fix: fail release performance when reports do not publish (#103126)

* fix(ci): harden performance report publishing

* ci: use scoped app token for reports

* ci: pin Kova readiness probe fix

* ci: pin latest Kova readiness checks

* ci: pin Kova startup sequencing fix

* ci: pin calibrated Kova release policy
This commit is contained in:
Peter Steinberger
2026-07-10 01:27:26 +01:00
committed by GitHub
parent e26a850fbd
commit d8624a4e1b
4 changed files with 789 additions and 167 deletions

View File

@@ -234,7 +234,7 @@ The workflow installs OCM from a pinned release and Kova from `openclaw/Kova` at
The mock-provider lane also runs OpenClaw-native source probes after the Kova pass: gateway boot timing and memory across default, skipped-channel, internal-hook, and fifty-plugin startup cases; bundled plugin import RSS, repeated mock-OpenAI `channel-chat-baseline` hello loops, CLI startup commands against the booted gateway, and the SQLite state smoke performance probe. When the previous published mock-provider source report is available for the tested ref, the source summary compares current RSS and heap values against that baseline and marks large RSS increases as `watch`. The source probe Markdown summary lives at `source/index.md` in the report bundle, with raw JSON beside it.
Every lane uploads GitHub artifacts. When `CLAWGRIT_REPORTS_TOKEN` is configured, the workflow also commits `report.json`, `report.md`, bundles, `index.md`, and source-probe artifacts into `openclaw/clawgrit-reports` under `openclaw-performance/<tested-ref>/<run-id>-<attempt>/<lane>/`. The current tested-ref pointer is written as `openclaw-performance/<tested-ref>/latest-<lane>.json`.
Every lane uploads GitHub artifacts. A separate publisher job downloads and validates those artifacts, then mints a short-lived ClawSweeper GitHub App token scoped only to `openclaw/clawgrit-reports` contents and passes it only to the Git push step. It commits `report.json`, `report.md`, bundles, `index.md`, and source-probe artifacts under `openclaw-performance/<tested-ref>/<run-id>-<attempt>/<lane>/`; the current tested-ref pointer is `openclaw-performance/<tested-ref>/latest-<lane>.json`. Scheduled runs and `profile=release` dispatches fail if app-token creation or report publication fails. Manual non-release dispatches keep publication advisory and retain the GitHub artifacts when authentication or publishing fails. The previous source baseline is fetched anonymously from the public reports repository, so a successful baseline fetch does not prove publisher authentication.
## Full Release Validation

View File

@@ -86,10 +86,13 @@ When debugging real providers/models (requires real creds):
- Runtime performance reports: dispatch `OpenClaw Performance` with
`live_openai_candidate=true` for a real `openai/gpt-5.5` agent turn or
`deep_profile=true` for Kova CPU/heap/trace artifacts. Daily scheduled runs
publish mock-provider, deep-profile, and GPT 5.5 lane artifacts to
`openclaw/clawgrit-reports` when `CLAWGRIT_REPORTS_TOKEN` is configured. The
mock-provider report also includes source-level gateway boot, memory,
plugin-pressure, repeated fake-model hello-loop, and CLI startup numbers.
publish mock-provider, deep-profile, and GPT 5.5 lane reports to
`openclaw/clawgrit-reports` from a separate artifact-consuming publisher job;
missing or invalid publisher authentication fails scheduled and
`profile=release` runs. Manual non-release dispatches keep the GitHub artifacts
and treat report publication as advisory. The mock-provider report also
includes source-level gateway boot, memory, plugin-pressure, repeated
fake-model hello-loop, and CLI startup numbers.
- Docker live model sweep: `pnpm test:docker:live-models`
- Each selected model runs a text turn plus a small file-read-style probe.
Models whose metadata advertises `image` input also run a tiny image turn.