Added dynamic skill-catalog discovery in clawsec-suite (#26)

* feat(clawsec-suite): integrate audit-watchdog and add email-gated setup * fix(clawsec-suite): escape shell env assignments in watchdog setup * fix(lint): remove unnecessary escapes in watchdog exec template * clawsec-suite: add dynamic remote skill catalog discovery with fallback * clawsec-suite: align signed feed defaults and checksum key compatibility * fix(lint): use globalThis fetch/AbortController in catalog script * Revert "fix(lint): remove unnecessary escapes in watchdog exec template" This reverts commit 09e40d2a8861e2d179137467c9ba938776609a56. * Revert "fix(clawsec-suite): escape shell env assignments in watchdog setup" This reverts commit 54d97653a6f8ac14c125ef14c59bca7532cfee15. * Revert "feat(clawsec-suite): integrate audit-watchdog and add email-gated setup" This reverts commit 1ba55dd69ecb7a248a53123277158ce27474d5f7. * fix(openclaw-audit-watchdog): escape shell env interpolation in setup_cron * ci(signing): enforce key consistency across docs, repo, and generated assets * docs(readme): document signing key consistency CI guardrails * chore(clawsec-suite): bump to 0.1.0 and record release changelog * chore(changelog): update to version 0.1.1 and enhance signing key drift control documentation * chore(clawsec-suite): bump version to 0.1.1
2026-06-24 10:51:22 +03:00 · 2026-02-16 13:47:32 +01:00
parent 76778b8bb6
commit 51532bc753
16 changed files with 903 additions and 82 deletions
@@ -25,6 +25,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Auto-discover skills from releases
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -274,6 +277,18 @@ jobs:
          input_file: public/checksums.json
          signature_file: public/checksums.sig

+      - name: Verify generated public signing key matches canonical key
+        run: |
+          set -euo pipefail
+          CANONICAL_FPR=$(openssl pkey -pubin -in clawsec-signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          GENERATED_FPR=$(openssl pkey -pubin -in public/signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          echo "Canonical key fingerprint: $CANONICAL_FPR"
+          echo "Generated key fingerprint: $GENERATED_FPR"
+          if [ "$CANONICAL_FPR" != "$GENERATED_FPR" ]; then
+            echo "::error::public/signing-public.pem fingerprint mismatch vs clawsec-signing-public.pem"
+            exit 1
+          fi
+
      - name: Copy public key to advisory directory
        run: |
          # Clients expect the public key at advisories/feed-signing-public.pem
@@ -36,6 +36,9 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Validate version parity for bumped skills
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
@@ -526,6 +529,9 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      - name: Verify signing key consistency (repo + docs)
+        run: ./scripts/ci/verify_signing_key_consistency.sh
+
      - name: Validate skill exists
        run: |
          SKILL_PATH="${{ steps.parse.outputs.skill_path }}"
@@ -782,6 +788,18 @@ jobs:
          signature_file: release-assets/checksums.sig
          public_key_output: release-assets/signing-public.pem

+      - name: Verify generated release signing key matches canonical key
+        run: |
+          set -euo pipefail
+          CANONICAL_FPR=$(openssl pkey -pubin -in clawsec-signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          GENERATED_FPR=$(openssl pkey -pubin -in release-assets/signing-public.pem -outform DER | sha256sum | awk '{print $1}')
+          echo "Canonical key fingerprint: $CANONICAL_FPR"
+          echo "Generated key fingerprint: $GENERATED_FPR"
+          if [ "$CANONICAL_FPR" != "$GENERATED_FPR" ]; then
+            echo "::error::release-assets/signing-public.pem fingerprint mismatch vs clawsec-signing-public.pem"
+            exit 1
+          fi
+
      - name: Show signed release assets
        run: |
          echo "Signed and verified release-assets/checksums.json"