security: Command injection risk in verify.sh openclaw port check #2157
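name: Trigger Discovery

on:
  schedule:
    - cron: '0 0 */3 * *'
  issues:
    types: [opened, reopened, labeled]
  workflow_dispatch:

# The job never uses GITHUB_TOKEN (it only calls an external endpoint with
# repository secrets), so grant the token no permissions at all.
permissions: {}

jobs:
  trigger:
    runs-on: ubuntu-latest
    timeout-minutes: 2
    # Only trigger on issues with safe-to-work AND (cloud-request or agent-request) labels, or schedule/manual
    if: >-
      github.event_name != 'issues' ||
      (contains(github.event.issue.labels.*.name, 'safe-to-work') &&
      (contains(github.event.issue.labels.*.name, 'cloud-request') ||
      contains(github.event.issue.labels.*.name, 'agent-request')))
    steps:
      - name: Trigger discovery cycle
        env:
          SPRITE_URL: ${{ secrets.DISCOVERY_SPRITE_URL }}
          TRIGGER_SECRET: ${{ secrets.DISCOVERY_TRIGGER_SECRET }}
          # Context values are handed to the script through the environment
          # instead of being interpolated into the script text, so the shell
          # never parses them. (event_name is a fixed set and issue.number is
          # an integer, but env is the form that stays safe if this is extended.)
          REASON: ${{ github.event_name }}
          ISSUE_NUMBER: ${{ github.event.issue.number || '' }}
        run: |
          # Fail with a clear annotation instead of a bare curl error when the
          # secrets are missing (an empty SPRITE_URL would yield the URL "/trigger?...").
          if [ -z "${SPRITE_URL}" ] || [ -z "${TRIGGER_SECRET}" ]; then
            echo "::error::DISCOVERY_SPRITE_URL / DISCOVERY_TRIGGER_SECRET are not configured"
            exit 1
          fi

          RESPONSE="$(mktemp)"

          # The default step shell is `bash -e`. Without `|| true`, a transport
          # failure (curl exit != 0, which still prints "000" via -w) would abort
          # the assignment and never reach the `*)` branch that reports it.
          HTTP_CODE=$(curl -sS --connect-timeout 15 --max-time 30 \
            -o "${RESPONSE}" -w "%{http_code}" -X POST \
            "${SPRITE_URL}/trigger?reason=${REASON}&issue=${ISSUE_NUMBER}" \
            -H "Authorization: Bearer ${TRIGGER_SECRET}") || true

          BODY=$(cat "${RESPONSE}" 2>/dev/null || echo '{}')
          rm -f "${RESPONSE}"

          # The body is produced by a remote server. Disable workflow-command
          # processing while it is printed so a response containing "::error::",
          # "::add-mask::" etc. cannot drive the runner; the marker is random so
          # the response cannot re-enable processing itself.
          MARKER=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
          echo "::stop-commands::${MARKER}"
          echo "$BODY"
          echo "::${MARKER}::"

          case "$HTTP_CODE" in
            2*)
              echo "::notice::Trigger accepted (HTTP $HTTP_CODE)"
              ;;
            409)
              echo "::notice::Run already in progress — this is expected (HTTP 409)"
              ;;
            429)
              echo "::warning::Server at capacity (HTTP 429)"
              ;;
            *)
              # Covers 4xx/5xx as well as "000" (no HTTP response at all).
              echo "::error::Trigger failed (HTTP $HTTP_CODE)"
              exit 1
              ;;
          esac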