Skip to content

Commit 24f2122

Browse files
Sdvegas21claude
andcommitted
ci: set a dummy QSEAL_SECRET for the test jobs (fail-closed allow-paths need a signing secret)
Since the 0.4.x hardening, an allow-path that cannot sign its witness refuses (POLICY_BLOCK) rather than run unsigned — by design. The suite's documented invocation sets QSEAL_SECRET; CI never did, so test_langchain_tool_allows_safe_read went red on the first CI exposure of the fail-closed era. Bisected: same wheels pass with the secret set, fail without it, on both PyPI-installed and repo code. Value is a CI-only dummy, not a credential. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent 28697ce commit 24f2122

2 files changed

Lines changed: 10 additions & 0 deletions

File tree

.github/workflows/clawzero-ci.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,11 @@ jobs:
1818
fail-fast: false
1919
matrix:
2020
python-version: ["3.10", "3.11", "3.12"]
21+
env:
22+
# Since the 0.4.x fail-closed hardening, allow-paths refuse rather than
23+
# run unsigned when no QSEAL secret is present (by design). The suite's
24+
# documented invocation sets one; this is a CI-only dummy, not a secret.
25+
QSEAL_SECRET: ci-only-dummy-qseal-secret
2126

2227
steps:
2328
- uses: actions/checkout@v5
@@ -48,6 +53,8 @@ jobs:
4853
name: Attack Pack Validation
4954
runs-on: ubuntu-latest
5055
needs: test
56+
env:
57+
QSEAL_SECRET: ci-only-dummy-qseal-secret
5158

5259
steps:
5360
- uses: actions/checkout@v5

.github/workflows/test.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ jobs:
1313
matrix:
1414
os: [ubuntu-latest, macos-latest]
1515
python-version: ["3.10", "3.11", "3.12", "3.13"]
16+
env:
17+
# Fail-closed allow-paths need a signing secret; CI-only dummy value.
18+
QSEAL_SECRET: ci-only-dummy-qseal-secret
1619

1720
steps:
1821
- name: Checkout

0 commit comments

Comments
 (0)