mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-22 01:41:20 +03:00
chore: update NVD/GHSA advisories - 27 NVD new, 20 NVD updated (#274)
* chore: update NVD/GHSA advisories - 27 NVD new, 20 NVD updated Automated update from NVD CVE and GHSA advisory feeds. Keywords: openclaw, nanoclaw, hermes, picoclaw Poll window: 2026-06-14T07:33:37Z to 2026-06-17T07:44:37.000Z * fix(skill-release): ignore generated advisory mirror updates --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: David Abutbul <David.a@prompt.security>
committed by
GitHub
parent
4a4b547b92
commit
8648aad6d7
@@ -143,6 +143,8 @@ function changedSkillDirs({ root, base, head }) {
|
||||
`${base}...${head}`,
|
||||
"--",
|
||||
"skills/*/**",
|
||||
":(exclude)skills/clawsec-feed/advisories/feed.json",
|
||||
":(exclude)skills/clawsec-feed/advisories/feed.json.sig",
|
||||
":(exclude)skills/*/test/**",
|
||||
":(exclude)skills/*/tests/**",
|
||||
],
|
||||
|
||||
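Review bot: The two new `:(exclude)` pathspecs in the `changedSkillDirs` diff arguments match on path alone, so a hand-edited `feed.json` or `feed.json.sig` in any pull request is skipped by changed-skill detection exactly like the automated refresh. Nothing in this hunk shows where the feed is checked against its detached signature; if another job does that, a comment above the two entries should say so, for example `// generated advisory mirror: integrity comes from the feed signature check, not from release validation`. If no such job exists, these exclusions may leave changes to the advisory data without a gate. The function starts and ends outside the hunk.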
@@ -3,10 +3,12 @@ import { readFile } from 'node:fs/promises';
|
||||
|
||||
const workflowPath = new URL('../.github/workflows/skill-release.yml', import.meta.url);
|
||||
const ciWorkflowPath = new URL('../.github/workflows/ci.yml', import.meta.url);
|
||||
const validateSkillInstallDocsPath = new URL('./ci/validate_skill_install_docs.mjs', import.meta.url);
|
||||
const installClawhubCliPath = new URL('./ci/install_clawhub_cli.sh', import.meta.url);
|
||||
const patchClawhubPayloadPath = new URL('./ci/patch_clawhub_publish_payload.mjs', import.meta.url);
|
||||
const workflow = await readFile(workflowPath, 'utf8');
|
||||
const ciWorkflow = await readFile(ciWorkflowPath, 'utf8');
|
||||
const validateSkillInstallDocs = await readFile(validateSkillInstallDocsPath, 'utf8');
|
||||
const installClawhubCli = await readFile(installClawhubCliPath, 'utf8');
|
||||
const patchClawhubPayload = await readFile(patchClawhubPayloadPath, 'utf8');
|
||||
|
||||
@@ -16,6 +18,16 @@ assert.match(
|
||||
'Skill release workflow must run when any skill package file changes',
|
||||
);
|
||||
|
||||
for (const generatedFeedPath of [
|
||||
'skills/clawsec-feed/advisories/feed.json',
|
||||
'skills/clawsec-feed/advisories/feed.json.sig',
|
||||
]) {
|
||||
assert.ok(
|
||||
workflow.includes(` - '!${generatedFeedPath}'`),
|
||||
`Skill release workflow must not run for generated advisory mirror-only changes to ${generatedFeedPath}`,
|
||||
);
|
||||
}
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/pull_request:[\s\S]*paths:[\s\S]*- '\.github\/workflows\/skill-release\.yml'[\s\S]*- 'scripts\/ci\/\*\*'/,
|
||||
@@ -34,10 +46,20 @@ assert.ok(
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
|
||||
'Skill release validation must ignore test-only skill changes while inspecting release-relevant skill files',
|
||||
/git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
|
||||
'Skill release validation must ignore generated clawsec-feed advisory mirror and test-only changes while inspecting release-relevant skill files',
|
||||
);
|
||||
|
||||
for (const generatedFeedPath of [
|
||||
':(exclude)skills/clawsec-feed/advisories/feed.json',
|
||||
':(exclude)skills/clawsec-feed/advisories/feed.json.sig',
|
||||
]) {
|
||||
assert.ok(
|
||||
validateSkillInstallDocs.includes(`"${generatedFeedPath}"`),
|
||||
`Install-doc validation changed-skill detection must ignore generated advisory mirror-only changes to ${generatedFeedPath}`,
|
||||
);
|
||||
}
|
||||
|
||||
assert.ok(
|
||||
workflow.includes('name = tolower($NF)')
|
||||
&& workflow.includes('name ~ /^(test|spec)[_-]/')
|
||||
@@ -137,8 +159,8 @@ assert.match(
|
||||
|
||||
assert.match(
|
||||
workflow,
|
||||
/Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
|
||||
'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes',
|
||||
/Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
|
||||
'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes except generated advisory mirror files',
|
||||
);
|
||||
|
||||
assert.ok(
|
||||
|
||||
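Review bot: The new `workflow.includes(...)` loop passes as soon as each negated feed path appears once anywhere in the workflow file, so it does not pin the exclusion to a particular trigger or to its position in the `paths:` list. GitHub Actions evaluates path filters in order, and a positive pattern listed after a `!` pattern re-includes the file, so a reordered list would still satisfy this test while the release workflow runs on mirror-only changes again. Consider matching the `paths:` block the way the existing `pull_request:` assertion does, with the `!` entries required after the positive skills pattern (not visible in this diff), and repeating that for each trigger that has a path filter. The `validateSkillInstallDocs.includes(...)` loop has the same any-occurrence weakness, and the widened `[\s\S]*` regexes can match across unrelated steps.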