Commit Graph

77 Commits

Author SHA1 Message Date
Peter Steinberger
fece8c9f54 fix(release): keep validation evidence immutable across reruns (#103906)
* fix(release): bind validation evidence to exact attempts

* test(release): cover exact validation attempts
2026-07-10 20:16:19 +01:00
Peter Steinberger
fde42b5eea perf(ci): reuse npm preflight build outputs on same-SHA re-runs
The preflight ran 61 times at ~14 minutes during 2026.7.1, redoing the
full build and Control UI build after every late-step failure. Restore
dist outputs from an actions/cache keyed on the resolved target SHA and
lockfile hash (mirroring ci.yml's dist-build cache) so re-runs skip only
the build producers; every validation step still runs against the
restored artifacts.
2026-07-10 03:09:08 -07:00
Vincent Koc
0535679083 fix(release): validate exact prepared npm package sets (#102759)
* fix(release): validate prepared npm package sets

Forward-port the beta3 package-set preflight, Telegram, and Parallels validation to main while preserving main's existing Bun install smoke. Recompute decoded proxy response lengths and require artifact tarballs to exactly match the verified manifest.

* fix(release): lock fixture registry proxy origin
2026-07-09 05:19:24 -07:00
Kevin Lin
9eeebf7cb1 feat(release): preflight all extended-stable npm packages (#101757)
* feat(release): preflight all extended-stable npm packages

* fix(release): install packed ai runtime in smoke

* fix(release): install sibling tarballs before core

* fix(release): verify unpublished tarballs locally

* fix(release): declare local preflight dependencies

* fix(release): pack workspace dependencies for smoke

* fix(release): accept pnpm pack artifact path

* fix(release): seed ai in sdk smoke

* fix(release): preserve prepublish verifier compatibility
2026-07-08 08:01:00 -07:00
Kevin Lin
72ca911e3c fix(release): allow SHA-only extended-stable preflight (#101466) 2026-07-07 07:45:55 -07:00
Kevin Lin
9d2d517296 feat: publish plugins with extended-stable releases (#100448)
* feat(release): publish plugins on extended-stable

* feat(plugins): align extended-stable with core

* docs: explain extended-stable plugin alignment

* fix(release): make plugin convergence recoverable

* fix(plugins): preserve extended-stable fallback intent

* fix(release): keep plugin tag mutation credential-isolated
2026-07-05 16:16:26 -07:00
Peter Steinberger
062f88e3e3 refactor: extract reusable AI runtime package (#99059)
* refactor: extract reusable AI runtime package

* refactor: complete AI provider relocation

* refactor: keep llm core internal

* refactor(ai): make @openclaw/ai self-contained with host policy ports

Move pure transport helpers (tool projections, strict-schema normalization,
prompt-cache boundary, stream guards, anthropic/openai compat, request
activity) from src into packages/ai; move utf16-slice into
normalization-core. Inject host policy (guarded fetch, redaction,
strict-tool defaults, diagnostics logging) through AiTransportHost with
inert library defaults installed by src/llm/stream.ts. Narrow the public
barrel to instance-scoped createApiRegistry/createLlmRuntime; the
process-default runtime moves behind internal/ and
registerBuiltInApiProviders takes an explicit registry. Delete the
src/llm/api-registry re-export facade.

* fix(ai): teach node, jiti, and vite resolvers the @openclaw/ai and utf16-slice subpaths

The workspace alias tables in root-alias.cjs, plugin-sdk-native-resolver,
sdk-alias, the shared vitest config, and the Control UI vite config only
knew @openclaw/llm-core; Node-side plugin loading resolved @openclaw/ai
through the pnpm symlink to the unbuilt dist (checks-node-compact CI
failures), and the Control UI build broke on the new
normalization-core/utf16-slice subpath.

* chore(ui): drop leftover service-worker debug logging

* build(release): ship @openclaw/ai with its own shrinkwrap and honest dependency set

packages/ai declares only its six real runtime deps (kysely, chalk, json5,
tslog, zod, fs-safe, and proxyline were never imported); orphaned root deps
removed. generate-npm-shrinkwrap now treats publishable packages/* like
publishable plugins so the AI tarball pins its transitive tree even though
workspace deps are omitted from the root shrinkwrap. knip learns the
package entry points; the tsdown dts neverBundle option moves to its
documented deps.dts home; the README documents the no-semver internal/*
contract and host ports.

* docs(ai): add minimal external-consumer example app

examples/ai-chat consumes only the public @openclaw/ai surface (built dist
via the workspace link): isolated runtime, built-in provider registration,
one streamed completion. Supports Anthropic/OpenAI via env keys and a
keyless local Ollama target; live-verified against Ollama.

* docs(ai): document the @openclaw/ai package and workspace shrinkwrap boundary

* chore(check): include examples/ in duplicate-scan targets

* fix: emit normalization package subpaths

* fix: complete AI package boundary artifacts

* fix: align AI package boundary contracts

* fix(ci): stabilize package release contracts

* test: align documentation contract checks

* test: keep cron docs guard aligned

* test: align restored docs contract guards

* test: follow upstream docs contracts

* docs: drop superseded talk wording
2026-07-05 01:56:40 -04:00
Kevin Lin
ba7b5db74c feat(release): add monthly npm extended-stable publication (#99352)
* feat(release): add npm stable publication

* fix(release): allow stable full validation

* feat(release): add stable guard test bypass

* fix(release): allow stable maintenance after month rollover

* docs: refresh release documentation map

* refactor(release): rename monthly channel to extended-stable

* fix(release): repair extended-stable selector forward

* docs(release): fix extended-stable link
2026-07-04 08:22:39 -07:00
Vincent Koc
abb6f04e0c ci(release): harden release controls
One-time maintainer-authorized bootstrap merge for the release-gate verifier policy. Exact hosted CI and all supporting workflow gates passed on 66133de419.
2026-06-18 03:11:20 +08:00
Vincent Koc
2333137d83 fix(release): keep npm preflight pack names local 2026-06-17 03:40:19 +02:00
Vincent Koc
f5a7f613ee fix(release): use monthly patch versions
Switch release train handling to YYYY.M.PATCH monthly patch numbering, preserve pre-transition compatibility, and pin the June 2026 stable/beta floor at 2026.6.5 after the published beta.

Verification:
- node scripts/run-vitest.mjs run test/appcast.test.ts test/release-check.test.ts test/scripts/package-mac-app.test.ts test/scripts/package-mac-dist.test.ts test/openclaw-npm-release-check.test.ts test/npm-publish-plan.test.ts src/infra/npm-registry-spec.test.ts src/infra/clawhub.test.ts src/plugins/clawhub.test.ts test/plugin-npm-release.test.ts test/scripts/ios-version.test.ts test/scripts/ios-pin-version.test.ts
- node --import tsx scripts/plugin-npm-release-check.ts --base-ref origin/main --head-ref HEAD
- node --import tsx scripts/plugin-clawhub-release-check.ts --base-ref origin/main --head-ref HEAD
- git diff --check origin/main...HEAD
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --no-web-search
2026-06-06 12:26:32 -07:00
zhang-guiping
2fbddce881 fix(cli): avoid catalog validation in agents add (#88314)
Fixes #76284.

Thanks @zhangguiping-xydt.

Co-authored-by: 张贵萍0668001030 <zhang.guiping@xydigit.com>
2026-05-31 19:22:16 +01:00
Peter Steinberger
7d8fdef995 ci(release): run npm preflight on larger runner 2026-05-31 11:37:04 +01:00
Peter Steinberger
427df01d4e ci(release): checkout approval helper 2026-05-30 21:13:19 +01:00
Peter Steinberger
50b7a2ffa1 ci(release): allow direct publish recovery 2026-05-30 21:13:19 +01:00
Peter Steinberger
910354b07f docs: point release process at public evidence repo 2026-05-28 15:04:33 +01:00
Peter Steinberger
7439d78297 fix(release): accept sha-verified publish evidence 2026-05-24 04:17:40 +01:00
Peter Steinberger
9c26b87114 ci(release): isolate npm publish concurrency 2026-05-23 13:39:43 +01:00
Peter Steinberger
0e3726305b ci(release): allow beta publish after npm preflight 2026-05-23 13:39:43 +01:00
Peter Steinberger
a0702e195d build(pnpm): use packageManager as pnpm source
Recreated from #85108 because the original branch could not be updated by maintainers.

Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.

Co-authored-by: Altay <altay@hey.com>
2026-05-22 19:17:43 +01:00
Peter Steinberger
0604d25101 ci(release): preserve direct repair publishes 2026-05-21 07:58:15 +01:00
Peter Steinberger
1c5fda115f ci(release): streamline beta publish verification 2026-05-21 07:58:15 +01:00
Peter Steinberger
d7896ed4c9 ci: retry release artifact downloads 2026-05-20 01:59:34 +01:00
Peter Steinberger
375afbad2d ci: cancel duplicate Tideclaw alpha release runs 2026-05-20 00:42:39 +01:00
Peter Steinberger
451563b950 ci: allow Tideclaw alpha release workflows 2026-05-17 07:00:53 +01:00
Peter Steinberger
c4d8e0be18 ci: harden release validation flow 2026-05-17 06:34:58 +01:00
Peter Steinberger
55c275b00a ci(release): require full validation before npm publish 2026-05-15 17:33:28 +01:00
Peter Steinberger
6330fe607d fix(release): verify npm tarball before publish 2026-05-15 17:33:28 +01:00
Josh Avant
bd4db5ee62 Add dependency release safety evidence and PR awareness (#81325)
* test: cover dependency pin guard

* build: add dependency vulnerability gate

* build: add dependency risk report

* build: add dependency drift reports

* build: include dependency ownership surface evidence

* build: rename dependency report commands

* build: respect release age exclusions in risk report

* build: clarify transitive risk accounting

* build: remove transitive risk exception registry

* build: clarify transitive risk signal wording

* ci: attach dependency evidence to release preflight

* ci: extract dependency release evidence generator

* build: rename ownership surface dependency report

* ci: clarify release evidence naming

* build: clarify recently published risk report

* build: reorder transitive risk report sections

* build: fix ownership surface pluralization

* ci: surface dependency changes on PRs

* ci: harden dependency change awareness

* ci: use dependency changed PR label

* build: fix dependency report lint

* docs: add dependency safety changelog
2026-05-13 03:05:09 -05:00
Altay
8b95270cc9 ci(pnpm): use pnpm 11 in workflows 2026-05-11 00:48:14 +01:00
Peter Steinberger
18997be120 ci: speed up release validation reruns 2026-05-11 00:22:19 +01:00
Peter Steinberger
b52773870f ci: speed up release validation profiles 2026-05-10 15:55:24 +01:00
Peter Steinberger
bb294bcd20 feat: support alpha releases 2026-05-02 18:29:13 +01:00
Peter Steinberger
64fc449591 ci(release): use github runner for npm release gate 2026-04-23 16:49:53 +01:00
Peter Steinberger
c07b388f77 ci: keep pnpm alignment scoped to CI 2026-04-22 05:58:50 +01:00
Peter Steinberger
fbddef34bd perf(ci): trim provider catalog test setup 2026-04-22 05:57:22 +01:00
Peter Steinberger
b485ee7e36 docs: support release branch workflow 2026-04-21 05:33:21 +01:00
Peter Steinberger
24644e3c27 ci: remove sticky disk cache plumbing 2026-04-20 16:03:55 +01:00
Peter Steinberger
3ecb713b00 perf: speed local checks and warm builds 2026-04-20 15:08:41 +01:00
Peter Steinberger
91d31197be ci: run architecture check before release 2026-04-20 13:24:49 +01:00
Viz
c778562379 ci(security): harden workflow steps against template-injection (#68431)
zizmor v1.24.1 reports 8 template-injection findings across three workflow files where GitHub Actions ${{ ... }} expressions are interpolated directly into shell run: blocks. Applies the canonical fix pattern: hoist every dynamic value into a step-level env: block and reference it as a shell variable ("${VAR}") from the script.

Files changed:

- control-ui-locale-refresh.yml: move matrix.locale into env as LOCALE (1 site)

- docker-release.yml: hoist steps.tags.outputs.{value,slim} plus the four needs.build-{amd64,arm64}.outputs.{digest,slim-digest} values into env for both manifest-creation steps (6 sites)

- openclaw-npm-release.yml: hoist steps.publish_tarball.outputs.path into env as PUBLISH_TARBALL_PATH in the Publish step (1 site)

Verified locally with zizmor --persona regular on the three files: 'No findings to report. Good job!'. pnpm format:check and pnpm lint pass.

Refs #68428. Complements #66884, which covers the remaining 12 sites in openclaw-cross-os-release-checks-reusable.yml.
2026-04-18 02:04:55 -04:00
Onur Solmaz
27b14124d0 Release: move npm dist-tag ops private (#66660) 2026-04-14 18:18:27 +02:00
Peter Steinberger
8f0628d43b ci: use scoped npm auth for dist-tag sync 2026-04-14 15:43:24 +01:00
Peter Steinberger
c4b8d6d5ab ci: add stable npm dist-tag sync 2026-04-13 13:58:04 +01:00
Onur Solmaz
82865ad480 CI: use 32vCPU Blacksmith release runners 2026-04-13 00:52:45 +02:00
Onur
cdcdb4bb93 Release: separate release checks workflow (#65552)
* Release: separate live cache validation

* Docs: restore live validation secret details

* Release: rename live validation to release checks

* Release: document release check split rationale

* Release: tone down workflow warning

* Release: require full sha for release checks

* CI: use larger runners for release checks

* CI: keep release promotion on github runner

* CI: document github-hosted release jobs

* Release: allow sha validation-only preflight
2026-04-12 23:58:56 +02:00
Peter Steinberger
dfd4e9f8a1 fix(release): write npm auth for latest promotion 2026-04-11 04:29:25 +01:00
Peter Steinberger
b27918007a ci: tolerate noisy npm pack json output 2026-04-09 02:42:03 +01:00
Peter Steinberger
f3d73628ad fix: install bun in npm release preflight 2026-04-06 04:19:20 +01:00
Peter Steinberger
6e6b4f6004 ci: gate releases on live cache floors 2026-04-04 15:44:34 +09:00