fix(release): verify npm tarball before publish

2026-05-18 13:54:47 +00:00 · 2026-05-15 12:42:56 +01:00
parent e79e5dbbdf
commit 6330fe607d
4 changed files with 218 additions and 0 deletions
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -287,6 +287,20 @@ jobs:
          NODE
          echo "dir=$ARTIFACT_DIR" >> "$GITHUB_OUTPUT"

+      - name: Verify prepared npm tarball install
+        env:
+          PREFLIGHT_ARTIFACT_DIR: ${{ steps.packed_tarball.outputs.dir }}
+        run: |
+          set -euo pipefail
+          TARBALL_PATH="$(find "$PREFLIGHT_ARTIFACT_DIR" -maxdepth 1 -type f -name '*.tgz' -print | sort | tail -n 1)"
+          if [[ -z "$TARBALL_PATH" ]]; then
+            echo "Prepared preflight tarball not found." >&2
+            ls -la "$PREFLIGHT_ARTIFACT_DIR" >&2 || true
+            exit 1
+          fi
+          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
+          node --import tsx scripts/openclaw-npm-prepublish-verify.ts "$TARBALL_PATH" "$PACKAGE_VERSION"
+
      - name: Upload dependency release evidence
        uses: actions/upload-artifact@v7
        with: