@@ -60,14 +60,11 @@ jobs:
6060 plugin_contracts_matrix : ${{ steps.manifest.outputs.plugin_contracts_matrix }}
6161 channel_contracts_matrix : ${{ steps.manifest.outputs.channel_contracts_matrix }}
6262 run_checks : ${{ steps.manifest.outputs.run_checks }}
63- checks_matrix : ${{ steps.manifest.outputs.checks_matrix }}
6463 run_checks_node_core_nondist : ${{ steps.manifest.outputs.run_checks_node_core_nondist }}
6564 checks_node_core_nondist_matrix : ${{ steps.manifest.outputs.checks_node_core_nondist_matrix }}
6665 run_checks_node_core_dist : ${{ steps.manifest.outputs.run_checks_node_core_dist }}
67- checks_node_core_dist_matrix : ${{ steps.manifest.outputs.checks_node_core_dist_matrix }}
6866 run_check : ${{ steps.manifest.outputs.run_check }}
6967 run_check_additional : ${{ steps.manifest.outputs.run_check_additional }}
70- run_build_smoke : ${{ steps.manifest.outputs.run_build_smoke }}
7168 run_check_docs : ${{ steps.manifest.outputs.run_check_docs }}
7269 run_control_ui_i18n : ${{ steps.manifest.outputs.run_control_ui_i18n }}
7370 run_checks_windows : ${{ steps.manifest.outputs.run_checks_windows }}
@@ -134,6 +131,7 @@ jobs:
134131 OPENCLAW_CI_RUN_CONTROL_UI_I18N : ${{ github.event_name == 'workflow_dispatch' && 'true' || steps.changed_scope.outputs.run_control_ui_i18n || 'false' }}
135132 OPENCLAW_CI_CHECKOUT_REVISION : ${{ steps.checkout_ref.outputs.sha }}
136133 OPENCLAW_CI_REPOSITORY : ${{ github.repository }}
134+ OPENCLAW_CI_EVENT_NAME : ${{ github.event_name }}
137135 run : |
138136 node --input-type=module <<'EOF'
139137 import { appendFileSync } from "node:fs";
@@ -175,6 +173,7 @@ jobs:
175173 const isCanonicalRepository = process.env.OPENCLAW_CI_REPOSITORY === "openclaw/openclaw";
176174 const docsOnly = parseBoolean(process.env.OPENCLAW_CI_DOCS_ONLY);
177175 const docsChanged = parseBoolean(process.env.OPENCLAW_CI_DOCS_CHANGED);
176+ const eventName = process.env.OPENCLAW_CI_EVENT_NAME ?? "";
178177 const runNode = parseBoolean(process.env.OPENCLAW_CI_RUN_NODE) && !docsOnly;
179178 const runNodeFastOnly =
180179 runNode && parseBoolean(process.env.OPENCLAW_CI_RUN_NODE_FAST_ONLY);
@@ -199,7 +198,7 @@ jobs:
199198 const checksFastCoreTasks = [];
200199 if (runNodeFull) {
201200 checksFastCoreTasks.push(
202- { check_name: "checks-fast-bundled", runtime: "node", task: "bundled" },
201+ { check_name: "checks-fast-bundled-protocol ", runtime: "node", task: "bundled-protocol " },
203202 );
204203 } else {
205204 if (runNodeFastCiRouting) {
@@ -248,21 +247,12 @@ jobs:
248247 runNodeFull ? createChannelContractTestShards() : [],
249248 ),
250249 run_checks: runNodeFull,
251- checks_matrix: createMatrix(
252- runNodeFull
253- ? [
254- { check_name: "checks-node-channels", runtime: "node", task: "channels" },
255- ]
256- : [],
257- ),
258250 run_checks_node_core_nondist: nodeTestNonDistShards.length > 0,
259251 checks_node_core_nondist_matrix: createMatrix(nodeTestNonDistShards),
260252 run_checks_node_core_dist: nodeTestDistShards.length > 0,
261- checks_node_core_dist_matrix: createMatrix(nodeTestDistShards),
262253 run_check: runNodeFull,
263254 run_check_additional: runNodeFull,
264- run_build_smoke: runNodeFull,
265- run_check_docs: docsChanged,
255+ run_check_docs: docsChanged && eventName !== "push",
266256 run_control_ui_i18n: runControlUiI18n,
267257 run_skills_python_job: runSkillsPython,
268258 run_checks_windows: runWindows,
@@ -297,9 +287,9 @@ jobs:
297287 }
298288 EOF
299289
300- # Run the fast security/SCM checks in parallel with scope detection so the
290+ # Run dependency-free security checks in parallel with scope detection so the
301291 # main Node jobs do not have to wait for Python/pre-commit setup.
302- security-scm- fast :
292+ security-fast :
303293 permissions :
304294 contents : read
305295 if : github.event_name != 'pull_request' || !github.event.pull_request.draft
@@ -392,22 +382,6 @@ jobs:
392382 printf 'Auditing workflow files:\n%s\n' "${workflow_files[@]}"
393383 pre-commit run --config "${PRE_COMMIT_CONFIG_PATH:-.pre-commit-config.yaml}" zizmor --files "${workflow_files[@]}"
394384
395- security-dependency-audit :
396- permissions :
397- contents : read
398- if : github.event_name != 'pull_request' || !github.event.pull_request.draft
399- runs-on : ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
400- timeout-minutes : 10
401- steps :
402- - name : Checkout
403- uses : actions/checkout@v6
404- with :
405- ref : ${{ inputs.target_ref || github.sha }}
406- fetch-depth : 1
407- fetch-tags : false
408- persist-credentials : false
409- submodules : false
410-
411385 - name : Setup Node.js
412386 uses : actions/setup-node@v6
413387 with :
@@ -417,35 +391,6 @@ jobs:
417391 - name : Audit production dependencies
418392 run : node scripts/pre-commit/pnpm-audit-prod.mjs --audit-level=high
419393
420- security-fast :
421- permissions : {}
422- needs : [security-scm-fast, security-dependency-audit]
423- if : ${{ !cancelled() && always() && (github.event_name != 'pull_request' || !github.event.pull_request.draft) }}
424- runs-on : ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
425- timeout-minutes : 5
426- steps :
427- - name : Verify fast security jobs
428- env :
429- DEPENDENCY_AUDIT_RESULT : ${{ needs.security-dependency-audit.result }}
430- SCM_RESULT : ${{ needs.security-scm-fast.result }}
431- run : |
432- set -euo pipefail
433- failed=0
434-
435- for result in \
436- "security-scm-fast=${SCM_RESULT}" \
437- "security-dependency-audit=${DEPENDENCY_AUDIT_RESULT}"
438- do
439- job="${result%%=*}"
440- status="${result#*=}"
441- if [ "$status" != "success" ]; then
442- echo "::error::${job} ended with ${status}"
443- failed=1
444- fi
445- done
446-
447- exit "$failed"
448-
449394 # Build dist once for Node-relevant changes and share it with downstream jobs.
450395 # Keep this overlapping with the fast correctness lanes so green PRs get heavy
451396 # test/build feedback sooner instead of waiting behind a full `check` pass.
@@ -733,14 +678,9 @@ jobs:
733678 run : |
734679 set -euo pipefail
735680 case "$TASK" in
736- bundled)
681+ bundled-protocol )
737682 pnpm test:bundled
738- ;;
739- contracts-channels)
740- pnpm test:contracts:channels
741- ;;
742- contracts-plugins)
743- pnpm test:contracts:plugins
683+ pnpm protocol:check
744684 ;;
745685 contracts-plugins-ci-routing)
746686 pnpm test:contracts:plugins
@@ -923,71 +863,6 @@ jobs:
923863 EOF
924864 OPENCLAW_VITEST_INCLUDE_FILE="$include_file" pnpm test:contracts:channels
925865
926- checks-fast-protocol :
927- permissions :
928- contents : read
929- name : " checks-fast-protocol"
930- needs : [preflight]
931- if : needs.preflight.outputs.run_checks_fast == 'true'
932- runs-on : ${{ github.event_name == 'workflow_dispatch' && 'ubuntu-24.04' || (github.repository == 'openclaw/openclaw' && 'blacksmith-4vcpu-ubuntu-2404' || 'ubuntu-24.04') }}
933- timeout-minutes : 30
934- steps :
935- - name : Checkout
936- shell : bash
937- env :
938- CHECKOUT_REPO : ${{ github.repository }}
939- CHECKOUT_SHA : ${{ needs.preflight.outputs.checkout_revision }}
940- CHECKOUT_TOKEN : ${{ github.token }}
941- run : |
942- set -euo pipefail
943-
944- workdir="$GITHUB_WORKSPACE"
945- auth_header="$(printf 'x-access-token:%s' "$CHECKOUT_TOKEN" | base64 | tr -d '\n')"
946-
947- reset_checkout_dir() {
948- mkdir -p "$workdir"
949- find "$workdir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
950- }
951-
952- checkout_attempt() {
953- local attempt="$1"
954-
955- reset_checkout_dir
956- git init "$workdir" >/dev/null
957- git config --global --add safe.directory "$workdir"
958- git -C "$workdir" remote add origin "https://github.com/${CHECKOUT_REPO}"
959- git -C "$workdir" config gc.auto 0
960-
961- timeout --signal=TERM 30s git -C "$workdir" \
962- -c protocol.version=2 \
963- -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth_header}" \
964- fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
965- "+${CHECKOUT_SHA}:refs/remotes/origin/ci-target" || return 1
966-
967- git -C "$workdir" checkout --force --detach "$CHECKOUT_SHA" || return 1
968- test -f "$workdir/.github/actions/setup-node-env/action.yml" || return 1
969- echo "checkout attempt ${attempt}/5 succeeded"
970- }
971-
972- for attempt in 1 2 3 4 5; do
973- if checkout_attempt "$attempt"; then
974- exit 0
975- fi
976- echo "checkout attempt ${attempt}/5 failed"
977- sleep $((attempt * 5))
978- done
979-
980- echo "checkout failed after 5 attempts" >&2
981- exit 1
982-
983- - name : Setup Node environment
984- uses : ./.github/actions/setup-node-env
985- with :
986- install-bun : " false"
987-
988- - name : Run protocol check
989- run : pnpm protocol:check
990-
991866 checks-node-compat :
992867 permissions :
993868 contents : read
@@ -1188,8 +1063,8 @@ jobs:
11881063 fail-fast : false
11891064 matrix :
11901065 include :
1191- - check_name : check-preflight- guards
1192- task : preflight- guards
1066+ - check_name : check-guards
1067+ task : guards
11931068 runner : blacksmith-4vcpu-ubuntu-2404
11941069 - check_name : check-prod-types
11951070 task : prod-types
@@ -1200,15 +1075,9 @@ jobs:
12001075 - check_name : check-dependencies
12011076 task : dependencies
12021077 runner : blacksmith-8vcpu-ubuntu-2404
1203- - check_name : check-policy-guards
1204- task : policy-guards
1205- runner : blacksmith-4vcpu-ubuntu-2404
12061078 - check_name : check-test-types
12071079 task : test-types
12081080 runner : blacksmith-4vcpu-ubuntu-2404
1209- - check_name : check-strict-smoke
1210- task : strict-smoke
1211- runner : blacksmith-4vcpu-ubuntu-2404
12121081 steps :
12131082 - name : Checkout
12141083 shell : bash
@@ -1271,12 +1140,18 @@ jobs:
12711140 run : |
12721141 set -euo pipefail
12731142 case "$TASK" in
1274- preflight- guards)
1143+ guards)
12751144 pnpm check:no-conflict-markers
12761145 pnpm tool-display:check
12771146 pnpm check:host-env-policy:swift
12781147 pnpm dup:check:coverage
12791148 pnpm deps:patches:check
1149+ pnpm lint:webhook:no-low-level-body-read
1150+ pnpm lint:auth:no-pairing-store-group
1151+ pnpm lint:auth:pairing-account-scope
1152+ pnpm check:import-cycles
1153+ # build-artifacts already runs the tsdown/runtime build for the same Node-relevant changes.
1154+ pnpm build:plugin-sdk:strict-smoke
12801155 ;;
12811156 prod-types)
12821157 pnpm tsgo:prod
@@ -1293,19 +1168,9 @@ jobs:
12931168 pnpm deadcode:ci
12941169 fi
12951170 ;;
1296- policy-guards)
1297- pnpm lint:webhook:no-low-level-body-read
1298- pnpm lint:auth:no-pairing-store-group
1299- pnpm lint:auth:pairing-account-scope
1300- pnpm check:import-cycles
1301- ;;
13021171 test-types)
13031172 pnpm check:test-types
13041173 ;;
1305- strict-smoke)
1306- # build-artifacts already runs the tsdown/runtime build for the same Node-relevant changes.
1307- pnpm build:plugin-sdk:strict-smoke
1308- ;;
13091174 *)
13101175 echo "Unsupported check task: $TASK" >&2
13111176 exit 1
@@ -1335,15 +1200,9 @@ jobs:
13351200 - check_name : check-additional-boundaries-a
13361201 group : boundaries
13371202 boundary_shard : 1/4
1338- - check_name : check-additional-boundaries-b
1339- group : boundaries
1340- boundary_shard : 2/4
1341- - check_name : check-additional-boundaries-c
1342- group : boundaries
1343- boundary_shard : 3/4
1344- - check_name : check-additional-boundaries-d
1203+ - check_name : check-additional-boundaries-bcd
13451204 group : boundaries
1346- boundary_shard : 4/4
1205+ boundary_shard : 2/4,3/4, 4/4
13471206 - check_name : check-additional-extension-channels
13481207 group : extension-channels
13491208 - check_name : check-additional-extension-bundled
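Review bot: The merged `check-additional-boundaries-bcd` entry changes `boundary_shard` from a single `N/4` value to a comma-separated list (`2/4,3/4, 4/4`), but no hunk visible on this page touches the step that reads that matrix value. If that step or the script behind it still treats the value as one shard spec, shards 3/4 and 4/4 could be skipped or the command could fail on the list; the consumer sits outside this hunk, so that needs confirming there. A skipped shard would be hard to spot because the three separate check names are gone. I would write the value quoted and without the embedded space, `boundary_shard: "2/4,3/4,4/4"`, so an unquoted shell expansion cannot split it into two words. Once the consumer is confirmed, a comment above the entry such as `# comma-separated shard list; each listed shard must run and any failure fails the job` would record the contract.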