Codex review: the early draft-page creation could rewrite an
already-public release with the proofless prepublish body, stripping its
verification section until the proof append re-ran — a failed resume
would leave the public page proofless. create_or_update now no-ops when
the existing page is public and already canonical (the state
guard_existing_public_release vetted); drafts still get refreshed
notes.
Codex review: version existence alone does not prove the npm registry
serves the tarball this tag's preflight built — the same version could
have been published from a different artifact and npm versions are
immutable. The resume resolver now downloads the preflight manifest,
requires its releaseSha to match the target, and compares the published
registry tarball's sha256 against the manifest before skipping the core
dispatch; mismatches abort with correction-tag guidance.
The retry short-circuits call the Android/Windows verifiers as if
predicates, where bash suppresses errexit inside the function; a failed
gh attestation verify would have fallen through to the summary echo and
classified an unverified APK as promoted. Every failure-capable command
in both verifiers now returns explicitly.
Codex review on the resumable publish chain: postpublish evidence embeds
the current run id, so retries regenerated different bytes and wedged on
the byte-identity asset check — the evidence json and its checksum now
replace the release asset (latest verification wins; prior copies stay
as workflow artifacts) while content-stable manifest and dependency
evidence remain byte-verified. ClawHub verification is now skipped only
when ClawHub itself failed, not when an unrelated Windows/Android
promotion flake set the aggregate failure flag.
The 2026.7.1 retro measured ~13h tag-to-published for beta.2 and stable
2026.6.11; any post-npm failure previously hard-aborted retries because
the already-published guard refused the whole run.
- resolve_openclaw_npm_publish_state replaces the abort guard: an
already-published core version skips the core npm dispatch and resumes
the remaining stages; verify_published_release still proves the
registry state matches the tag before the page leaves draft.
- Windows and Android promotion runs concurrently with the core npm
publish (their only shared prerequisite is the draft release page,
which is now created before the dispatch) and each promotion
short-circuits when the release already carries its verified asset
contract, so retries only redo failed stages.
- The release proof cites the core npm run only when this run dispatched
one; resumed publishes rely on the registry package check.
Codex review + test findings on the pipeline convergence:
- candidate changelog provenance now validates the same section the
renderer publishes (correction tags may carry their own heading) via a
shared correctionVersionForTag helper
- guard_existing_public_release accepts a canonical proofless body with
intact dependency evidence, matching the renderer's documented
proof-omitted-at-limit state; retries re-append the proof
- ledgerFor regains main's noteReferences threading so prose-cited PRs
keep their contribution-record rows, and the ledger/verify tests pin
the merged entry shape (externalReferences) and highlight gate
Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:
- scripts/render-github-release-notes.mjs becomes the canonical release
body renderer (full/compact 125k char+byte modes, tag-pinned record
link, verification tail, canonical shipped-baseline format), now also
preferring a correction tag's dedicated changelog section (from
prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
cumulative baselines, provenance checks, highlights gate, and the
excluded-record rewrite fix, plus main's compact contribution rows,
externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
notes gate (retargeted to the renderer) and adopts release's
render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
runbooks and RELEASING.md document the converged contract.
One-time maintainer-authorized bootstrap merge for the release-gate verifier policy. Exact hosted CI and all supporting workflow gates passed on 66133de419.
Delay public GitHub release publication until postpublish verification, dependency evidence upload, proof append, and required plugin publish gates pass.
Also updates release-maintainer instructions so newly publishable plugins are minted/prepublished through an owner-approved path without consuming the next auto-bumped beta version unless that path is the actual release publish.
Recreated from #85108 because the original branch could not be updated by maintainers.
Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.
Co-authored-by: Altay <altay@hey.com>