fix(ci): scope secrets scan to branch changes

2026-04-21 05:32:53 +00:00 · 2026-03-08 22:11:38 +02:00
parent 0ecfd37b44
commit dadd7f99cd
6 changed files with 25 additions and 16 deletions
--- a/src/agents/models-config.applies-config-env-vars.test.ts
+++ b/src/agents/models-config.applies-config-env-vars.test.ts
@@ -22,7 +22,7 @@ describe("models-config", () => {
          models: { providers: {} },
          env: {
            vars: {
-              OPENROUTER_API_KEY: "from-config",
+              OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
              [TEST_ENV_VAR]: "from-config",
            },
          },
@@ -44,13 +44,13 @@ describe("models-config", () => {
  it("does not overwrite already-set host env vars while ensuring models.json", async () => {
    await withTempHome(async () => {
      await withTempEnv(["OPENROUTER_API_KEY", TEST_ENV_VAR], async () => {
-        process.env.OPENROUTER_API_KEY = "from-host";
+        process.env.OPENROUTER_API_KEY = "from-host"; // pragma: allowlist secret
        process.env[TEST_ENV_VAR] = "from-host";
        const cfg: OpenClawConfig = {
          models: { providers: {} },
          env: {
            vars: {
-              OPENROUTER_API_KEY: "from-config",
+              OPENROUTER_API_KEY: "from-config", // pragma: allowlist secret
              [TEST_ENV_VAR]: "from-config",
            },
          },
--- a/src/agents/models-config.providers.matrix.test.ts
+++ b/src/agents/models-config.providers.matrix.test.ts
@@ -39,7 +39,7 @@ async function writeAuthProfiles(
 const MATRIX_CASES: MatrixCase[] = [
  {
    name: "env api key injects a simple provider",
-    env: { NVIDIA_API_KEY: "test-nvidia-key" },
+    env: { NVIDIA_API_KEY: "test-nvidia-key" }, // pragma: allowlist secret
    assertProviders(providers) {
      expect(providers?.nvidia?.apiKey).toBe("NVIDIA_API_KEY");
      expect(providers?.nvidia?.baseUrl).toBe("https://integrate.api.nvidia.com/v1");
@@ -48,7 +48,7 @@ const MATRIX_CASES: MatrixCase[] = [
  },
  {
    name: "env api key injects paired plan providers",
-    env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" },
+    env: { VOLCANO_ENGINE_API_KEY: "test-volcengine-key" }, // pragma: allowlist secret
    assertProviders(providers) {
      expect(providers?.volcengine?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
      expect(providers?.["volcengine-plan"]?.apiKey).toBe("VOLCANO_ENGINE_API_KEY");
@@ -116,7 +116,7 @@ const MATRIX_CASES: MatrixCase[] = [
  },
  {
    name: "explicit vllm config suppresses implicit vllm injection",
-    env: { VLLM_API_KEY: "test-vllm-key" },
+    env: { VLLM_API_KEY: "test-vllm-key" }, // pragma: allowlist secret
    explicitProviders: {
      vllm: {
        baseUrl: "http://127.0.0.1:8000/v1",