diff --git a/.github/workflows/ci-build-artifacts-testbox.yml b/.github/workflows/ci-build-artifacts-testbox.yml index 55027c00..9ed0cf9f 100644 --- a/.github/workflows/ci-build-artifacts-testbox.yml +++ b/.github/workflows/ci-build-artifacts-testbox.yml @@ -135,7 +135,7 @@ jobs: - name: Restore dist build cache id: dist-cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@v5.0.5 with: path: | .artifacts/build-all-cache/ @@ -168,7 +168,7 @@ jobs: - name: Save dist build cache if: steps.dist-cache.outputs.cache-hit != 'true' - uses: actions/cache/save@v5 + uses: actions/cache/save@v5.0.5 with: path: | .artifacts/build-all-cache/ diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cace64ac..75e69e61 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -359,7 +359,7 @@ jobs: python-version: "3.12" - name: Restore pre-commit cache - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: .cache/pre-commit-security-fast key: pre-commit-security-fast-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }} @@ -582,7 +582,7 @@ jobs: run: pnpm ui:i18n:check - name: Cache dist build - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: | dist/ @@ -1553,7 +1553,7 @@ jobs: - name: Cache extension package boundary artifacts id: extension-package-boundary-cache if: matrix.group == 'extension-package-boundary' - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: | dist/plugin-sdk @@ -1871,7 +1871,7 @@ jobs: - name: Save pnpm store cache if: steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true' - uses: actions/cache/save@v5 + uses: actions/cache/save@v5.0.5 continue-on-error: true with: path: ${{ steps.pnpm-cache.outputs.store-path }} 
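Review bot: `actions/cache/restore@v5.0.5` in the first hunk is still a tag reference, and a tag can be re-pointed to another commit by whoever controls the action's repository, so narrowing `v5` to `v5.0.5` does not make the reference immutable. The Docker and Blacksmith actions touched by this same commit are pinned by full commit SHA with the version in a trailing comment, and the cache steps could follow that form: `uses: actions/cache/restore@<full-commit-sha-for-v5.0.5> # v5.0.5`. The same applies to the `actions/cache/save` hunk in this file, to every `actions/cache` hunk in ci.yml, and to the two `openai/codex-action@v1.8` hunks. Of those, the test-performance-agent.yml step passes `openai-api-key` from repository secrets to the action, so a moved tag there would run with access to that key.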
@@ -1968,7 +1968,7 @@ jobs: echo "key=$toolchain_key" >> "$GITHUB_OUTPUT" - name: Cache SwiftPM - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: ~/Library/Caches/org.swift.swiftpm key: ${{ runner.os }}-swiftpm-${{ hashFiles('apps/macos/Package.resolved') }} @@ -1977,7 +1977,7 @@ jobs: - name: Cache Swift build directory id: swift-build-cache - uses: actions/cache@v5 + uses: actions/cache@v5.0.5 with: path: apps/macos/.build key: ${{ runner.os }}-swift-build-v2-${{ steps.swift-toolchain.outputs.key }}-${{ hashFiles('apps/macos/Package.swift', 'apps/macos/Package.resolved', 'apps/macos/Sources/**', 'apps/macos/Tests/**', 'apps/shared/OpenClawKit/Package.swift', 'apps/shared/OpenClawKit/Sources/**', 'Swabble/Package.swift', 'Swabble/Sources/**') }} diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 93806f47..60b35528 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -82,10 +82,10 @@ jobs: fetch-depth: 0 - name: Set up Docker Builder - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -147,7 +147,7 @@ jobs: - name: Build and push amd64 image id: build # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . platforms: linux/amd64 
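Review bot: In the docker-release.yml hunk at `-82,10`, the re-pinned `docker/setup-buildx-action` and `docker/login-action` lines still carry the comment `# v4` although the SHA changed, so the file does not say which release the new commit corresponds to and a reviewer cannot check the pin against an upstream tag. The `docker/build-push-action` line in the same file records the exact release (`# v7.2.0`); writing the others the same way, e.g. `# v4.Y.Z` with the real tag in place of the placeholder, keeps the pins auditable. The same applies to the later `# v4` hunks in docker-release.yml, openclaw-live-and-e2e-checks-reusable.yml and sandbox-common-smoke.yml. It also applies to the `useblacksmith/setup-docker-builder … # v1` and `useblacksmith/build-push-action … # v2` hunks in install-smoke.yml, npm-telegram-beta-e2e.yml and openclaw-live-and-e2e-checks-reusable.yml.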
@@ -180,10 +180,10 @@ jobs: fetch-depth: 0 - name: Set up Docker Builder - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -245,7 +245,7 @@ jobs: - name: Build and push arm64 image id: build # WARNING: KEEP THE OFFICIAL DOCKER ACTION HERE; DO NOT SWITCH THIS BACK TO BLACKSMITH BLINDLY. - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: context: . platforms: linux/arm64 @@ -276,7 +276,7 @@ jobs: fetch-depth: 0 - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} @@ -349,10 +349,10 @@ jobs: fetch-depth: 1 - name: Set up Docker Builder - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Login to GitHub Container Registry - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ${{ env.REGISTRY }} username: ${{ github.repository_owner }} diff --git a/.github/workflows/docs-agent.yml b/.github/workflows/docs-agent.yml index ff439956..a2d8c3dd 100644 --- a/.github/workflows/docs-agent.yml +++ b/.github/workflows/docs-agent.yml 
@@ -149,7 +149,7 @@ jobs: - name: Run Codex docs agent if: steps.gate.outputs.run_agent == 'true' - uses: openai/codex-action@v1 + uses: openai/codex-action@v1.8 env: DOCS_AGENT_BASE_SHA: ${{ steps.gate.outputs.review_base_sha }} DOCS_AGENT_HEAD_SHA: ${{ steps.gate.outputs.review_head_sha }} diff --git a/.github/workflows/install-smoke.yml b/.github/workflows/install-smoke.yml index 14d9e620..4eaad7a7 100644 --- a/.github/workflows/install-smoke.yml +++ b/.github/workflows/install-smoke.yml @@ -103,12 +103,12 @@ jobs: ref: ${{ inputs.ref || github.ref }} - name: Set up Blacksmith Docker Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 # Blacksmith's builder owns the Docker layer cache; keep smoke builds off # explicit gha cache directives so local tags still load cleanly. - name: Build root Dockerfile smoke image - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: . file: ./Dockerfile @@ -210,7 +210,7 @@ jobs: ref: ${{ inputs.ref || github.ref }} - name: Set up Blacksmith Docker Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 # Blacksmith's builder owns the Docker layer cache; keep smoke builds off # explicit gha cache directives so local tags still load cleanly. 
@@ -222,7 +222,7 @@ jobs: # Build once with the matrix extension and tag both smoke names. This # keeps the build-arg coverage without a second Blacksmith build action. - name: Build root Dockerfile smoke image - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: . file: ./Dockerfile @@ -297,7 +297,7 @@ jobs: ' - name: Build installer smoke image - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: ./scripts/docker file: ./scripts/docker/install-sh-smoke/Dockerfile @@ -307,7 +307,7 @@ jobs: provenance: false - name: Build installer non-root image - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: ./scripts/docker file: ./scripts/docker/install-sh-nonroot/Dockerfile @@ -360,7 +360,7 @@ jobs: ref: ${{ inputs.ref || github.ref }} - name: Set up Blacksmith Docker Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 - name: Setup Node environment for package smoke uses: ./.github/actions/setup-node-env diff --git a/.github/workflows/npm-telegram-beta-e2e.yml b/.github/workflows/npm-telegram-beta-e2e.yml index 2dd18804..c5ef5a06 100644 --- a/.github/workflows/npm-telegram-beta-e2e.yml +++ b/.github/workflows/npm-telegram-beta-e2e.yml 
@@ -105,12 +105,12 @@ jobs: fetch-depth: 1 - name: Set up Blacksmith Docker Builder - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 with: max-cache-size-mb: 800000 - name: Build Docker E2E image - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: . file: ./scripts/e2e/Dockerfile diff --git a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml index b8fedfcc..16aa5d6d 100644 --- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml +++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml @@ -503,7 +503,7 @@ jobs: fetch-depth: 1 - name: Log in to GHCR for shared Docker E2E image - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -685,7 +685,7 @@ jobs: fetch-depth: 1 - name: Log in to GHCR for shared Docker E2E image - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -823,7 +823,7 @@ jobs: fetch-depth: 1 - name: Log in to GHCR for shared Docker E2E image - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ github.actor }} 
@@ -1063,7 +1063,7 @@ jobs: - name: Log in to GHCR if: steps.plan.outputs.needs_e2e_image == '1' - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -1112,11 +1112,11 @@ jobs: - name: Setup Docker builder if: steps.image_exists.outputs.needs_build == '1' - uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1 + uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1 - name: Build and push bare Docker E2E image if: steps.plan.outputs.needs_bare_image == '1' && steps.image_exists.outputs.bare_exists != '1' - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: . file: ./scripts/e2e/Dockerfile @@ -1129,7 +1129,7 @@ jobs: - name: Build and push functional Docker E2E image if: steps.plan.outputs.needs_functional_image == '1' && steps.image_exists.outputs.functional_exists != '1' - uses: useblacksmith/build-push-action@cbd1f60d194a98cb3be5523b15134501eaf0fbf3 # v2 + uses: useblacksmith/build-push-action@fb9e3e6a9299c78462bfadd0d93352c316adc9b8 # v2 with: context: . file: ./scripts/e2e/Dockerfile diff --git a/.github/workflows/sandbox-common-smoke.yml b/.github/workflows/sandbox-common-smoke.yml index 54ff9275..084867eb 100644 --- a/.github/workflows/sandbox-common-smoke.yml +++ b/.github/workflows/sandbox-common-smoke.yml @@ -35,7 +35,7 @@ jobs: submodules: false - name: Set up Docker Builder - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4 - name: Build minimal sandbox base (USER sandbox) shell: bash 
diff --git a/.github/workflows/test-performance-agent.yml b/.github/workflows/test-performance-agent.yml index dbf29b83..627c42bb 100644 --- a/.github/workflows/test-performance-agent.yml +++ b/.github/workflows/test-performance-agent.yml @@ -129,7 +129,7 @@ jobs: - name: Run Codex test performance agent if: steps.gate.outputs.run_agent == 'true' - uses: openai/codex-action@v1 + uses: openai/codex-action@v1.8 with: openai-api-key: ${{ secrets.OPENCLAW_TEST_PERF_AGENT_OPENAI_API_KEY || secrets.OPENAI_API_KEY }} prompt-file: .github/codex/prompts/test-performance-agent.md