docs: support release branch workflow

2026-05-06 10:00:42 +00:00 · 2026-04-21 05:33:10 +01:00
parent 1a3bde17a6
commit b485ee7e36
4 changed files with 158 additions and 95 deletions
--- a/.github/workflows/openclaw-npm-release.yml
+++ b/.github/workflows/openclaw-npm-release.yml
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
    inputs:
      tag:
-        description: Release tag to publish, or a full 40-character main commit SHA for validation-only preflight (for example v2026.3.22 or 0123456789abcdef0123456789abcdef01234567)
+        description: Release tag to publish, or a full 40-character workflow-branch commit SHA for validation-only preflight (for example v2026.3.22 or 0123456789abcdef0123456789abcdef01234567)
        required: true
        type: string
      preflight_only:
@@ -131,19 +131,20 @@ jobs:
          OPENCLAW_NPM_RELEASE_SKIP_PACK_CHECK: "1"
          RELEASE_REF: ${{ inputs.tag }}
          PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
-          RELEASE_MAIN_REF: origin/main
+          WORKFLOW_REF_NAME: ${{ github.ref_name }}
          OPENCLAW_NPM_PUBLISH_TAG: ${{ inputs.npm_dist_tag }}
        run: |
          set -euo pipefail
          RELEASE_SHA=$(git rev-parse HEAD)
-          export RELEASE_SHA RELEASE_MAIN_REF
-          # Fetch the full main ref so merge-base ancestry checks keep working
-          # for older tagged commits that are still contained in main.
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+          RELEASE_BRANCH_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
+          export RELEASE_SHA RELEASE_BRANCH_REF
+          # Fetch the workflow branch so merge-base ancestry checks keep working
+          # for older tagged commits contained in a release branch.
+          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
          if [[ "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            MAIN_SHA="$(git rev-parse origin/main)"
-            if [[ "${RELEASE_SHA}" != "${MAIN_SHA}" ]]; then
-              echo "Validation-only SHA mode only supports the current origin/main HEAD." >&2
+            BRANCH_SHA="$(git rev-parse "${RELEASE_BRANCH_REF}")"
+            if [[ "${RELEASE_SHA}" != "${BRANCH_SHA}" ]]; then
+              echo "Validation-only SHA mode only supports the current ${WORKFLOW_REF_NAME} HEAD." >&2
              exit 1
            fi
            RELEASE_TAG="v$(node -p "require('./package.json').version")"
@@ -153,6 +154,8 @@ jobs:
            RELEASE_TAG="${RELEASE_REF}"
            export RELEASE_TAG
          fi
+          RELEASE_MAIN_REF="${RELEASE_BRANCH_REF}"
+          export RELEASE_MAIN_REF
          pnpm release:openclaw:npm:check

      # KEEP THIS LANE LIMITED TO FAST, REPEATABLE RELEASE READINESS CHECKS.
@@ -253,13 +256,13 @@ jobs:
    permissions:
      contents: read
    steps:
-      - name: Require main workflow ref for publish
+      - name: Require main or release workflow ref for publish
        env:
          WORKFLOW_REF: ${{ github.ref }}
        run: |
          set -euo pipefail
-          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]]; then
-            echo "Real publish runs must be dispatched from main. Use preflight_only=true for branch validation."
+          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
+            echo "Real publish runs must be dispatched from main or release/YYYY.M.D. Use preflight_only=true for other branch validation."
            exit 1
          fi

@@ -329,10 +332,11 @@ jobs:
        env:
          GH_TOKEN: ${{ github.token }}
          PREFLIGHT_RUN_ID: ${{ inputs.preflight_run_id }}
+          EXPECTED_PREFLIGHT_BRANCH: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          RUN_JSON="$(gh run view "$PREFLIGHT_RUN_ID" --repo "$GITHUB_REPOSITORY" --json workflowName,headBranch,event,conclusion,url)"
-          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw NPM Release"], ["headBranch", "main"], ["event", "workflow_dispatch"], ["conclusion", "success"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced npm preflight run ${process.env.PREFLIGHT_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } console.log(`Using npm preflight run ${process.env.PREFLIGHT_RUN_ID}: ${run.url}`);'
+          printf '%s' "$RUN_JSON" | node -e 'const fs = require("node:fs"); const run = JSON.parse(fs.readFileSync(0, "utf8")); const checks = [["workflowName", "OpenClaw NPM Release"], ["headBranch", process.env.EXPECTED_PREFLIGHT_BRANCH], ["event", "workflow_dispatch"], ["conclusion", "success"]]; for (const [key, expected] of checks) { if (run[key] !== expected) { console.error(`Referenced npm preflight run ${process.env.PREFLIGHT_RUN_ID} must have ${key}=${expected}, got ${run[key] ?? "<missing>"}.`); process.exit(1); } } console.log(`Using npm preflight run ${process.env.PREFLIGHT_RUN_ID}: ${run.url}`);'

      - name: Download prepared npm tarball
        uses: actions/download-artifact@v8
@@ -348,14 +352,15 @@ jobs:
        env:
          OPENCLAW_NPM_RELEASE_SKIP_PACK_CHECK: "1"
          RELEASE_TAG: ${{ inputs.tag }}
-          RELEASE_MAIN_REF: origin/main
+          WORKFLOW_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          RELEASE_SHA=$(git rev-parse HEAD)
+          RELEASE_MAIN_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
-          # Fetch the full main ref so merge-base ancestry checks keep working
-          # for older tagged commits that are still contained in main.
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+          # Fetch the workflow branch so merge-base ancestry checks keep working
+          # for older tagged commits contained in a release branch.
+          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
          pnpm release:openclaw:npm:check

      - name: Verify prepared tarball provenance
--- a/.github/workflows/openclaw-release-checks.yml
+++ b/.github/workflows/openclaw-release-checks.yml
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
    inputs:
      ref:
-        description: Existing release tag or current full 40-character main commit SHA to validate (for example v2026.4.12 or 0123456789abcdef0123456789abcdef01234567)
+        description: Existing release tag or current full 40-character workflow-branch commit SHA to validate (for example v2026.4.12 or 0123456789abcdef0123456789abcdef01234567)
        required: true
        type: string
      provider:
@@ -45,13 +45,13 @@ jobs:
      provider: ${{ steps.inputs.outputs.provider }}
      mode: ${{ steps.inputs.outputs.mode }}
    steps:
-      - name: Require main workflow ref for release checks
+      - name: Require main or release workflow ref for release checks
        env:
          WORKFLOW_REF: ${{ github.ref }}
        run: |
          set -euo pipefail
-          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]]; then
-            echo "Release checks must be dispatched from main so the workflow logic and secrets stay canonical." >&2
+          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]] && [[ ! "${WORKFLOW_REF}" =~ ^refs/heads/release/[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*$ ]]; then
+            echo "Release checks must be dispatched from main or release/YYYY.M.D so workflow logic and secrets stay controlled." >&2
            exit 1
          fi

@@ -61,7 +61,7 @@ jobs:
        run: |
          set -euo pipefail
          if [[ ! "${RELEASE_REF}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]] && [[ ! "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            echo "Expected an existing release tag or current full 40-character main commit SHA, got: ${RELEASE_REF}" >&2
+            echo "Expected an existing release tag or current full 40-character workflow-branch commit SHA, got: ${RELEASE_REF}" >&2
            exit 1
          fi

@@ -75,20 +75,22 @@ jobs:
        id: ref
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

-      - name: Validate selected ref is on main
+      - name: Validate selected ref is on workflow branch
        env:
          RELEASE_REF: ${{ inputs.ref }}
+          WORKFLOW_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
-          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
+          RELEASE_BRANCH_REF="refs/remotes/origin/${WORKFLOW_REF_NAME}"
+          git fetch --no-tags origin "+refs/heads/${WORKFLOW_REF_NAME}:refs/remotes/origin/${WORKFLOW_REF_NAME}"
          if [[ "${RELEASE_REF}" =~ ^[0-9a-fA-F]{40}$ ]]; then
-            MAIN_SHA="$(git rev-parse origin/main)"
-            if [[ "$(git rev-parse HEAD)" != "${MAIN_SHA}" ]]; then
-              echo "Commit SHA mode only supports the current origin/main HEAD. Use a release tag for older commits." >&2
+            BRANCH_SHA="$(git rev-parse "${RELEASE_BRANCH_REF}")"
+            if [[ "$(git rev-parse HEAD)" != "${BRANCH_SHA}" ]]; then
+              echo "Commit SHA mode only supports the current ${WORKFLOW_REF_NAME} HEAD. Use a release tag for older commits." >&2
              exit 1
            fi
          else
-            git merge-base --is-ancestor HEAD origin/main
+            git merge-base --is-ancestor HEAD "${RELEASE_BRANCH_REF}"
          fi

      - name: Capture selected inputs