-depth: 0

    - uses: actions/setup-python@v6
      with:
        python-version: '3.12'

    - name: Install pre-commit
      run: |
        python -m pip install --upgrade pip
        python -m pip install pre-commit

    - name: Detect committed private keys
      run: pre-commit run --all-files detect-private-key

    - name: Audit changed workflows with zizmor
      env:
        BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.before }}
      run: |
        set -euo pipefail
        mapfile -t workflow_files < <(git diff --name-only "${BASE_SHA}" HEAD -- '.github/workflows/*.yml' '.github/workflows/*.yaml')
        [ ${#workflow_files[@]} -eq 0 ] || pre-commit run zizmor --files "${workflow_files[@]}"

    - name: Audit production dependencies
      run: pre-commit run --all-files pnpm-audit-prod

Also consider making CodeQL run on a schedule and/or on push/PR (it currently appears to be workflow_dispatch only).


Analyzed PR: #51912 at commit 499c36a

Last updated on: 2026-03-22T00:12:52Z
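Two guards for the points raised above, as an added example written for this thread; it is not code from openclaw, Aisle, Codex or Greptile. The function names, the sample YAML and the SHA in PLACEHOLDER_PINS are constructed, and resolving a tag to a real commit is left to the operator. audit() and pin_line() implement finding 1 and go a little beyond it: besides mutable tags they flag abbreviated SHAs and bare owner/repo references with no @ref, and skip local ./ actions and docker:// images, which are pinned differently. missing_checks() addresses finding 2 (the same gap the Codex P1 comment below raises) as a regression guard: it reports which of detect-private-key, zizmor and pnpm-audit-prod appear in no run: step, counting block scalars but not comments or step names, so it could sit next to the repo's own workflow guard script and fail CI when a lane is dropped without a replacement.

```python
"""CI-hygiene guards for GitHub Actions workflow and composite-action YAML.
Added example for this thread, not openclaw code or the review bots' tooling;
all SHAs and YAML samples below are constructed placeholders. It scans YAML
text line by line (no PyYAML): audit()/pin_line() find `uses:` references not
pinned to a full commit SHA and rewrite them as `@<sha> # <tag>` from a map you
verified; missing_checks() reports required commands found in no `run:` step."""
import re
from collections import namedtuple

USES_RE = re.compile(r"^(?P<indent>\s*(?:-\s+)?)uses:\s*(?P<value>\S+).*$")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REQUIRED_CHECKS = ("detect-private-key", "zizmor", "pnpm-audit-prod")
Finding = namedtuple("Finding", "line_no action ref reason")

def unpinned_reason(value):
    """Why a `uses:` value is not SHA-pinned, or None if no pin is needed
    (local ./ actions are repo-controlled; docker:// images use digests)."""
    if value.startswith(("./", "docker://")):
        return None
    if "@" not in value:
        return "no @ref (resolves to the default branch)"
    ref = value.rsplit("@", 1)[1]
    if FULL_SHA_RE.fullmatch(ref):
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "abbreviated SHA; pin the full 40-character commit SHA"
    return f"mutable tag or branch {ref!r} can be retargeted upstream"

def audit(text):
    """Return a Finding for every unpinned `uses:` line in the YAML text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        value = m.group("value").strip("\"'") if m else None
        if value and (reason := unpinned_reason(value)):
            action, _, ref = value.rpartition("@")
            findings.append(Finding(n, action or value, ref, reason))
    return findings

def pin_line(line, tag_to_sha):
    """Rewrite `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag` when
    tag_to_sha (keyed "owner/repo@tag") has a verified full SHA; else unchanged."""
    m = USES_RE.match(line)
    value = m.group("value").strip("\"'") if m else ""
    sha = tag_to_sha.get(value)
    if sha is None or not FULL_SHA_RE.fullmatch(sha):
        return line
    action, _, tag = value.rpartition("@")
    return f"{m.group('indent')}uses: {action}@{sha} # {tag}"

def missing_checks(workflow_texts, required=REQUIRED_CHECKS):
    """Names from `required` found in no `run:` step (block scalars included);
    mentions in comments or step names do not count as enforced."""
    seen, indent = set(), (lambda s: len(s) - len(s.lstrip()))
    for text in workflow_texts:
        run_indent = None  # indentation of the `run:` key we are inside, if any
        for line in text.splitlines():
            if RUN_RE.match(line):
                run_indent = indent(line)
            elif run_indent is not None and not line.strip():
                continue  # a blank line inside a block scalar keeps the step open
            elif run_indent is None or indent(line) <= run_indent:
                run_indent = None
                continue
            seen.update(name for name in required if name in line)
    return [name for name in required if name not in seen]

SAMPLE_ACTION_YML = """\
steps:
  - uses: ./.github/actions/ensure-base-commit
  - name: Setup Bun
    uses: oven-sh/setup-bun@v2.2.0
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
"""
SAMPLE_CI = """\
jobs:
  build-smoke:
    steps:
      - name: Build (zizmor is named here, but not in a run step)
        run: pnpm build
  secrets:
    steps:
      - run: pre-commit run --all-files detect-private-key
      - name: Audit changed GitHub workflows with zizmor
        run: |
          set -euo pipefail

          pre-commit run zizmor --files "${workflow_files[@]}"
      - run: pre-commit run --all-files pnpm-audit-prod
"""
SAMPLE_CI_TRIMMED = SAMPLE_CI.split("  secrets:\n")[0]  # the lane dropped, as in this PR
# Placeholder, NOT the real setup-bun commit: resolve it yourself with
# `git ls-remote --tags https://github.com/oven-sh/setup-bun v2.2.0` and review it.
PLACEHOLDER_PINS = {"oven-sh/setup-bun@v2.2.0": "a" * 40}

if __name__ == "__main__":
    for f in audit(SAMPLE_ACTION_YML):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
    print(pin_line("    uses: oven-sh/setup-bun@v2.2.0", PLACEHOLDER_PINS))
    print("dropped checks:", missing_checks([SAMPLE_CI_TRIMMED]))
```

Run as a script it prints the one unpinned reference in the sample, its pinned rewrite, and the three checks the trimmed sample lost. For the real pin, git ls-remote prints the tag's object id; for an annotated tag the `^{}` (peeled) line is the commit to use, and the advice above to review that commit before bumping still applies.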

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc46e01a48

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR makes two targeted CI optimizations: bumps oven-sh/setup-bun from v2.1.3 to v2.2.0 to eliminate the Node 20 deprecation warning before the June 2026 GitHub Actions cutoff, and narrows the compat-node22 matrix lane from a full pnpm test run to a focused CLI smoke + singleton + release-check suite, while making build-smoke reuse the artifact uploaded by build-artifacts on push events instead of rebuilding from scratch.

Key changes:

  • setup-node-env/action.yml: oven-sh/setup-bun@v2.1.3 → v2.2.0 — straightforward upstream version pin to resolve the pending deprecation warning.
  • compat-node22 lane: replaces pnpm test with node openclaw.mjs --help, node openclaw.mjs status --json --timeout 1, pnpm test:build:singleton, node scripts/stage-bundled-plugin-runtime-deps.mjs, and node --import tsx scripts/release-check.ts. Full test coverage continues on the primary Node lanes; Node 22 is now a compatibility + release smoke check.
  • build-smoke artifact reuse: adds build-artifacts to needs with an explicit needs.build-artifacts.result == 'success' guard in the if condition. On push, a download-artifact@v8 step provides the already-built dist/; on pull_request, the original pnpm build still runs. The build-artifacts in needs is correctly handled for PRs because the explicit needs.build-artifacts.result reference in the if expression causes GitHub Actions to evaluate the condition (rather than auto-skip the job) when build-artifacts is itself skipped.

Confidence Score: 5/5

  • Safe to merge; changes are narrowly scoped CI optimizations with correct conditional logic and no behavioral impact on the application.
  • Both changed files contain targeted, well-reasoned CI configuration updates. The build-artifacts/build-smoke dependency logic is correct: the explicit needs.build-artifacts.result reference in the if expression ensures GitHub Actions evaluates the condition (rather than auto-skipping) when build-artifacts is skipped on PRs. The compat-node22 command change reduces redundant work while keeping the coverage that matters for Node 22 compatibility. The setup-bun version bump is a routine maintenance update. No application code is touched.
  • No files require special attention.

Last reviewed commit: "Merge branch 'main' ..."

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 74ad0521ab

@openclaw-barnacle openclaw-barnacle bot added the cli CLI command changes label Mar 21, 2026
@vincentkoc vincentkoc merged commit 9854466 into main Mar 21, 2026
1 check passed
@vincentkoc vincentkoc deleted the ci/main-ci-optimizations branch March 21, 2026 23:16
@openclaw-barnacle openclaw-barnacle bot removed the cli CLI command changes label Mar 21, 2026
@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 499c36a72f

Comment on lines 492 to 495
- name: Test skill Python scripts
run: python -m pytest -q skills

secrets:
if: github.event_name != 'pull_request' || !github.event.pull_request.draft
runs-on: blacksmith-16vcpu-ubuntu-2404
steps:
- name: Checkout
uses: actions/checkout@v6
with:
submodules: false

- name: Ensure secrets base commit
uses: ./.github/actions/ensure-base-commit
with:
base-sha: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
fetch-ref: ${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}

- name: Setup Node environment
uses: ./.github/actions/setup-node-env
with:
install-bun: "false"
use-sticky-disk: "false"
install-deps: "false"

- name: Setup Python
id: setup-python
uses: actions/setup-python@v6
with:
python-version: "3.12"
cache: "pip"
cache-dependency-path: |
pyproject.toml
.pre-commit-config.yaml
.github/workflows/ci.yml

- name: Restore pre-commit cache
uses: actions/cache@v5
with:
path: ~/.cache/pre-commit
key: pre-commit-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}

- name: Install pre-commit
run: |
python -m pip install --upgrade pip
python -m pip install pre-commit

- name: Detect committed private keys
run: pre-commit run --all-files detect-private-key

- name: Audit changed GitHub workflows with zizmor
env:
BASE_SHA: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
run: |
set -euo pipefail

if [ -z "${BASE_SHA:-}" ] || [ "${BASE_SHA}" = "0000000000000000000000000000000000000000" ]; then
echo "No usable base SHA detected; skipping zizmor."
exit 0
fi

if ! git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null; then
echo "Base SHA ${BASE_SHA} is unavailable; skipping zizmor."
exit 0
fi

mapfile -t workflow_files < <(
git diff --name-only "${BASE_SHA}" HEAD -- '.github/workflows/*.yml' '.github/workflows/*.yaml'
)
if [ "${#workflow_files[@]}" -eq 0 ]; then
echo "No workflow changes detected; skipping zizmor."
exit 0
fi

printf 'Auditing workflow files:\n%s\n' "${workflow_files[@]}"
pre-commit run zizmor --files "${workflow_files[@]}"

- name: Audit production dependencies
run: pre-commit run --all-files pnpm-audit-prod

checks-windows:
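Review bot: the zizmor step in this removed job only ever audited files matching '.github/workflows/*.yml' and '.github/workflows/*.yaml' (the git diff pathspec in the "Audit changed GitHub workflows with zizmor" step), so composite actions under .github/actions/, including the setup-node-env/action.yml this PR edits, were never covered even while the lane existed; and each of its three "skipping zizmor" branches exits 0, so a push whose github.event.before is all zeros (new branch, force-push) or whose base commit was not fetched passes with no workflow audit at all. If the lane is restored or narrowed instead of dropped, add '.github/actions/*/action.yml' to the pathspec and run `pre-commit run zizmor --all-files` in the no-usable-base case rather than `exit 0`. Note also that the detect-private-key and pnpm-audit-prod steps already run with --all-files and need no base SHA, so they are cheap to keep on their own even if the diff-scoped zizmor step is what costs time.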
P1: Restore secret and dependency audit lane

Removing the secrets job drops all CI enforcement for detect-private-key, zizmor, and pnpm-audit-prod; after this commit, those checks are no longer run anywhere in .github/workflows (I checked workflow definitions), so PRs and pushes can merge with committed private keys, risky workflow changes, or vulnerable production dependencies that CI previously blocked. If the goal is to reduce runtime, this lane should be narrowed, not removed without an equivalent replacement.

JohnJAS pushed a commit to JohnJAS/openclaw that referenced this pull request Mar 22, 2026
* ci(actions): optimize main ci lanes

* ci(actions): drop unused secrets lane

* ci(actions): keep build-smoke on prs
pholpaphankorn pushed a commit to pholpaphankorn/openclaw that referenced this pull request Mar 22, 2026
* ci(actions): optimize main ci lanes

* ci(actions): drop unused secrets lane

* ci(actions): keep build-smoke on prs
MaheshBhushan pushed a commit to MaheshBhushan/openclaw that referenced this pull request Mar 22, 2026
* ci(actions): optimize main ci lanes

* ci(actions): drop unused secrets lane

* ci(actions): keep build-smoke on prs
frankekn pushed a commit to artwalker/openclaw that referenced this pull request Mar 23, 2026
* ci(actions): optimize main ci lanes

* ci(actions): drop unused secrets lane

* ci(actions): keep build-smoke on prs
furaul pushed a commit to furaul/openclaw that referenced this pull request Mar 24, 2026
* ci(actions): optimize main ci lanes

* ci(actions): drop unused secrets lane

* ci(actions): keep build-smoke on prs
Labels

maintainer Maintainer-authored PR size: S
