Codex review: version existence alone does not prove the npm registry
serves the tarball this tag's preflight built — the same version could
have been published from a different artifact and npm versions are
immutable. The resume resolver now downloads the preflight manifest,
requires its releaseSha to match the target, and compares the published
registry tarball's sha256 against the manifest before skipping the core
dispatch; mismatches abort with correction-tag guidance.
The 2026.7.1 retro measured ~13h tag-to-published for beta.2 and stable
2026.6.11; any post-npm failure previously hard-aborted retries because
the already-published guard refused the whole run.
- resolve_openclaw_npm_publish_state replaces the abort guard: an
already-published core version skips the core npm dispatch and resumes
the remaining stages; verify_published_release still proves the
registry state matches the tag before the page leaves draft.
- Windows and Android promotion runs concurrently with the core npm
publish (their only shared prerequisite is the draft release page,
which is now created before the dispatch) and each promotion
short-circuits when the release already carries its verified asset
contract, so retries only redo failed stages.
- The release proof cites the core npm run only when this run dispatched
one; resumed publishes rely on the registry package check.
The preflight ran 61 times at ~14 minutes during 2026.7.1, redoing the
full build and Control UI build after every late-step failure. Restore
dist outputs from an actions/cache keyed on the resolved target SHA and
lockfile hash (mirroring ci.yml's dist-build cache) so re-runs skip only
the build producers; every validation step still runs against the
restored artifacts.
Shipped alpha tags carry a dedicated ## X-alpha.N heading with no base
section (see v2026.6.20-alpha.1's tagged CHANGELOG.md); the renderer and
candidate provenance now prefer that dedicated heading for alpha and
correction tags while beta/stable remain pinned to the stable base
section per #103222.
Codex review + test findings on the pipeline convergence:
- candidate changelog provenance now validates the same section the
renderer publishes (correction tags may carry their own heading) via a
shared correctionVersionForTag helper
- guard_existing_public_release accepts a canonical proofless body with
intact dependency evidence, matching the renderer's documented
proof-omitted-at-limit state; retries re-append the proof
- ledgerFor regains main's noteReferences threading so prose-cited PRs
keep their contribution-record rows, and the ledger/verify tests pin
the merged entry shape (externalReferences) and highlight gate
Two competing release-notes pipelines existed: the release branch's
hardened render/verify/provenance pipeline (a486f3ab08 + dcee1da876,
battle-tested by 2026.7.1) and main's lighter prepare-github-release-notes
size gate (#103222). Repo policy is one canonical path; the release-branch
pipeline wins and main's unique value is grafted in:
- scripts/render-github-release-notes.mjs becomes the canonical release
body renderer (full/compact 125k char+byte modes, tag-pinned record
link, verification tail, canonical shipped-baseline format), now also
preferring a correction tag's dedicated changelog section (from
prepare's heading matrix).
- verify-release-notes.mjs is a three-way merge: release's --shipped-ref
cumulative baselines, provenance checks, highlights gate, and the
excluded-record rewrite fix, plus main's compact contribution rows,
externalReferences threading, and both-heading parser compat.
- release-candidate-checklist.mjs gains validateCandidateCheckout and
changelog-provenance gates that run before any dispatch.
- openclaw-release-publish.yml keeps main's fail-before-mutation early
notes gate (retargeted to the renderer) and adopts release's
render/verify_release_tag_target/canonical_release_body_matches flow.
- scripts/prepare-github-release-notes.mjs and its test are deleted;
release-notes-ledger.test.ts stays and pins the merged verify exports.
- .gitignore tracks every repo skill for Git-aware syncs; SKILL.md
runbooks and RELEASING.md document the converged contract.
Codex review round four: workflows execute helper scripts from the
workflow ref, so comparing only the .github/workflows tree missed
script-only harness changes. Harness equivalence now means the git tree
diff between the candidate run's head SHA and the current workflow SHA
is itself release-metadata-only, using the same canonical classifier as
the target delta. The classifier's worktree overlay no longer applies
when --head is an explicit SHA, keeping SHA-exact comparisons exact.
Codex review round three: a prior green run may have executed with
different lane definitions; the resolver now compares the candidate
run head SHA's .github/workflows tree against the current workflow
ref before accepting its manifest.