name: OpenClaw NPM Release on: workflow_dispatch: inputs: tag: description: Release tag to publish (for example v2026.3.22, v2026.3.22-beta.1, or fallback v2026.3.22-1) required: true type: string preflight_only: description: Run validation/build only and skip the gated publish job required: true default: false type: boolean preflight_run_id: description: Existing preflight workflow run id to promote without rebuilding required: false type: string concurrency: group: openclaw-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }} cancel-in-progress: false env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" PNPM_VERSION: "10.23.0" jobs: preflight_openclaw_npm: runs-on: ubuntu-latest permissions: contents: read steps: - name: Validate tag input format env: RELEASE_TAG: ${{ inputs.tag }} run: | set -euo pipefail if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then echo "Invalid release tag format: ${RELEASE_TAG}" exit 1 fi - name: Checkout uses: actions/checkout@v6 with: ref: refs/tags/${{ inputs.tag }} fetch-depth: 0 - name: Setup Node environment uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" use-sticky-disk: "false" - name: Ensure version is not already published env: PREFLIGHT_ONLY: ${{ inputs.preflight_only }} run: | set -euo pipefail PACKAGE_VERSION=$(node -p "require('./package.json').version") if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then if [[ "${PREFLIGHT_ONLY}" == "true" ]]; then echo "openclaw@${PACKAGE_VERSION} is already published on npm; continuing because preflight_only=true." exit 0 fi echo "openclaw@${PACKAGE_VERSION} is already published on npm." exit 1 fi echo "Publishing openclaw@${PACKAGE_VERSION}" - name: Check env: OPENCLAW_LOCAL_CHECK: "0" run: pnpm check - name: Build run: pnpm build - name: Build Control UI run: pnpm ui:build - name: Validate release tag and package metadata env: RELEASE_TAG: ${{ inputs.tag }} RELEASE_MAIN_REF: origin/main run: | set -euo pipefail RELEASE_SHA=$(git rev-parse HEAD) export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF # Fetch the full main ref so merge-base ancestry checks keep working # for older tagged commits that are still contained in main. git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main pnpm release:openclaw:npm:check - name: Verify release contents run: pnpm release:check - name: Pack prepared npm tarball id: packed_tarball env: OPENCLAW_PREPACK_PREPARED: "1" run: | set -euo pipefail PACK_JSON="$(npm pack --json)" echo "$PACK_JSON" PACK_PATH="$(printf '%s\n' "$PACK_JSON" | node -e 'const chunks=[]; process.stdin.on("data", (chunk) => chunks.push(chunk)); process.stdin.on("end", () => { const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8")); const first = Array.isArray(parsed) ? parsed[0] : null; if (!first || typeof first.filename !== "string" || !first.filename) { process.exit(1); } process.stdout.write(first.filename); });')" if [[ -z "$PACK_PATH" || ! -f "$PACK_PATH" ]]; then echo "npm pack did not produce a tarball file." >&2 exit 1 fi echo "path=$PACK_PATH" >> "$GITHUB_OUTPUT" - name: Upload prepared npm tarball uses: actions/upload-artifact@v7 with: name: openclaw-npm-preflight-${{ inputs.tag }} path: ${{ steps.packed_tarball.outputs.path }} if-no-files-found: error validate_publish_dispatch_ref: if: ${{ !inputs.preflight_only }} runs-on: ubuntu-latest permissions: contents: read steps: - name: Require main workflow ref for publish env: WORKFLOW_REF: ${{ github.ref }} run: | set -euo pipefail if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]]; then echo "Real publish runs must be dispatched from main. Use preflight_only=true for branch validation." exit 1 fi publish_openclaw_npm: # npm trusted publishing + provenance requires a GitHub-hosted runner. needs: [preflight_openclaw_npm, validate_publish_dispatch_ref] if: ${{ !inputs.preflight_only }} runs-on: ubuntu-latest environment: npm-release permissions: actions: read contents: read id-token: write steps: - name: Validate tag input format env: RELEASE_TAG: ${{ inputs.tag }} run: | set -euo pipefail if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then echo "Invalid release tag format: ${RELEASE_TAG}" exit 1 fi - name: Checkout uses: actions/checkout@v6 with: ref: refs/tags/${{ inputs.tag }} fetch-depth: 0 - name: Setup Node environment uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" use-sticky-disk: "false" - name: Ensure version is not already published run: | set -euo pipefail PACKAGE_VERSION=$(node -p "require('./package.json').version") if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then echo "openclaw@${PACKAGE_VERSION} is already published on npm." exit 1 fi echo "Publishing openclaw@${PACKAGE_VERSION}" - name: Download prepared npm tarball if: ${{ inputs.preflight_run_id != '' }} uses: actions/download-artifact@v8 with: name: openclaw-npm-preflight-${{ inputs.tag }} path: preflight-tarball repository: ${{ github.repository }} run-id: ${{ inputs.preflight_run_id }} github-token: ${{ github.token }} - name: Build if: ${{ inputs.preflight_run_id == '' }} run: pnpm build - name: Build Control UI if: ${{ inputs.preflight_run_id == '' }} run: pnpm ui:build - name: Validate release tag and package metadata env: RELEASE_TAG: ${{ inputs.tag }} RELEASE_MAIN_REF: origin/main run: | set -euo pipefail RELEASE_SHA=$(git rev-parse HEAD) export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF # Fetch the full main ref so merge-base ancestry checks keep working # for older tagged commits that are still contained in main. git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main pnpm release:openclaw:npm:check - name: Resolve publish tarball id: publish_tarball if: ${{ inputs.preflight_run_id != '' }} run: | set -euo pipefail TARBALL_PATH="$(find preflight-tarball -maxdepth 1 -type f -name '*.tgz' -print | sort | tail -n 1)" if [[ -z "$TARBALL_PATH" ]]; then echo "Prepared preflight tarball not found." >&2 ls -la preflight-tarball >&2 || true exit 1 fi echo "path=$TARBALL_PATH" >> "$GITHUB_OUTPUT" - name: Publish env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} OPENCLAW_PREPACK_PREPARED: "1" run: bash scripts/openclaw-npm-publish.sh --publish "${{ steps.publish_tarball.outputs.path }}"