Summary:
- The PR deletes the standalone `Parity gate` workflow, renames QA parity wording from gate to lane, routes docs toward QA/release validation, and adjusts the Docker E2E boundary guard for package-backed live lanes.
- Reproducibility: not applicable. as a CI/docs refactor. The high-confidence review path is static comparison of the repaired PR diff against current workflow/docs code plus exact-head check status.
ClawSweeper fixups:
- Included follow-up commit: ci: fold parity into QA release validation
- Ran the ClawSweeper repair loop before final review.
Validation:
- ClawSweeper review passed for head 3482654058.
- Required merge gates passed before the squash merge.
Prepared head SHA: 3482654058
Review: https://github.com/openclaw/openclaw/pull/74622#issuecomment-4359168336
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
Summary:
- The PR adds a 2026.5.2 doctor repair pass for actively used configured downloadable plugins, prefers ClawHub ... pm fallback, records installed plugin state, extends upgrade-survivor coverage, and updates docs/changelog.
- Reproducibility: yes. Static inspection of current main and the PR head gives a high-confidence reproduction ... d-plugin install pass, while the PR tests the new repair-only path, success stamping, and warning behavior.
ClawSweeper fixups:
- Included follow-up commit: test: cover configured plugin install update path
- Included follow-up commit: test: isolate channel option metadata cache
- Included follow-up commit: fix: keep configured plugin repair scoped
Validation:
- ClawSweeper review passed for head d3519ce42c.
- Required merge gates passed before the squash merge.
Prepared head SHA: d3519ce42c
Review: https://github.com/openclaw/openclaw/pull/76129#issuecomment-4364120658
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Simplify plugin installation and runtime loading around package-manager-owned dependencies, with Jiti reserved for local/TS fallback paths.
Also scans npm plugin install roots so hoisted transitive dependencies are covered by dependency denylist and node_modules symlink checks.
Adds the memory runtime quality shard to the PR CodeQL guard while preserving provider/plugin overlap only for the memory files that share those contracts.
Adds the Plugin SDK reply runtime quality shard to the PR CodeQL guard while keeping reply runtime changes on the existing plugin and package-contract shards.
Splits the previous wall-of-prose docs/ci.md into discoverable sections
while preserving every operator-relevant detail:
- Lead orientation paragraph kept; cross-links to umbrella and prerelease
- Pipeline overview anchors the job table at the top
- Fail-fast order tightened; superseded-run/concurrency notes folded in
- Scope and routing surfaces ci-changed-scope.mjs, the routing-only fast
path, the Windows scope rule, Vitest shard balancing, the Android
dual-flavor rule, and the check-dependencies (Knip + unused-file
allowlist) pass that was buried in the lead
- Manual dispatches groups examples + include_android + target_ref
- Runners and Local equivalents tables/blocks preserved
- Full Release Validation: release_profile and rerun_group bulleted;
verifier-only rerun guidance and the shared release-package-under-test
artifact called out
- Live and E2E shards: native-live shard names listed, live-media-runner
image and openclaw-live-test:<sha> with OPENCLAW_SKIP_DOCKER_BUILD=1
broken out
- Package Acceptance split into Jobs / Candidate sources / Suite profiles
/ Legacy compatibility windows / Examples / debugging
- Install smoke: fast vs full paths, main-push policy, Bun gate
- Local Docker E2E: scheduler tunables in a table, reusable workflow
flow, release-path chunks list, rerun helpers
- Plugin Prerelease, QA Lab, CodeQL each get their own discoverable
sections; CodeQL uses tables for security and quality categories
instead of paragraph walls (kept the new provider-runtime-boundary
shard in the PR-quality-guard list)
- Maintenance workflows groups Docs Agent, Test Performance Agent, and
Duplicate PRs After Merge
- Local check gates and changed routing turn boundary lane rules into
bullets and keep the explicit-mapping prose
- Testbox validation kept; Related links preserved
Audited every workflow name and CodeQL category against
.github/workflows/ — no stale references. File goes from 527 to 413
lines while preserving shard names, env vars, profiles, chunks, and
legacy-compat windows. Layout obeys oxfmt.
Adds the provider runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and fixes selector overlap for Plugin SDK/package-contract paths.
Adds the gateway runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and documents the shard selector behavior.
Adds the focused MCP/process/tool-execution CodeQL security shard and documents it in CI docs.
Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25132942030 passed on 9d8ca2bae7.
- New mcp-process-tool-boundary analysis 1200250367 returned 0 results.
- Branch open CodeQL alerts: none.
- Workflow Sanity, Blacksmith Testbox, Blacksmith Build Artifacts Testbox, and OpenGrep PR Diff passed.
