CI: remove npm release preview workflow (#52825)

* CI: remove npm release preview workflow * Docs: align release maintainer skill with manual publish * Docs: expand release maintainer skill flow
2026-03-27 09:21:35 +07:00 · 2026-03-23 13:35:57 +01:00
parent 41850c3880
commit cd7d49b48e
3 changed files with 39 additions and 114 deletions
--- a/.agents/skills/openclaw-release-maintainer/SKILL.md
+++ b/.agents/skills/openclaw-release-maintainer/SKILL.md
@@ -11,7 +11,9 @@ Use this skill for release and publish-time workflow. Keep ordinary development

 - Do not change version numbers without explicit operator approval.
 - Ask permission before any npm publish or release step.
- Use the private maintainer release docs for the actual runbook and `docs/reference/RELEASING.md` for public policy.
+- This skill should be sufficient to drive the normal release flow end-to-end.
+- Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
+- Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.

 ## Keep release channel naming aligned

@@ -31,6 +33,8 @@ Use this skill for release and publish-time workflow. Keep ordinary development
  - `apps/macos/Sources/OpenClaw/Resources/Info.plist`
  - `docs/install/updating.md`
  - Peekaboo Xcode project and plist version fields
+- Before creating a release tag, make every version location above match the version encoded by that tag.
+- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
 - “Bump version everywhere” means all version locations above except `appcast.xml`.
 - Release signing and notary credentials live outside the repo in the private maintainer docs.

@@ -62,13 +66,45 @@ For a non-root smoke path:
 OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke
 ```

+## Check all relevant release builds
+
+- Always validate the core npm release path before creating the tag.
+- Default core release checks:
+  - `pnpm check`
+  - `pnpm build`
+  - `node --import tsx scripts/release-check.ts`
+  - `pnpm release:check`
+  - `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke`
+- Check all release-related build surfaces touched by the release, not only the npm package.
+- Include mac release readiness in preflight:
+  - if the release includes mac artifacts, run or inspect the mac packaging/notary/appcast flow
+  - if the release does not include mac artifacts, explicitly confirm that exception before continuing
+- For stable releases, confirm the latest beta already passed the broader release workflows before cutting stable.
+- If any required build, packaging step, or release workflow is red, do not say the release is ready.
+
 ## Use the right auth flow

 - Core `openclaw` publish uses GitHub trusted publishing.
+- The publish run must be started manually with `workflow_dispatch`.
+- The `npm-release` environment must be approved by `@openclaw/openclaw-release-managers` before publish continues.
 - Do not use `NPM_TOKEN` or the plugin OTP flow for core releases.
 - `@openclaw/*` plugin publishes use a separate maintainer-only flow.
 - Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.

+## Run the release sequence
+
+1. Confirm the operator explicitly wants to cut a release.
+2. Choose the exact target version and git tag.
+3. Make every repo version location match that tag before creating it.
+4. Update `CHANGELOG.md` and assemble the matching GitHub release notes.
+5. Run the full preflight for all relevant release builds, including mac readiness when applicable.
+6. Confirm the target npm version is not already published.
+7. Create and push the git tag.
+8. Create or refresh the matching GitHub release.
+9. Start `.github/workflows/openclaw-npm-release.yml` with `workflow_dispatch` and the same tag.
+10. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
+11. After publish, verify npm and any attached release artifacts.
+
 ## GHSA advisory work

 - Use `openclaw-ghsa-maintainer` for GHSA advisory inspection, patch/publish flow, private-fork validation, and GHSA API-specific publish checks.
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -1,9 +1,6 @@
 name: OpenClaw NPM Release

 on:
-  push:
-    tags:
-      - "v*"
  workflow_dispatch:
    inputs:
      tag:
@@ -21,111 +18,7 @@ env:
  PNPM_VERSION: "10.23.0"

 jobs:
-  preview_openclaw_npm:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node environment
-        uses: ./.github/actions/setup-node-env
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          pnpm-version: ${{ env.PNPM_VERSION }}
-          install-bun: "false"
-          use-sticky-disk: "false"
-
-      - name: Print release plan
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-        run: |
-          set -euo pipefail
-          RELEASE_SHA=$(git rev-parse HEAD)
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-          if [[ "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*-[1-9][0-9]*$ ]]; then
-            TAG_KIND="fallback correction"
-          else
-            TAG_KIND="standard"
-          fi
-          echo "Release plan for ${RELEASE_TAG}:"
-          echo "Resolved release SHA: ${RELEASE_SHA}"
-          echo "Resolved package version: ${PACKAGE_VERSION}"
-          echo "Resolved tag kind: ${TAG_KIND}"
-          if [[ "${TAG_KIND}" == "fallback correction" ]]; then
-            echo "Correction tag note: npm version remains ${PACKAGE_VERSION}"
-          fi
-          echo "Would run: git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main"
-          echo "Would run with env: RELEASE_SHA=${RELEASE_SHA} RELEASE_TAG=${RELEASE_TAG} RELEASE_MAIN_REF=origin/main pnpm release:openclaw:npm:check"
-          echo "Would run: npm view openclaw@${PACKAGE_VERSION} version"
-          echo "Would run: pnpm check"
-          echo "Would run: pnpm build"
-          echo "Would run: pnpm release:check"
-
-      - name: Validate release tag and package metadata
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-          RELEASE_MAIN_REF: origin/main
-        run: |
-          set -euxo pipefail
-          RELEASE_SHA=$(git rev-parse HEAD)
-          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          # Fetch the full main ref so merge-base ancestry checks keep working
-          # for older tagged commits that are still contained in main.
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
-          pnpm release:openclaw:npm:check
-
-      - name: Ensure version is not already published
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-        run: |
-          set -euxo pipefail
-          PACKAGE_VERSION=$(node -p "require('./package.json').version")
-          IS_CORRECTION_TAG=0
-          if [[ "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*-[1-9][0-9]*$ ]]; then
-            IS_CORRECTION_TAG=1
-          fi
-
-          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
-            if [[ "${IS_CORRECTION_TAG}" == "1" ]]; then
-              echo "openclaw@${PACKAGE_VERSION} is already published on npm."
-              echo "Correction tag ${RELEASE_TAG} is allowed as a fallback release tag, so preview will continue without treating this as an error."
-              exit 0
-            fi
-            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
-            exit 1
-          fi
-
-          if [[ "${IS_CORRECTION_TAG}" == "1" ]]; then
-            echo "Previewing fallback correction tag ${RELEASE_TAG} for npm version openclaw@${PACKAGE_VERSION}"
-          else
-            echo "Previewing openclaw@${PACKAGE_VERSION}"
-          fi
-
-      - name: Check
-        run: |
-          set -euxo pipefail
-          pnpm check
-
-      - name: Build
-        run: |
-          set -euxo pipefail
-          pnpm build
-
-      - name: Verify release contents
-        run: |
-          set -euxo pipefail
-          pnpm release:check
-
-      - name: Preview publish command
-        run: bash scripts/openclaw-npm-publish.sh --dry-run
-
  publish_openclaw_npm:
-    if: github.event_name == 'workflow_dispatch'
    # npm trusted publishing + provenance requires a GitHub-hosted runner.
    runs-on: ubuntu-latest
    environment: npm-release
--- a/scripts/openclaw-npm-publish.sh
+++ b/scripts/openclaw-npm-publish.sh
@@ -4,8 +4,8 @@ set -euo pipefail

 mode="${1:-}"

-if [[ "${mode}" != "--dry-run" && "${mode}" != "--publish" ]]; then
-  echo "usage: bash scripts/openclaw-npm-publish.sh [--dry-run|--publish]" >&2
+if [[ "${mode}" != "--publish" ]]; then
+  echo "usage: bash scripts/openclaw-npm-publish.sh --publish" >&2
  exit 2
 fi

@@ -26,8 +26,4 @@ printf 'Publish command:'
 printf ' %q' "${publish_cmd[@]}"
 printf '\n'

-if [[ "${mode}" == "--dry-run" ]]; then
-  exit 0
-fi
-
 "${publish_cmd[@]}"