fix(ci): reject fork PR heads for secret-bearing Mantis proof job by BunsDev · Pull Request #80744 · openclaw/openclaw

BunsDev · 2026-05-11T18:41:57Z

Prevent untrusted fork PR heads from running inside the secret-bearing Mantis Telegram proof job, which could allow lifecycle/build scripts in forked code to exfiltrate CI secrets.
The prior implementation relied on an agent prompt and in-process sanitization for downstream child processes, which did not protect earlier pnpm install/build steps in the job.

Update ref validation in .github/workflows/mantis-telegram-desktop-proof.yml to reject fork PR heads during validate_refs and fail the job if the candidate is from a fork, and set candidate_trust="repo-pr-head" for accepted refs.
Remove the prompt-only fork-sandbox claim from .github/codex/prompts/mantis-telegram-desktop-proof.md and document that fork heads are rejected prior to agent-run candidate install/build commands.
Adjust the workflow unit test test/scripts/mantis-telegram-desktop-proof-workflow.test.ts to assert fork PR heads are rejected and that the prompt no longer instructs prompt-only sandboxing.
Commit message: fix(ci): reject fork mantis proof heads.

Ran the focused Vitest test: pnpm test test/scripts/mantis-telegram-desktop-proof-workflow.test.ts -- --reporter=verbose, and the test file passed (8 tests, all green).
Ran workflow lint/sanity: pnpm check:workflows, which completed without errors.
Ran git diff --check to validate no interpolation issues, which returned clean.

fix(ci): reject fork mantis proof heads

b5f2886

BunsDev added codex aardvark labels May 11, 2026 — with ChatGPT Codex Connector

BunsDev added the codex label May 11, 2026

BunsDev closed this May 11, 2026

openclaw-barnacle Bot added size: XS maintainer Maintainer-authored PR labels May 11, 2026

BunsDev deleted the codex/fix-ci-secrets-exposure-in-fork-prs branch May 11, 2026 18:42

Provide feedback