CI: remove npm release preview workflow (#52825)

* CI: remove npm release preview workflow

* Docs: align release maintainer skill with manual publish

* Docs: expand release maintainer skill flow
Onur Solmaz
2026-03-23 13:35:57 +01:00
committed by GitHub
parent 41850c3880
commit cd7d49b48e
3 changed files with 39 additions and 114 deletions


@@ -11,7 +11,9 @@ Use this skill for release and publish-time workflow. Keep ordinary development
- Do not change version numbers without explicit operator approval. - Do not change version numbers without explicit operator approval.
- Ask permission before any npm publish or release step. - Ask permission before any npm publish or release step.
- Use the private maintainer release docs for the actual runbook and `docs/reference/RELEASING.md` for public policy. - This skill should be sufficient to drive the normal release flow end-to-end.
- Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy.
- Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself.
## Keep release channel naming aligned ## Keep release channel naming aligned
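Review bot: the new bullet "creating or pushing a tag does not publish by itself" understates what this commit changes: with the `push: tags: v*` trigger removed from the workflow, a tag push no longer runs any CI at all, not even the tag/package-metadata preview that used to run `pnpm release:openclaw:npm:check`. Say that explicitly, e.g. "creating or pushing a tag neither publishes nor runs any release validation; run the preflight locally before tagging", so an operator does not wait for a CI signal that will never arrive.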
@@ -31,6 +33,8 @@ Use this skill for release and publish-time workflow. Keep ordinary development
- `apps/macos/Sources/OpenClaw/Resources/Info.plist` - `apps/macos/Sources/OpenClaw/Resources/Info.plist`
- `docs/install/updating.md` - `docs/install/updating.md`
- Peekaboo Xcode project and plist version fields - Peekaboo Xcode project and plist version fields
- Before creating a release tag, make every version location above match the version encoded by that tag.
- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
- “Bump version everywhere” means all version locations above except `appcast.xml`. - “Bump version everywhere” means all version locations above except `appcast.xml`.
- Release signing and notary credentials live outside the repo in the private maintainer docs. - Release signing and notary credentials live outside the repo in the private maintainer docs.
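Review bot: the two added bullets read as contradictory on first pass, "make every version location above match the version encoded by that tag" followed by "for fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`". Fold the exception into the rule so the first bullet is not wrong on its own, e.g. "match the version encoded by the tag, i.e. the tag with its `v` prefix and any `-N` correction suffix stripped". It would also help to say what a correction tag is for (re-running the release flow when the npm version is already published, which is the case the removed workflow job explicitly allowed), since this skill is now the only place that flow is described.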
@@ -62,13 +66,45 @@ For a non-root smoke path:
OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke
``` ```
## Check all relevant release builds
- Always validate the core npm release path before creating the tag.
- Default core release checks:
- `pnpm check`
- `pnpm build`
- `node --import tsx scripts/release-check.ts`
- `pnpm release:check`
- `OPENCLAW_INSTALL_SMOKE_SKIP_NONROOT=1 pnpm test:install:smoke`
- Check all release-related build surfaces touched by the release, not only the npm package.
- Include mac release readiness in preflight:
- if the release includes mac artifacts, run or inspect the mac packaging/notary/appcast flow
- if the release does not include mac artifacts, explicitly confirm that exception before continuing
- For stable releases, confirm the latest beta already passed the broader release workflows before cutting stable.
- If any required build, packaging step, or release workflow is red, do not say the release is ready.
## Use the right auth flow ## Use the right auth flow
- Core `openclaw` publish uses GitHub trusted publishing. - Core `openclaw` publish uses GitHub trusted publishing.
- The publish run must be started manually with `workflow_dispatch`.
- The `npm-release` environment must be approved by `@openclaw/openclaw-release-managers` before publish continues.
- Do not use `NPM_TOKEN` or the plugin OTP flow for core releases. - Do not use `NPM_TOKEN` or the plugin OTP flow for core releases.
- `@openclaw/*` plugin publishes use a separate maintainer-only flow. - `@openclaw/*` plugin publishes use a separate maintainer-only flow.
- Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished. - Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished.
## Run the release sequence
1. Confirm the operator explicitly wants to cut a release.
2. Choose the exact target version and git tag.
3. Make every repo version location match that tag before creating it.
4. Update `CHANGELOG.md` and assemble the matching GitHub release notes.
5. Run the full preflight for all relevant release builds, including mac readiness when applicable.
6. Confirm the target npm version is not already published.
7. Create and push the git tag.
8. Create or refresh the matching GitHub release.
9. Start `.github/workflows/openclaw-npm-release.yml` with `workflow_dispatch` and the same tag.
10. Wait for `npm-release` approval from `@openclaw/openclaw-release-managers`.
11. After publish, verify npm and any attached release artifacts.
## GHSA advisory work ## GHSA advisory work
- Use `openclaw-ghsa-maintainer` for GHSA advisory inspection, patch/publish flow, private-fork validation, and GHSA API-specific publish checks. - Use `openclaw-ghsa-maintainer` for GHSA advisory inspection, patch/publish flow, private-fork validation, and GHSA API-specific publish checks.
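Review bot: the "Default core release checks" list omits the one check that validated the tag itself. The preview job removed from the workflow in this commit ran `pnpm release:openclaw:npm:check` with `RELEASE_SHA`, `RELEASE_TAG` and `RELEASE_MAIN_REF=origin/main` set, after fetching `main` so that (per its comment) the merge-base check could confirm the tagged commit is contained in `main`; nothing in this checklist or in the numbered sequence reproduces it, so unless the publish job runs it, that ancestry check has left the release path. Add it to the default checks together with its env vars and the `git fetch` of `origin/main`. Two smaller points: `node --import tsx scripts/release-check.ts` and `pnpm release:check` look like the same check invoked twice, so confirm `release:check` does not already wrap the script and drop one; and step 6 "Confirm the target npm version is not already published" should mention the fallback-correction exception introduced in the earlier hunk and honoured by the removed job, otherwise a correction release fails its own checklist. Finally, since the publish uses trusted publishing with provenance (see the runner comment in the workflow), step 11 could verify the provenance attestation on the published version rather than only its presence on npm.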


@@ -1,9 +1,6 @@
name: OpenClaw NPM Release name: OpenClaw NPM Release
on: on:
push:
tags:
- "v*"
workflow_dispatch: workflow_dispatch:
inputs: inputs:
tag: tag:
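Review bot: with the `push` trigger gone, `workflow_dispatch` is the only way this workflow runs, and a dispatched run checks out whatever branch or tag was selected in the UI, not necessarily the `tag` input. Confirm that the publish job resolves and checks out `inputs.tag` (and validates the commit it points at) rather than relying on `github.ref`, because the validation job that keyed off `github.ref_name` is removed in the same commit; otherwise a dispatch from `main` with a stale or mistyped `tag` input builds and publishes from the wrong commit.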
@@ -21,111 +18,7 @@ env:
PNPM_VERSION: "10.23.0" PNPM_VERSION: "10.23.0"
jobs: jobs:
preview_openclaw_npm:
if: github.event_name == 'push'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup Node environment
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
use-sticky-disk: "false"
- name: Print release plan
env:
RELEASE_TAG: ${{ github.ref_name }}
run: |
set -euo pipefail
RELEASE_SHA=$(git rev-parse HEAD)
PACKAGE_VERSION=$(node -p "require('./package.json').version")
if [[ "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*-[1-9][0-9]*$ ]]; then
TAG_KIND="fallback correction"
else
TAG_KIND="standard"
fi
echo "Release plan for ${RELEASE_TAG}:"
echo "Resolved release SHA: ${RELEASE_SHA}"
echo "Resolved package version: ${PACKAGE_VERSION}"
echo "Resolved tag kind: ${TAG_KIND}"
if [[ "${TAG_KIND}" == "fallback correction" ]]; then
echo "Correction tag note: npm version remains ${PACKAGE_VERSION}"
fi
echo "Would run: git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main"
echo "Would run with env: RELEASE_SHA=${RELEASE_SHA} RELEASE_TAG=${RELEASE_TAG} RELEASE_MAIN_REF=origin/main pnpm release:openclaw:npm:check"
echo "Would run: npm view openclaw@${PACKAGE_VERSION} version"
echo "Would run: pnpm check"
echo "Would run: pnpm build"
echo "Would run: pnpm release:check"
- name: Validate release tag and package metadata
env:
RELEASE_TAG: ${{ github.ref_name }}
RELEASE_MAIN_REF: origin/main
run: |
set -euxo pipefail
RELEASE_SHA=$(git rev-parse HEAD)
export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
# Fetch the full main ref so merge-base ancestry checks keep working
# for older tagged commits that are still contained in main.
git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
pnpm release:openclaw:npm:check
- name: Ensure version is not already published
env:
RELEASE_TAG: ${{ github.ref_name }}
run: |
set -euxo pipefail
PACKAGE_VERSION=$(node -p "require('./package.json').version")
IS_CORRECTION_TAG=0
if [[ "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*-[1-9][0-9]*$ ]]; then
IS_CORRECTION_TAG=1
fi
if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
if [[ "${IS_CORRECTION_TAG}" == "1" ]]; then
echo "openclaw@${PACKAGE_VERSION} is already published on npm."
echo "Correction tag ${RELEASE_TAG} is allowed as a fallback release tag, so preview will continue without treating this as an error."
exit 0
fi
echo "openclaw@${PACKAGE_VERSION} is already published on npm."
exit 1
fi
if [[ "${IS_CORRECTION_TAG}" == "1" ]]; then
echo "Previewing fallback correction tag ${RELEASE_TAG} for npm version openclaw@${PACKAGE_VERSION}"
else
echo "Previewing openclaw@${PACKAGE_VERSION}"
fi
- name: Check
run: |
set -euxo pipefail
pnpm check
- name: Build
run: |
set -euxo pipefail
pnpm build
- name: Verify release contents
run: |
set -euxo pipefail
pnpm release:check
- name: Preview publish command
run: bash scripts/openclaw-npm-publish.sh --dry-run
publish_openclaw_npm: publish_openclaw_npm:
if: github.event_name == 'workflow_dispatch'
# npm trusted publishing + provenance requires a GitHub-hosted runner. # npm trusted publishing + provenance requires a GitHub-hosted runner.
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: npm-release environment: npm-release
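Review bot: deleting `preview_openclaw_npm` removes every automated check of the release inputs visible in this file: the tag-format classification, `pnpm release:openclaw:npm:check` with the `origin/main` fetch that kept the merge-base ancestry check working, the `npm view openclaw@<version>` already-published guard with its correction-tag carve-out, and `pnpm check`/`pnpm build`/`pnpm release:check`. If `publish_openclaw_npm` does not run the same steps before publishing, the `npm-release` environment approval becomes the only gate, and approvers have no CI-produced evidence to approve against. Either keep these steps as a pre-publish job that the publish job `needs`, or state in the maintainer skill that approvers must verify them by hand. Dropping `if: github.event_name == 'workflow_dispatch'` from the publish job is correct now that no other trigger remains.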


@@ -4,8 +4,8 @@ set -euo pipefail
mode="${1:-}" mode="${1:-}"
if [[ "${mode}" != "--dry-run" && "${mode}" != "--publish" ]]; then if [[ "${mode}" != "--publish" ]]; then
echo "usage: bash scripts/openclaw-npm-publish.sh [--dry-run|--publish]" >&2 echo "usage: bash scripts/openclaw-npm-publish.sh --publish" >&2
exit 2 exit 2
fi fi
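Review bot: with `--dry-run` removed there is no way to exercise this script without publishing, which makes changes to `publish_cmd` (for example after an npm or pnpm flag change) testable only during a live release. Keeping the explicit `--publish` argument as an interlock against accidental invocation is good; consider keeping a no-op mode as well, or point the usage text at `npm publish --dry-run` as the fallback for previewing.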
@@ -26,8 +26,4 @@ printf 'Publish command:'
printf ' %q' "${publish_cmd[@]}" printf ' %q' "${publish_cmd[@]}"
printf '\n' printf '\n'
if [[ "${mode}" == "--dry-run" ]]; then
exit 0
fi
"${publish_cmd[@]}" "${publish_cmd[@]}"
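Review bot: after removing the early exit, the `printf 'Publish command:'` output always precedes a live `"${publish_cmd[@]}"` in the CI job log. That is fine with trusted publishing, where no token appears on the command line, but any future addition of `--otp` or a token-bearing argument to `publish_cmd` would be echoed into the log. A short comment above the printf stating that the array must stay free of secrets would make that invariant explicit.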