From 0931a1f11ea52a759ff81cf97345cf4ada7a2bc4 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 27 Apr 2026 13:31:30 +0100 Subject: [PATCH] ci: fix release validation dispatch and protocol drift --- .agents/skills/openclaw-testing/SKILL.md | 6 +++- .github/workflows/full-release-validation.yml | 31 +++++++------------ docs/reference/RELEASING.md | 8 ++--- .../package-acceptance-workflow.test.ts | 13 ++++++++ 4 files changed, 34 insertions(+), 24 deletions(-) diff --git a/.agents/skills/openclaw-testing/SKILL.md b/.agents/skills/openclaw-testing/SKILL.md index b0e932e2dd3..5fdbf1537ba 100644 --- a/.agents/skills/openclaw-testing/SKILL.md +++ b/.agents/skills/openclaw-testing/SKILL.md @@ -122,11 +122,15 @@ gh workflow run full-release-validation.yml \ --repo openclaw/openclaw \ --ref main \ -f ref= \ - -f workflow_ref=main \ -f provider=openai \ -f mode=both ``` +Run the workflow itself from the trusted current ref, normally `--ref main`; +child workflows are dispatched from that same ref even when `ref` points at an +older release branch or tag. Full Release Validation has no separate child +workflow ref input; choose the trusted harness by choosing the workflow run ref. + If a full run is already active on a newer `origin/main`, prefer watching that run over dispatching a duplicate. If you accidentally dispatch a stale duplicate, cancel it and monitor the current run. diff --git a/.github/workflows/full-release-validation.yml b/.github/workflows/full-release-validation.yml index ee63ab7f330..d1013b7d1f4 100644 --- a/.github/workflows/full-release-validation.yml +++ b/.github/workflows/full-release-validation.yml @@ -8,11 +8,6 @@ on: required: true default: main type: string - workflow_ref: - description: Trusted workflow ref used to run child workflows - required: false - default: main - type: string provider: description: Provider lane for cross-OS onboarding and the end-to-end agent turn required: false 
@@ -86,7 +81,7 @@ jobs: env: TARGET_REF: ${{ inputs.ref }} TARGET_SHA: ${{ steps.resolve.outputs.sha }} - WORKFLOW_REF: ${{ inputs.workflow_ref }} + CHILD_WORKFLOW_REF: ${{ github.ref_name }} NPM_TELEGRAM_PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }} run: | { @@ -94,7 +89,7 @@ jobs: echo echo "- Target ref: \`${TARGET_REF}\`" echo "- Target SHA: \`${TARGET_SHA}\`" - echo "- Child workflow ref: \`${WORKFLOW_REF}\`" + echo "- Child workflow ref: \`${CHILD_WORKFLOW_REF}\`" echo "- Normal CI: \`CI\` with \`target_ref=${TARGET_SHA}\`" echo "- Release/live/Docker/package/QA: \`OpenClaw Release Checks\`" if [[ -n "${NPM_TELEGRAM_PACKAGE_SPEC// }" ]]; then @@ -120,19 +115,18 @@ jobs: GH_TOKEN: ${{ github.token }} TARGET_REF: ${{ inputs.ref }} TARGET_SHA: ${{ needs.resolve_target.outputs.sha }} - WORKFLOW_REF: ${{ inputs.workflow_ref }} + CHILD_WORKFLOW_REF: ${{ github.ref_name }} run: | set -euo pipefail dispatch_and_wait() { local workflow="$1" - local workflow_ref="$2" - shift 2 + shift local before_json run_id status conclusion url before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')" - gh workflow run "$workflow" --ref "$workflow_ref" "$@" + gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" for _ in $(seq 1 60); do run_id="$( @@ -178,7 +172,7 @@ jobs: echo "- Target SHA: \`${TARGET_SHA}\`" } >> "$GITHUB_STEP_SUMMARY" - dispatch_and_wait ci.yml "$WORKFLOW_REF" -f target_ref="$TARGET_SHA" + dispatch_and_wait ci.yml -f target_ref="$TARGET_SHA" release_checks: name: Run release/live/Docker/QA validation @@ -196,7 +190,7 @@ jobs: GH_TOKEN: ${{ github.token }} TARGET_REF: ${{ inputs.ref }} TARGET_SHA: ${{ needs.resolve_target.outputs.sha }} - WORKFLOW_REF: ${{ inputs.workflow_ref }} + CHILD_WORKFLOW_REF: ${{ github.ref_name }} PROVIDER: ${{ inputs.provider }} MODE: ${{ inputs.mode }} run: | 
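Review bot: Nothing in the visible hunks enforces that the ref behind `CHILD_WORKFLOW_REF: ${{ github.ref_name }}` is the trusted one; the docs in this commit only say to dispatch "normally `--ref main`". Whoever can dispatch this workflow from another branch or tag makes the CI and release-check children load their workflow definitions from that ref. If only protected refs are meant to act as the harness, fail early in `resolve_target`, e.g. `[[ "$GITHUB_REF_PROTECTED" == "true" ]] || { echo "::error::dispatch from a protected ref"; exit 1; }`. Otherwise record the allowed refs in a comment next to this env entry. The same env line recurs in the `@@ -120,19`, `@@ -196,7` and `@@ -278,7` hunks.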
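Review bot: `dispatch_and_wait` in the `@@ -120,19 +115,18` hunk now takes the child ref from the step environment rather than from an argument, and the function has no comment saying so. I would add `# Dispatches "$workflow" from $CHILD_WORKFLOW_REF (step env) and waits for the new run.` above it and make the dependency explicit with `: "${CHILD_WORKFLOW_REF:?child workflow ref is empty}"` as its first line. `set -u` already stops on an unset variable but not on an empty one, which would reach `gh workflow run --ref ""`. The function body continues past this hunk, and the identical copy in the `release_checks` job (`@@ -204,13 +198,12`) needs the same lines.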
@@ -204,13 +198,12 @@ jobs: dispatch_and_wait() { local workflow="$1" - local workflow_ref="$2" - shift 2 + shift local before_json run_id status conclusion url before_json="$(gh run list --workflow "$workflow" --event workflow_dispatch --limit 100 --json databaseId --jq '[.[].databaseId]')" - gh workflow run "$workflow" --ref "$workflow_ref" "$@" + gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@" for _ in $(seq 1 60); do run_id="$( @@ -258,7 +251,7 @@ jobs: echo "- Cross-OS mode: \`${MODE}\`" } >> "$GITHUB_STEP_SUMMARY" - dispatch_and_wait openclaw-release-checks.yml "$WORKFLOW_REF" \ + dispatch_and_wait openclaw-release-checks.yml \ -f ref="$TARGET_SHA" \ -f provider="$PROVIDER" \ -f mode="$MODE" @@ -278,7 +271,7 @@ jobs: id: dispatch env: GH_TOKEN: ${{ github.token }} - WORKFLOW_REF: ${{ inputs.workflow_ref }} + CHILD_WORKFLOW_REF: ${{ github.ref_name }} PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }} PROVIDER_MODE: ${{ inputs.npm_telegram_provider_mode }} SCENARIO: ${{ inputs.npm_telegram_scenario }} @@ -292,7 +285,7 @@ jobs: args+=(-f scenario="$SCENARIO") fi - gh workflow run npm-telegram-beta-e2e.yml --ref "$WORKFLOW_REF" "${args[@]}" + gh workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}" run_id="" for _ in $(seq 1 60); do diff --git a/docs/reference/RELEASING.md b/docs/reference/RELEASING.md index 6c95469fb12..871d0740a42 100644 --- a/docs/reference/RELEASING.md +++ b/docs/reference/RELEASING.md @@ -232,7 +232,6 @@ branch, tag, or full commit SHA as `ref`: gh workflow run full-release-validation.yml \ --ref main \ -f ref=release/YYYY.M.D \ - -f workflow_ref=main \ -f provider=openai \ -f mode=both ``` 
@@ -246,6 +245,10 @@ Package Acceptance with Telegram package QA, QA Lab parity, live Matrix, and live Telegram. A full run is only acceptable when the `Full Release Validation` summary shows `normal_ci` and `release_checks` as successful, and any optional `npm_telegram` child is either successful or intentionally skipped. +Child workflows are dispatched from the trusted ref that runs `Full Release +Validation`, normally `--ref main`, even when the target `ref` points at an +older release branch or tag. There is no separate Full Release Validation +workflow-ref input; choose the trusted harness by choosing the workflow run ref. Use these variants depending on release stage: @@ -254,7 +257,6 @@ Use these variants depending on release stage: gh workflow run full-release-validation.yml \ --ref main \ -f ref=release/YYYY.M.D \ - -f workflow_ref=main \ -f provider=openai \ -f mode=both @@ -262,7 +264,6 @@ gh workflow run full-release-validation.yml \ gh workflow run full-release-validation.yml \ --ref main \ -f ref=<40-char-sha> \ - -f workflow_ref=main \ -f provider=openai \ -f mode=both @@ -270,7 +271,6 @@ gh workflow run full-release-validation.yml \ gh workflow run full-release-validation.yml \ --ref main \ -f ref=release/YYYY.M.D \ - -f workflow_ref=main \ -f provider=openai \ -f mode=both \ -f npm_telegram_package_spec=openclaw@YYYY.M.D-beta.N \ diff --git a/test/scripts/package-acceptance-workflow.test.ts b/test/scripts/package-acceptance-workflow.test.ts index 7575d02e6e0..7081665ff48 100644 --- a/test/scripts/package-acceptance-workflow.test.ts +++ b/test/scripts/package-acceptance-workflow.test.ts 
@@ -6,6 +6,7 @@ const LIVE_E2E_WORKFLOW = ".github/workflows/openclaw-live-and-e2e-checks-reusab const DOCKER_E2E_PLAN_ACTION = ".github/actions/docker-e2e-plan/action.yml"; const NPM_TELEGRAM_WORKFLOW = ".github/workflows/npm-telegram-beta-e2e.yml"; const RELEASE_CHECKS_WORKFLOW = ".github/workflows/openclaw-release-checks.yml"; +const FULL_RELEASE_VALIDATION_WORKFLOW = ".github/workflows/full-release-validation.yml"; describe("package acceptance workflow", () => { it("resolves candidate package sources before reusing Docker E2E lanes", () => { @@ -132,4 +133,16 @@ describe("package artifact reuse", () => { expect(workflow).toContain("package_telegram=${PACKAGE_TELEGRAM_RESULT}"); expect(workflow).not.toContain("npm_telegram:"); }); + + it("runs full release children from the trusted workflow ref", () => { + const workflow = readFileSync(FULL_RELEASE_VALIDATION_WORKFLOW, "utf8"); + + expect(workflow).toContain("CHILD_WORKFLOW_REF: ${{ github.ref_name }}"); + expect(workflow).toContain('gh workflow run "$workflow" --ref "$CHILD_WORKFLOW_REF" "$@"'); + expect(workflow).toContain( + 'gh workflow run npm-telegram-beta-e2e.yml --ref "$CHILD_WORKFLOW_REF" "${args[@]}"', + ); + expect(workflow).not.toContain("workflow_ref:"); + expect(workflow).not.toContain("inputs.workflow_ref"); + }); });
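Review bot: The `toContain` assertions added in the `@@ -132,4 +133,16` hunk pass as soon as one occurrence matches, but this diff sets `CHILD_WORKFLOW_REF` in four env blocks and uses it in at least three `gh workflow run` calls, so a single job that regresses to another ref would go unnoticed. Assert the negative over the whole file as well: `expect(workflow).not.toMatch(/--ref "\$(?!CHILD_WORKFLOW_REF")/);` rejects any `--ref "$…"` that uses a different variable. `expect(workflow).not.toMatch(/(?<!CHILD_)WORKFLOW_REF/);` catches a leftover `$WORKFLOW_REF` in a script body, which the two `not.toContain` checks do not cover.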