mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-10 19:36:12 +00:00
* feat(release): add npm stable publication * fix(release): allow stable full validation * feat(release): add stable guard test bypass * fix(release): allow stable maintenance after month rollover * docs: refresh release documentation map * refactor(release): rename monthly channel to extended-stable * fix(release): repair extended-stable selector forward * docs(release): fix extended-stable link
152 lines
6.3 KiB
TypeScript
152 lines
6.3 KiB
TypeScript
import { readFileSync } from "node:fs";
|
|
import { describe, expect, it } from "vitest";
|
|
import { parse } from "yaml";
|
|
|
|
const workflowPath = ".github/workflows/openclaw-npm-release.yml";
|
|
|
|
type Step = { env?: Record<string, string>; id?: string; if?: string; name?: string; run?: string };
|
|
type Job = { environment?: string; steps?: Step[] };
|
|
type Workflow = {
|
|
on?: {
|
|
workflow_dispatch?: {
|
|
inputs?: {
|
|
bypass_extended_stable_guard?: { default?: boolean; type?: string };
|
|
npm_dist_tag?: { options?: string[] };
|
|
};
|
|
};
|
|
};
|
|
jobs?: Record<string, Job>;
|
|
};
|
|
|
|
function workflow(): Workflow {
|
|
return parse(readFileSync(workflowPath, "utf8")) as Workflow;
|
|
}
|
|
|
|
function step(job: Job | undefined, name: string): Step {
|
|
const found = job?.steps?.find((candidate) => candidate.name === name);
|
|
if (!found) {
|
|
throw new Error(`Missing workflow step: ${name}`);
|
|
}
|
|
return found;
|
|
}
|
|
|
|
describe("minimal npm extended-stable workflow", () => {
|
|
it("adds extended-stable without adding policy or verifier contracts", () => {
|
|
const raw = readFileSync(workflowPath, "utf8");
|
|
const parsed = workflow();
|
|
expect(parsed.on?.workflow_dispatch?.inputs?.npm_dist_tag?.options).toEqual([
|
|
"alpha",
|
|
"beta",
|
|
"latest",
|
|
"extended-stable",
|
|
]);
|
|
for (const forbidden of [
|
|
"release-policy",
|
|
"policyMode",
|
|
"release-operation-verifier",
|
|
"external_contract_revision",
|
|
"stable-lines.json",
|
|
]) {
|
|
expect(raw).not.toContain(forbidden);
|
|
}
|
|
});
|
|
|
|
it("reuses the v1 preflight tarball and guards all three extended-stable gates", () => {
|
|
const parsed = workflow();
|
|
const raw = readFileSync(workflowPath, "utf8");
|
|
expect(raw).toContain("version: 1");
|
|
expect(raw).toContain("openclaw-npm-preflight-${{ inputs.tag }}");
|
|
expect(raw.match(/openclaw-npm-extended-stable-release\.mjs validate-request/g)).toHaveLength(
|
|
3,
|
|
);
|
|
expect(step(parsed.jobs?.preflight_openclaw_npm, "Validate npm release request").run).toContain(
|
|
"openclaw-npm-extended-stable-release.mjs validate-request",
|
|
);
|
|
expect(
|
|
step(parsed.jobs?.validate_publish_request, "Validate npm release request").run,
|
|
).toContain("openclaw-npm-extended-stable-release.mjs validate-request");
|
|
expect(step(parsed.jobs?.publish_openclaw_npm, "Recheck npm release request").run).toContain(
|
|
"openclaw-npm-extended-stable-release.mjs validate-request",
|
|
);
|
|
expect(
|
|
parsed.jobs?.validate_publish_request?.steps?.map((candidate) => candidate.name),
|
|
).not.toContain("Setup Node environment");
|
|
});
|
|
|
|
it("threads an explicit, default-off extended-stable bypass through every policy gate", () => {
|
|
const parsed = workflow();
|
|
const input = parsed.on?.workflow_dispatch?.inputs?.bypass_extended_stable_guard;
|
|
expect(input).toMatchObject({ default: false, type: "boolean" });
|
|
|
|
const policySteps = [
|
|
step(parsed.jobs?.preflight_openclaw_npm, "Validate npm release request"),
|
|
step(parsed.jobs?.validate_publish_request, "Validate npm release request"),
|
|
step(parsed.jobs?.publish_openclaw_npm, "Recheck npm release request"),
|
|
step(parsed.jobs?.publish_openclaw_npm, "Publish"),
|
|
];
|
|
for (const policyStep of policySteps) {
|
|
expect(policyStep.env?.BYPASS_EXTENDED_STABLE_GUARD).toBe(
|
|
"${{ inputs.bypass_extended_stable_guard }}",
|
|
);
|
|
}
|
|
const trustedRef = step(
|
|
parsed.jobs?.validate_publish_request,
|
|
"Require trusted workflow ref for publish",
|
|
);
|
|
expect(trustedRef.env?.BYPASS_EXTENDED_STABLE_GUARD).toBeUndefined();
|
|
expect(trustedRef.run).not.toContain("BYPASS_EXTENDED_STABLE_GUARD");
|
|
expect(trustedRef.run).toContain('"${WORKFLOW_REF}" == refs/heads/extended-stable/*');
|
|
|
|
const summary = step(
|
|
parsed.jobs?.publish_openclaw_npm,
|
|
"Summarize extended-stable npm publication",
|
|
);
|
|
expect(summary.env?.BYPASS_EXTENDED_STABLE_GUARD).toBe(
|
|
"${{ inputs.bypass_extended_stable_guard }}",
|
|
);
|
|
expect(summary.run).toContain("Extended-stable guard bypass: ${BYPASS_EXTENDED_STABLE_GUARD}");
|
|
});
|
|
|
|
it("authenticates exact extended-stable run and Full Validation identities", () => {
|
|
const raw = readFileSync(workflowPath, "utf8");
|
|
expect(raw).toContain("--json workflowName,headBranch,headSha,event,conclusion,url");
|
|
expect(raw).toContain("--json workflowName,headBranch,headSha,event,status,conclusion,url");
|
|
expect(raw.match(/openclaw-npm-extended-stable-release\.mjs verify-run/g)).toHaveLength(2);
|
|
expect(raw).toContain("openclaw-npm-extended-stable-release.mjs verify-manifest");
|
|
});
|
|
|
|
it("captures selector fail closed, publishes extended-stable, retries, and summarizes", () => {
|
|
const parsed = workflow();
|
|
const publish = parsed.jobs?.publish_openclaw_npm;
|
|
const capture = step(publish, "Capture previous extended-stable selector");
|
|
const readback = step(publish, "Verify extended-stable registry readback");
|
|
const summary = step(publish, "Summarize extended-stable npm publication");
|
|
expect(capture.run).toContain("openclaw-npm-extended-stable-release.mjs capture-selector");
|
|
expect(step(publish, "Publish").run).toContain("openclaw-npm-publish.sh");
|
|
expect(readback.run).toContain("openclaw-npm-extended-stable-release.mjs verify-readback");
|
|
expect(summary.if).toContain("always()");
|
|
expect(summary.run).toContain("openclaw-npm-extended-stable-release.mjs repair-command");
|
|
expect(summary.run).toContain('EXPECTED_VERSION="$RELEASE_TAG"');
|
|
expect(publish?.environment).toBe("npm-release");
|
|
});
|
|
|
|
it("publishes only the tarball path verified from the preflight manifest", () => {
|
|
const publish = workflow().jobs?.publish_openclaw_npm;
|
|
const provenance = step(publish, "Verify prepared tarball provenance");
|
|
const publishStep = step(publish, "Publish");
|
|
expect(provenance.run).toContain(
|
|
'ARTIFACT_TARBALL_PATH="preflight-tarball/$ARTIFACT_TARBALL_NAME"',
|
|
);
|
|
expect(provenance.run).toContain('echo "tarball_path=$ARTIFACT_TARBALL_PATH"');
|
|
expect(publishStep.env?.PUBLISH_TARBALL_PATH).toBe(
|
|
"${{ steps.preflight_provenance.outputs.tarball_path }}",
|
|
);
|
|
expect(publish?.steps?.map((candidate) => candidate.name)).not.toContain(
|
|
"Resolve publish tarball",
|
|
);
|
|
expect(readFileSync(workflowPath, "utf8")).not.toContain(
|
|
"find preflight-tarball -type f -name '*.tgz'",
|
|
);
|
|
});
|
|
});
|