# Release workflow: publishes the `openclaw` package to npm when a tag
# matching `v*` is pushed. The job validates the tag, refuses to continue if
# the version already exists on the registry, runs check/build/release
# verification, and only then publishes with provenance.
name: OpenClaw NPM Release

on:
  push:
    tags:
      - "v*"

# One group per pushed ref. `cancel-in-progress: false` means a newer run
# never cancels a publish that is already in flight for the same ref.
concurrency:
  group: openclaw-npm-release-${{ github.ref }}
  cancel-in-progress: false

env:
  NODE_VERSION: "22.x"
  PNPM_VERSION: "10.23.0"

jobs:
  publish_openclaw_npm:
    # npm trusted publishing + provenance requires a GitHub-hosted runner.
    runs-on: ubuntu-latest
    # Least privilege: GITHUB_TOKEN is limited to reading repository
    # contents, and `id-token: write` only allows requesting an OIDC token.
    # No npm token secret is referenced anywhere in this workflow.
    # NOTE(review): presumably the registry-side trusted-publisher entry
    # names this workflow file - confirm before renaming or moving it.
    permissions:
      contents: read
      id-token: write
    steps:
      # Full history (`fetch-depth: 0`) so the ancestry check in the
      # validation step has the commits it needs.
      # NOTE(review): `@v4` is a mutable tag. Every step in this job runs
      # with `id-token: write` in scope, so pinning third-party actions to a
      # full commit SHA is worth considering.
      # NOTE(review): checkout keeps the (read-only) GITHUB_TOKEN in the
      # local git config by default, and later steps run project scripts.
      # `persist-credentials: false` would drop it, if the `git fetch` below
      # still works without credentials - confirm.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Composite action from this repository; its definition is not visible
      # here. All inputs are passed as strings.
      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}
          install-bun: "false"
          use-sticky-disk: "false"

      # The tag name and SHA reach the script through environment variables
      # instead of being expanded into the script text, so an unusual tag
      # name is handled as data and never parsed as shell.
      # NOTE(review): presumably `release:openclaw:npm:check` reads the
      # RELEASE_* variables and rejects tags not contained in main - verify
      # against that script, which is not shown here.
      - name: Validate release tag and package metadata
        env:
          RELEASE_SHA: ${{ github.sha }}
          RELEASE_TAG: ${{ github.ref_name }}
          RELEASE_MAIN_REF: origin/main
        run: |
          set -euo pipefail
          # Fetch the full main ref so merge-base ancestry checks keep working
          # for older tagged commits that are still contained in main.
          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
          pnpm release:openclaw:npm:check

      # Stops the job when `npm view` succeeds for this exact version.
      # NOTE(review): any non-zero exit from `npm view` is read as "not yet
      # published", which includes registry or network errors, so this guard
      # fails open. The later `npm publish` is then the only remaining check.
      - name: Ensure version is not already published
        run: |
          set -euo pipefail
          PACKAGE_VERSION=$(node -p "require('./package.json').version")
          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
            exit 1
          fi
          echo "Publishing openclaw@${PACKAGE_VERSION}"

      # Gates ahead of publishing: a failure in any of the next three steps
      # ends the job before the Publish step runs.
      - name: Check
        run: pnpm check

      - name: Build
        run: pnpm build

      - name: Verify release contents
        run: pnpm release:check

      # Versions containing `-beta.` are published under the `beta` dist-tag;
      # every other version is published without an explicit `--tag`.
      # `--provenance` is passed on both paths.
      # NOTE(review): only `-beta.` is routed away from the default dist-tag.
      # Any other prerelease identifier would take the `else` branch -
      # confirm the validation step restricts which version formats get here.
      - name: Publish
        run: |
          set -euo pipefail
          PACKAGE_VERSION=$(node -p "require('./package.json').version")
          if [[ "$PACKAGE_VERSION" == *-beta.* ]]; then
            npm publish --access public --tag beta --provenance
          else
            npm publish --access public --provenance
          fi