mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-07 03:00:44 +00:00
255 lines
14 KiB
Markdown
255 lines
14 KiB
Markdown
---
|
|
summary: "Public release channels, version naming, and cadence"
|
|
title: "Release policy"
|
|
read_when:
|
|
- Looking for public release channel definitions
|
|
- Looking for version naming and cadence
|
|
---
|
|
|
|
OpenClaw has three public release lanes:
|
|
|
|
- stable: tagged releases that publish to npm `beta` by default, or to npm `latest` when explicitly requested
|
|
- beta: prerelease tags that publish to npm `beta`
|
|
- dev: the moving head of `main`
|
|
|
|
## Version naming
|
|
|
|
- Stable release version: `YYYY.M.D`
|
|
- Git tag: `vYYYY.M.D`
|
|
- Stable correction release version: `YYYY.M.D-N`
|
|
- Git tag: `vYYYY.M.D-N`
|
|
- Beta prerelease version: `YYYY.M.D-beta.N`
|
|
- Git tag: `vYYYY.M.D-beta.N`
|
|
- Do not zero-pad month or day
|
|
- `latest` means the current promoted stable npm release
|
|
- `beta` means the current beta install target
|
|
- Stable and stable correction releases publish to npm `beta` by default; release operators can target `latest` explicitly, or promote a vetted beta build later
|
|
- Every stable OpenClaw release ships the npm package and macOS app together;
|
|
beta releases normally validate and publish the npm/package path first, with
|
|
mac app build/sign/notarize reserved for stable unless explicitly requested
|
|
|
|
## Release cadence
|
|
|
|
- Releases move beta-first
|
|
- Stable follows only after the latest beta is validated
|
|
- Maintainers normally cut releases from a `release/YYYY.M.D` branch created
|
|
from current `main`, so release validation and fixes do not block new
|
|
development on `main`
|
|
- If a beta tag has been pushed or published and needs a fix, maintainers cut
|
|
the next `-beta.N` tag instead of deleting or recreating the old beta tag
|
|
- Detailed release procedure, approvals, credentials, and recovery notes are
|
|
maintainer-only
|
|
|
|
## Release preflight
|
|
|
|
- Run `pnpm check:test-types` before release preflight so test TypeScript stays
|
|
covered outside the faster local `pnpm check` gate
|
|
- Run `pnpm check:architecture` before release preflight so the broader import
|
|
cycle and architecture boundary checks are green outside the faster local gate
|
|
- Run `pnpm build && pnpm ui:build` before `pnpm release:check` so the expected
|
|
`dist/*` release artifacts and Control UI bundle exist for the pack
|
|
validation step
|
|
- Run the manual `Full Release Validation` workflow before release approval
|
|
when you need the whole release validation suite from one entrypoint. It
|
|
accepts a branch, tag, or full commit SHA, dispatches manual `CI`, and
|
|
dispatches `OpenClaw Release Checks` for install smoke, Docker release-path
|
|
suites, live/E2E, OpenWebUI, QA Lab parity, Matrix, and Telegram lanes.
|
|
Provide `npm_telegram_package_spec` only after a package has been published
|
|
and the post-publish Telegram E2E should run too.
|
|
Example: `gh workflow run full-release-validation.yml --ref main -f ref=release/YYYY.M.D`
|
|
- Run the manual `Package Acceptance` workflow when you want side-channel proof
|
|
for a package candidate while release work continues. Use `source=npm` for
|
|
`openclaw@beta`, `openclaw@latest`, or an exact release version; `source=ref`
|
|
to pack a trusted branch/tag/SHA; `source=url` for an HTTPS tarball with a
|
|
required SHA-256; or `source=artifact` for a tarball uploaded by another
|
|
GitHub Actions run. The workflow resolves the candidate to
|
|
`package-under-test`, reuses the Docker E2E release scheduler against that
|
|
tarball, and can optionally run published-npm Telegram QA.
|
|
Example: `gh workflow run package-acceptance.yml --ref main -f source=npm -f package_spec=openclaw@beta -f suite_profile=product`
|
|
Common profiles:
|
|
- `smoke`: install/channel/agent, gateway network, and config reload lanes
|
|
- `package`: package/update/plugin lanes without OpenWebUI
|
|
- `product`: package profile plus MCP channels, cron/subagent cleanup,
|
|
OpenAI web search, and OpenWebUI
|
|
- `full`: Docker release-path chunks with OpenWebUI
|
|
- `custom`: exact `docker_lanes` selection for a focused rerun
|
|
- Run the manual `CI` workflow directly when you only need full normal CI
|
|
coverage for the release candidate. Manual CI dispatches bypass changed
|
|
scoping and force the Linux Node shards, bundled-plugin shards, channel
|
|
contracts, Node 22 compatibility, `check`, `check-additional`, build smoke,
|
|
docs checks, Python skills, Windows, macOS, Android, and Control UI i18n
|
|
lanes.
|
|
Example: `gh workflow run ci.yml --ref release/YYYY.M.D`
|
|
- Run `pnpm qa:otel:smoke` when validating release telemetry. It exercises
|
|
QA-lab through a local OTLP/HTTP receiver and verifies the exported trace
|
|
span names, bounded attributes, and content/identifier redaction without
|
|
requiring Opik, Langfuse, or another external collector.
|
|
- Run `pnpm release:check` before every tagged release
|
|
- Release checks now run in a separate manual workflow:
|
|
`OpenClaw Release Checks`
|
|
- `OpenClaw Release Checks` also runs the QA Lab mock parity gate plus the live
|
|
Matrix and Telegram QA lanes before release approval. The live lanes use the
|
|
`qa-live-shared` environment; Telegram also uses Convex CI credential leases.
|
|
- Cross-OS install and upgrade runtime validation is dispatched from the
|
|
private caller workflow
|
|
`openclaw/releases-private/.github/workflows/openclaw-cross-os-release-checks.yml`,
|
|
which invokes the reusable public workflow
|
|
`.github/workflows/openclaw-cross-os-release-checks-reusable.yml`
|
|
- This split is intentional: keep the real npm release path short,
|
|
deterministic, and artifact-focused, while slower live checks stay in their
|
|
own lane so they do not stall or block publish
|
|
- Secret-bearing release checks should be dispatched through `Full Release
|
|
Validation` or from the `main`/release workflow ref so workflow logic and
|
|
secrets stay controlled
|
|
- `OpenClaw Release Checks` accepts a branch, tag, or full commit SHA as long
|
|
as the resolved commit is reachable from an OpenClaw branch or release tag
|
|
- `OpenClaw NPM Release` validation-only preflight also accepts the current
|
|
full 40-character workflow-branch commit SHA without requiring a pushed tag
|
|
- That SHA path is validation-only and cannot be promoted into a real publish
|
|
- In SHA mode the workflow synthesizes `v<package.json version>` only for the
|
|
package metadata check; real publish still requires a real release tag
|
|
- Both workflows keep the real publish and promotion path on GitHub-hosted
|
|
runners, while the non-mutating validation path can use the larger
|
|
Blacksmith Linux runners
|
|
- That workflow runs
|
|
`OPENCLAW_LIVE_TEST=1 OPENCLAW_LIVE_CACHE_TEST=1 pnpm test:live:cache`
|
|
using both `OPENAI_API_KEY` and `ANTHROPIC_API_KEY` workflow secrets
|
|
- npm release preflight no longer waits on the separate release checks lane
|
|
- Run `RELEASE_TAG=vYYYY.M.D node --import tsx scripts/openclaw-npm-release-check.ts`
|
|
(or the matching beta/correction tag) before approval
|
|
- After npm publish, run
|
|
`node --import tsx scripts/openclaw-npm-postpublish-verify.ts YYYY.M.D`
|
|
(or the matching beta/correction version) to verify the published registry
|
|
install path in a fresh temp prefix
|
|
- After a beta publish, run `OPENCLAW_NPM_TELEGRAM_PACKAGE_SPEC=openclaw@YYYY.M.D-beta.N OPENCLAW_NPM_TELEGRAM_CREDENTIAL_SOURCE=convex OPENCLAW_NPM_TELEGRAM_CREDENTIAL_ROLE=ci pnpm test:docker:npm-telegram-live`
|
|
to verify installed-package onboarding, Telegram setup, and real Telegram E2E
|
|
against the published npm package using the shared leased Telegram credential
|
|
pool. Local maintainer one-offs may omit the Convex vars and pass the three
|
|
`OPENCLAW_QA_TELEGRAM_*` env credentials directly.
|
|
- Maintainers can run the same post-publish check from GitHub Actions via the
|
|
manual `NPM Telegram Beta E2E` workflow. It is intentionally manual-only and
|
|
does not run on every merge.
|
|
- Maintainer release automation now uses preflight-then-promote:
|
|
- real npm publish must pass a successful npm `preflight_run_id`
|
|
- the real npm publish must be dispatched from the same `main` or
|
|
`release/YYYY.M.D` branch as the successful preflight run
|
|
- stable npm releases default to `beta`
|
|
- stable npm publish can target `latest` explicitly via workflow input
|
|
- token-based npm dist-tag mutation now lives in
|
|
`openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
|
|
for security, because `npm dist-tag add` still needs `NPM_TOKEN` while the
|
|
public repo keeps OIDC-only publish
|
|
- public `macOS Release` is validation-only
|
|
- real private mac publish must pass successful private mac
|
|
`preflight_run_id` and `validate_run_id`
|
|
- the real publish paths promote prepared artifacts instead of rebuilding
|
|
them again
|
|
- For stable correction releases like `YYYY.M.D-N`, the post-publish verifier
|
|
also checks the same temp-prefix upgrade path from `YYYY.M.D` to `YYYY.M.D-N`
|
|
so release corrections cannot silently leave older global installs on the
|
|
base stable payload
|
|
- npm release preflight fails closed unless the tarball includes both
|
|
`dist/control-ui/index.html` and a non-empty `dist/control-ui/assets/` payload
|
|
so we do not ship an empty browser dashboard again
|
|
- Post-publish verification also checks that the published registry install
|
|
contains non-empty bundled plugin runtime deps under the root `dist/*`
|
|
layout. A release that ships with missing or empty bundled plugin
|
|
dependency payloads fails the postpublish verifier and cannot be promoted
|
|
to `latest`.
|
|
- `pnpm test:install:smoke` also enforces the npm pack `unpackedSize` budget on
|
|
the candidate update tarball, so installer e2e catches accidental pack bloat
|
|
before the release publish path
|
|
- If the release work touched CI planning, extension timing manifests, or
|
|
extension test matrices, regenerate and review the planner-owned
|
|
`checks-node-extensions` workflow matrix outputs from `.github/workflows/ci.yml`
|
|
before approval so release notes do not describe a stale CI layout
|
|
- Stable macOS release readiness also includes the updater surfaces:
|
|
- the GitHub release must end up with the packaged `.zip`, `.dmg`, and `.dSYM.zip`
|
|
- `appcast.xml` on `main` must point at the new stable zip after publish
|
|
- the packaged app must keep a non-debug bundle id, a non-empty Sparkle feed
|
|
URL, and a `CFBundleVersion` at or above the canonical Sparkle build floor
|
|
for that release version
|
|
|
|
## NPM workflow inputs
|
|
|
|
`OpenClaw NPM Release` accepts these operator-controlled inputs:
|
|
|
|
- `tag`: required release tag such as `v2026.4.2`, `v2026.4.2-1`, or
|
|
`v2026.4.2-beta.1`; when `preflight_only=true`, it may also be the current
|
|
full 40-character workflow-branch commit SHA for validation-only preflight
|
|
- `preflight_only`: `true` for validation/build/package only, `false` for the
|
|
real publish path
|
|
- `preflight_run_id`: required on the real publish path so the workflow reuses
|
|
the prepared tarball from the successful preflight run
|
|
- `npm_dist_tag`: npm target tag for the publish path; defaults to `beta`
|
|
|
|
`OpenClaw Release Checks` accepts these operator-controlled inputs:
|
|
|
|
- `ref`: branch, tag, or full commit SHA to validate. Secret-bearing checks
|
|
require the resolved commit to be reachable from an OpenClaw branch or
|
|
release tag.
|
|
|
|
Rules:
|
|
|
|
- Stable and correction tags may publish to either `beta` or `latest`
|
|
- Beta prerelease tags may publish only to `beta`
|
|
- For `OpenClaw NPM Release`, full commit SHA input is allowed only when
|
|
`preflight_only=true`
|
|
- `OpenClaw Release Checks` and `Full Release Validation` are always
|
|
validation-only
|
|
- The real publish path must use the same `npm_dist_tag` used during preflight;
|
|
the workflow verifies that metadata before publish continues
|
|
|
|
## Stable npm release sequence
|
|
|
|
When cutting a stable npm release:
|
|
|
|
1. Run `OpenClaw NPM Release` with `preflight_only=true`
|
|
- Before a tag exists, you may use the current full workflow-branch commit
|
|
SHA for a validation-only dry run of the preflight workflow
|
|
2. Choose `npm_dist_tag=beta` for the normal beta-first flow, or `latest` only
|
|
when you intentionally want a direct stable publish
|
|
3. Run `Full Release Validation` on the release branch, release tag, or full
|
|
commit SHA when you want normal CI plus live prompt cache, Docker, QA Lab,
|
|
Matrix, and Telegram coverage from one manual workflow
|
|
4. If you intentionally only need the deterministic normal test graph, run the
|
|
manual `CI` workflow on the release ref instead
|
|
5. Save the successful `preflight_run_id`
|
|
6. Run `OpenClaw NPM Release` again with `preflight_only=false`, the same
|
|
`tag`, the same `npm_dist_tag`, and the saved `preflight_run_id`
|
|
7. If the release landed on `beta`, use the private
|
|
`openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`
|
|
workflow to promote that stable version from `beta` to `latest`
|
|
8. If the release intentionally published directly to `latest` and `beta`
|
|
should follow the same stable build immediately, use that same private
|
|
workflow to point both dist-tags at the stable version, or let its scheduled
|
|
self-healing sync move `beta` later
|
|
|
|
The dist-tag mutation lives in the private repo for security because it still
|
|
requires `NPM_TOKEN`, while the public repo keeps OIDC-only publish.
|
|
|
|
That keeps the direct publish path and the beta-first promotion path both
|
|
documented and operator-visible.
|
|
|
|
If a maintainer must fall back to local npm authentication, run any 1Password
|
|
CLI (`op`) commands only inside a dedicated tmux session. Do not call `op`
|
|
directly from the main agent shell; keeping it inside tmux makes prompts,
|
|
alerts, and OTP handling observable and prevents repeated host alerts.
|
|
|
|
## Public references
|
|
|
|
- [`.github/workflows/openclaw-npm-release.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-npm-release.yml)
|
|
- [`.github/workflows/openclaw-release-checks.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-release-checks.yml)
|
|
- [`.github/workflows/openclaw-cross-os-release-checks-reusable.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-cross-os-release-checks-reusable.yml)
|
|
- [`scripts/openclaw-npm-release-check.ts`](https://github.com/openclaw/openclaw/blob/main/scripts/openclaw-npm-release-check.ts)
|
|
- [`scripts/package-mac-dist.sh`](https://github.com/openclaw/openclaw/blob/main/scripts/package-mac-dist.sh)
|
|
- [`scripts/make_appcast.sh`](https://github.com/openclaw/openclaw/blob/main/scripts/make_appcast.sh)
|
|
|
|
Maintainers use the private release docs in
|
|
[`openclaw/maintainers/release/README.md`](https://github.com/openclaw/maintainers/blob/main/release/README.md)
|
|
for the actual runbook.
|
|
|
|
## Related
|
|
|
|
- [Release channels](/install/development-channels)
|