Summary

• Problem: the CI secrets audit lane needs to remain active, and Docker Release currently has no explicit cross-run Buildx cache.
• Why it matters: removing secrets drops detect-private-key, zizmor, and pnpm-audit-prod; missing Docker layer cache leaves the expensive image builds cold on each run.
• What changed: restored the secrets job in ci.yml and added GitHub Actions Buildx cache scopes to docker-release.yml for amd64 and arm64 image builds.
• What did NOT change (scope boundary): branch-protection policy, Docker tags/manifest flow, and the rest of the CI matrix.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related ci(actions): optimize main CI lanes #51912

User-visible / Behavior Changes

None.

Security Impact (required)

• New permissions/capabilities? (Yes/No): No
• Secrets/tokens handling changed? (Yes/No): No
• New/changed network calls? (Yes/No): No
• Command/tool execution surface changed? (Yes/No): No
• Data access scope changed? (Yes/No): No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS arm64
• Runtime/container: local repo worktree
• Model/provider: n/a
• Integration/channel (if any): GitHub Actions
• Relevant config (redacted): n/a

Steps

1. Restore the secrets audit job in .github/workflows/ci.yml.
2. Add type=gha Buildx cache scopes in .github/workflows/docker-release.yml for amd64 and arm64 image builds.
3. Validate the workflow files locally.

Expected

• CI keeps the private-key, workflow, and production dependency audit coverage.
• Docker Release can reuse GitHub-hosted Buildx cache across runs per architecture.

Actual

• Matches expected in local validation.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Referenced runs:

• Docker Release run inspected: https://github.com/openclaw/openclaw/actions/runs/23391043932

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: actionlint on .github/workflows/ci.yml and .github/workflows/docker-release.yml; repo scripts/committer on touched files.
• Edge cases checked: audit lane restored exactly; Docker cache scopes split by architecture so amd64 and arm64 caches do not collide.
• What you did not verify: a live completed Docker Release run after the cache change lands.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No): Yes
• Config/env changes? (Yes/No): No
• Migration needed? (Yes/No): No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert this PR.
• Files/config to restore: .github/workflows/ci.yml, .github/workflows/docker-release.yml
• Known bad symptoms reviewers should watch for: missing secrets check, or Docker Release builds failing to read/write Buildx cache.

Risks and Mitigations

• Risk: GitHub Actions cache for Buildx can be flaky under cache pressure.
  • Mitigation: cache is additive only; the build still works without hits.
• Risk: restored secrets lane increases CI time slightly.
  • Mitigation: it restores previously required audit coverage and remains lightweight compared with test lanes.

AI Assistance

• AI-assisted
• Testing: locally validated with workflow lint and repo commit wrapper checks