From 6b6f0feb3c1ba0ad7f6105c9e09ed603ca700eb1 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 13 Apr 2026 14:03:01 +0100 Subject: [PATCH] docs: clarify npm dist-tag auth --- .agents/skills/openclaw-release-maintainer/SKILL.md | 5 ++++- docs/reference/RELEASING.md | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.agents/skills/openclaw-release-maintainer/SKILL.md b/.agents/skills/openclaw-release-maintainer/SKILL.md index 38953426191..9fa3c20baaa 100644 --- a/.agents/skills/openclaw-release-maintainer/SKILL.md +++ b/.agents/skills/openclaw-release-maintainer/SKILL.md @@ -182,7 +182,10 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts plan does not yet support required reviewers there, do not assume the environment alone is the approval boundary; rely on private repo access and CODEOWNERS until those settings can be enabled. -- Do not use `NPM_TOKEN` or the plugin OTP flow for OpenClaw releases. +- Do not use `NPM_TOKEN` or the plugin OTP flow for the OpenClaw package + publish path; package publishing uses trusted publishing. +- Use `NPM_TOKEN` only for explicit npm dist-tag management modes, because npm + does not support trusted publishing for `npm dist-tag add`. - `@openclaw/*` plugin publishes use a separate maintainer-only flow. - Only publish plugins that already exist on npm; bundled disk-tree-only plugins stay unpublished. diff --git a/docs/reference/RELEASING.md b/docs/reference/RELEASING.md index 97432a7fa22..85224dbaddb 100644 --- a/docs/reference/RELEASING.md +++ b/docs/reference/RELEASING.md 
@@ -136,9 +136,9 @@ Rules: - Dist-tag sync mode must use a stable or correction tag, `preflight_only=false`, an empty `preflight_run_id`, `npm_dist_tag=latest`, and `promote_beta_to_latest=false` -- Promotion and dist-tag sync modes also require a valid `NPM_TOKEN` in the - `npm-release` environment because `npm dist-tag add` still needs regular npm - auth +- Promotion and dist-tag sync modes also require a valid `NPM_TOKEN` because + `npm dist-tag add` still needs regular npm auth; trusted publishing covers + the package publish path only ## Stable npm release sequence @@ -166,7 +166,7 @@ When cutting a stable npm release: `preflight_only=false`, `preflight_run_id` empty, and `npm_dist_tag=latest` The promotion and dist-tag sync modes still require the `npm-release` -environment approval and a valid `NPM_TOKEN` in that environment. +environment approval and a valid `NPM_TOKEN` accessible to that workflow run. That keeps the direct publish path and the beta-first promotion path both documented and operator-visible.
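Review bot: In the SKILL.md hunk (@@ -182,7 +182,10), the added bullet "Use `NPM_TOKEN` only for explicit npm dist-tag management modes" does not name those modes, so a reader of this skill has to guess where the exception to trusted publishing applies. RELEASING.md calls them the promotion and dist-tag sync modes; consider using the same names here so the exception is bounded identically in both files.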
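Review bot: In the first RELEASING.md hunk (@@ -136,9 +136,9), the rewritten bullet drops "in the `npm-release` environment" and no longer says where the `NPM_TOKEN` is expected to be configured. Consider stating the intended secret scope explicitly, so the rule cannot be read as allowing the token to be set anywhere the workflow can reach it.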
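Review bot: In the second RELEASING.md hunk (@@ -166,7 +166,7), "accessible to that workflow run" is looser than the "in that environment" it replaces, while the same sentence still lists the `npm-release` environment approval next to the token. It is no longer clear whether that approval gates access to the token; consider saying so directly, or noting in the commit message why the environment wording was removed.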