Commit Graph

48 Commits

Author SHA1 Message Date
Vincent Koc
c47ceb0f3d improve(release): reuse exact-SHA validation evidence (#104162)
* perf(release): share changelog verification snapshots

* perf(release): reuse exact-SHA validation evidence

* feat(release): checkpoint candidate workflow state

* feat(release): watch CI transitions compactly

* fix(testbox): rotate stale reusable leases

* refactor(release): move CI verifier into scripts

* fix(release): preserve verifier executable mode

* fix(testbox): force noninteractive remote hydration

* perf(testbox): skip sync for proven clean heads

* fix(testbox): keep changed gates synchronized

* fix(testbox): isolate git state probes

* fix(testbox): isolate wrapper git commands

* fix(testbox): preserve git command contracts

* fix(release): validate reused SHA evidence

* fix(release): resume serialized plugin selections

* fix(testbox): sync source on every lease reuse

* fix(release): verify from trusted workflow checkout

* fix(release): gate evidence reuse on trusted lineage

* fix(release): support legacy verifier checkouts

* fix(testbox): export CI across shell snippets

* fix(release): revalidate reused evidence before publish

* fix(release): reject untrusted reuse before lookup

* fix(release): reuse SHA-pinned root evidence

* fix(ci): allow unreleased notes in QA packages

* fix(release): satisfy script lint contracts

* fix(release): handle Unicode workflow refs safely
2026-07-11 12:48:27 +08:00
Vincent Koc
b0e3c85a61 fix(release): bind publish children to trusted SHAs (#103913)
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-07-10 23:25:26 +01:00
Vincent Koc
54cc90b1b1 fix(release): publish ClawHub bootstrap artifacts immutably (#103809)
* fix(release): harden ClawHub bootstrap

* fix(release): centralize publication artifact verification

* fix(release): harden publication artifact verification

* fix(release): lock ClawHub bootstrap toolchain

* test(release): assert locked ClawHub binary

* fix(release): pack with trusted ClawHub harness

* fix(release): bound beta verifier artifact reads

* fix(release): bind target and tooling identities

* fix(release): stabilize signed package ordering

* fix(release): bind ClawHub pretag proof

* fix(release): bind ClawHub OIDC readback

* fix(release): bind ClawHub OIDC readback
2026-07-10 13:33:20 -07:00
Peter Steinberger
fece8c9f54 fix(release): keep validation evidence immutable across reruns (#103906)
* fix(release): bind validation evidence to exact attempts

* test(release): cover exact validation attempts
2026-07-10 20:16:19 +01:00
Peter Steinberger
f1b75bf5fa fix(release): leave canonical public release pages untouched on resume
Codex review: the early draft-page creation could rewrite an
already-public release with the proofless prepublish body, stripping its
verification section until the proof append re-ran — a failed resume
would leave the public page proofless. create_or_update now no-ops when
the existing page is public and already canonical (the state
guard_existing_public_release vetted); drafts still get refreshed
notes.
2026-07-10 03:09:10 -07:00
Peter Steinberger
8d66e47773 fix(release): prove registry tarball identity before resuming a publish
Codex review: version existence alone does not prove the npm registry
serves the tarball this tag's preflight built — the same version could
have been published from a different artifact and npm versions are
immutable. The resume resolver now downloads the preflight manifest,
requires its releaseSha to match the target, and compares the published
registry tarball's sha256 against the manifest before skipping the core
dispatch; mismatches abort with correction-tag guidance.
2026-07-10 03:09:10 -07:00
Peter Steinberger
cb350ad333 fix(release): guard asset-contract verifiers for if-predicate use
The retry short-circuits call the Android/Windows verifiers as if
predicates, where bash suppresses errexit inside the function; a failed
gh attestation verify would have fallen through to the summary echo and
classified an unverified APK as promoted. Every failure-capable command
in both verifiers now returns explicitly.
2026-07-10 03:09:09 -07:00
Peter Steinberger
a8d16113f6 fix(release): keep retry evidence stable and scope ClawHub verification skips
Codex review on the resumable publish chain: postpublish evidence embeds
the current run id, so retries regenerated different bytes and wedged on
the byte-identity asset check — the evidence json and its checksum now
replace the release asset (latest verification wins; prior copies stay
as workflow artifacts) while content-stable manifest and dependency
evidence remain byte-verified. ClawHub verification is now skipped only
when ClawHub itself failed, not when an unrelated Windows/Android
promotion flake set the aggregate failure flag.
2026-07-10 03:09:09 -07:00
Peter Steinberger
ef22e77f0b perf(release): make publish reruns resumable and promote assets concurrently
The 2026.7.1 retro measured ~13h tag-to-published for beta.2 and stable
2026.6.11; any post-npm failure previously hard-aborted retries because
the already-published guard refused the whole run.

- resolve_openclaw_npm_publish_state replaces the abort guard: an
  already-published core version skips the core npm dispatch and resumes
  the remaining stages; verify_published_release still proves the
  registry state matches the tag before the page leaves draft.
- Windows and Android promotion runs concurrently with the core npm
  publish (their only shared prerequisite is the draft release page,
  which is now created before the dispatch) and each promotion
  short-circuits when the release already carries its verified asset
  contract, so retries only redo failed stages.
- The release proof cites the core npm run only when this run dispatched
  one; resumed publishes rely on the registry package check.
2026-07-10 03:09:09 -07:00
Peter Steinberger
c2b4ac02da fix(release): align correction sections, retries, and merged ledger semantics
Codex review + test findings on the pipeline convergence:
- candidate changelog provenance now validates the same section the
  renderer publishes (correction tags may carry their own heading) via a
  shared correctionVersionForTag helper
- guard_existing_public_release accepts a canonical proofless body with
  intact dependency evidence, matching the renderer's documented
  proof-omitted-at-limit state; retries re-append the proof
- ledgerFor regains main's noteReferences threading so prose-cited PRs
  keep their contribution-record rows, and the ledger/verify tests pin
  the merged entry shape (externalReferences) and highlight gate
2026-07-10 02:06:52 -07:00
Peter Steinberger
336e43c314 fix(release): converge on the render-github-release-notes pipeline
Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:

- scripts/render-github-release-notes.mjs becomes the canonical release
  body renderer (full/compact 125k char+byte modes, tag-pinned record
  link, verification tail, canonical shipped-baseline format), now also
  preferring a correction tag's dedicated changelog section (from
  prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
  cumulative baselines, provenance checks, highlights gate, and the
  excluded-record rewrite fix, plus main's compact contribution rows,
  externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
  changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
  notes gate (retargeted to the renderer) and adopts release's
  render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
  release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
  runbooks and RELEASING.md document the converged contract.
2026-07-10 02:06:52 -07:00
Peter Steinberger
31f76b9792 fix(release): validate GitHub notes before publish (#103222) 2026-07-10 02:33:23 +01:00
Peter Steinberger
054e3675e1 feat(android): publish signed APKs with stable releases (#101212)
* feat(android): publish signed release APKs

* fix(android): preserve fallback corrections

* test(android): isolate APK signer fixtures

* docs: refresh generated docs map
2026-07-07 00:39:59 +01:00
Vincent Koc
78a8caef38 fix(release): require postpublish evidence artifact 2026-06-23 14:53:14 +08:00
Vincent Koc
1c3da22bcd fix(release): require exact publish child runs 2026-06-20 10:29:42 +02:00
Vincent Koc
abb6f04e0c ci(release): harden release controls
One-time maintainer-authorized bootstrap merge for the release-gate verifier policy. Exact hosted CI and all supporting workflow gates passed on 66133de419.
2026-06-18 03:11:20 +08:00
Vincent Koc
e71cf0ffcb fix(release): tolerate npm propagation after publish 2026-06-16 09:51:47 +08:00
Jason (Json)
8ae1adfdcc ci: gate stable releases on Windows companion assets (#92555)
* ci: gate stable releases on Windows companion assets

* fix(release): reject malformed Windows checksum manifests

* fix(release): make Windows recovery fail closed

* fix(release): tighten Windows asset identity checks

* fix(release): validate prepared candidate tarballs

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-06-13 19:33:33 -07:00
Patrick Erichsen
6cf06e8e7e ci: split plugin ClawHub publishing paths
* feat: partition clawhub plugin release candidates

* fix: read clawhub trusted publisher config endpoint

* feat: split clawhub plugin bootstrap workflow

* ci: split plugin clawhub publish paths

* ci: pin clawhub package publish workflow

* ci: keep clawhub bootstrap token out of builds

* ci: fix clawhub release dry-run gating

* ci: align clawhub oidc publish refs

* ci: make clawhub bootstrap recovery idempotent

* ci: route clawhub repair candidates through bootstrap

* ci: preserve tideclaw alpha clawhub guards

* ci: simplify clawhub release ref handling

* ci: extract clawhub release routing plan

* ci: extract clawhub release runtime state

* test: guard clawhub release helper executability

* ci: pin ClawHub CLI for plugin publishing

* ci: allow historical ClawHub dry-run validation

* ci: fix ClawHub bootstrap token handoff
2026-06-12 20:16:06 -07:00
Vincent Koc
6fb0c940fa fix(release): gate beta publish on plugin verification
Delay public GitHub release publication until postpublish verification, dependency evidence upload, proof append, and required plugin publish gates pass.

Also updates release-maintainer instructions so newly publishable plugins are minted/prepublished through an owner-approved path without consuming the next auto-bumped beta version unless that path is the actual release publish.
2026-06-11 20:42:58 +09:00
Vincent Koc
f5a7f613ee fix(release): use monthly patch versions
Switch release train handling to YYYY.M.PATCH monthly patch numbering, preserve pre-transition compatibility, and pin the June 2026 stable/beta floor at 2026.6.5 after the published beta.

Verification:
- node scripts/run-vitest.mjs run test/appcast.test.ts test/release-check.test.ts test/scripts/package-mac-app.test.ts test/scripts/package-mac-dist.test.ts test/openclaw-npm-release-check.test.ts test/npm-publish-plan.test.ts src/infra/npm-registry-spec.test.ts src/infra/clawhub.test.ts src/plugins/clawhub.test.ts test/plugin-npm-release.test.ts test/scripts/ios-version.test.ts test/scripts/ios-pin-version.test.ts
- node --import tsx scripts/plugin-npm-release-check.ts --base-ref origin/main --head-ref HEAD
- node --import tsx scripts/plugin-clawhub-release-check.ts --base-ref origin/main --head-ref HEAD
- git diff --check origin/main...HEAD
- .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main --no-web-search
2026-06-06 12:26:32 -07:00
Peter Steinberger
4e45010203 ci(release): fail fast on red release children
(cherry picked from commit 8d7038775f0a0a1bb5354ba6b6b708c6b2c3167b)
2026-06-01 22:42:53 +01:00
Peter Steinberger
cb765f1664 ci(release): require all plugins for core publish 2026-05-29 12:07:03 +01:00
Peter Steinberger
910354b07f docs: point release process at public evidence repo 2026-05-28 15:04:33 +01:00
Peter Steinberger
1e67af7006 ci(release): accept main full-validation proof 2026-05-27 13:58:14 +01:00
Peter Steinberger
a0702e195d build(pnpm): use packageManager as pnpm source
Recreated from #85108 because the original branch could not be updated by maintainers.

Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.

Co-authored-by: Altay <altay@hey.com>
2026-05-22 19:17:43 +01:00
Peter Steinberger
08f66133ef ci(release): link durable release evidence 2026-05-21 23:24:35 +01:00
Peter Steinberger
3faddfb506 ci(release): keep non-waiting clawhub publish best effort 2026-05-21 08:03:48 +01:00
Peter Steinberger
1c5fda115f ci(release): streamline beta publish verification 2026-05-21 07:58:15 +01:00
Peter Steinberger
d7896ed4c9 ci: retry release artifact downloads 2026-05-20 01:59:34 +01:00
Peter Steinberger
2a01fbb56c ci: keep ClawHub advisory for alpha publish 2026-05-20 01:57:00 +01:00
Peter Steinberger
451563b950 ci: allow Tideclaw alpha release workflows 2026-05-17 07:00:53 +01:00
Peter Steinberger
1ceebf8a01 ci: harden release publish evidence 2026-05-17 06:34:58 +01:00
Peter Steinberger
c4d8e0be18 ci: harden release validation flow 2026-05-17 06:34:58 +01:00
Peter Steinberger
55c275b00a ci(release): require full validation before npm publish 2026-05-15 17:33:28 +01:00
Josh Avant
bd4db5ee62 Add dependency release safety evidence and PR awareness (#81325)
* test: cover dependency pin guard

* build: add dependency vulnerability gate

* build: add dependency risk report

* build: add dependency drift reports

* build: include dependency ownership surface evidence

* build: rename dependency report commands

* build: respect release age exclusions in risk report

* build: clarify transitive risk accounting

* build: remove transitive risk exception registry

* build: clarify transitive risk signal wording

* ci: attach dependency evidence to release preflight

* ci: extract dependency release evidence generator

* build: rename ownership surface dependency report

* ci: clarify release evidence naming

* build: clarify recently published risk report

* build: reorder transitive risk report sections

* build: fix ownership surface pluralization

* ci: surface dependency changes on PRs

* ci: harden dependency change awareness

* ci: use dependency changed PR label

* build: fix dependency report lint

* docs: add dependency safety changelog
2026-05-13 03:05:09 -05:00
Peter Steinberger
a4acd33097 ci: speed up beta release verification
(cherry picked from commit 7ca9b58a27)
2026-05-12 06:21:09 +01:00
Altay
8b95270cc9 ci(pnpm): use pnpm 11 in workflows 2026-05-11 00:48:14 +01:00
Peter Steinberger
18997be120 ci: speed up release validation reruns 2026-05-11 00:22:19 +01:00
Peter Steinberger
522f3296a7 ci: forward-port release validation fixes 2026-05-10 20:38:36 +01:00
Peter Steinberger
b52773870f ci: speed up release validation profiles 2026-05-10 15:55:24 +01:00
Peter Steinberger
ac15c919c4 ci: tighten release publish timeouts 2026-05-10 15:55:24 +01:00
Peter Steinberger
fa8a85586c ci(release): create GitHub release during publish 2026-05-07 22:03:46 +01:00
Peter Steinberger
a68ad39877 ci(release): speed up beta publish path 2026-05-07 15:02:24 +01:00
Peter Steinberger
39b17310b6 ci: parallelize release publish workflows 2026-05-06 10:45:29 +01:00
Peter Steinberger
f789f8e394 ci: fix release publish repo context
(cherry picked from commit 202b7fd597)
2026-05-03 14:37:17 +01:00
Peter Steinberger
bb294bcd20 feat: support alpha releases 2026-05-02 18:29:13 +01:00
Peter Steinberger
cdd8e81075 ci: orchestrate plugin release publishing 2026-05-02 07:24:02 +01:00