Files
openclaw/test/scripts/openclaw-npm-extended-stable-workflow.test.ts
Kevin Lin ba7b5db74c feat(release): add monthly npm extended-stable publication (#99352)
* feat(release): add npm stable publication

* fix(release): allow stable full validation

* feat(release): add stable guard test bypass

* fix(release): allow stable maintenance after month rollover

* docs: refresh release documentation map

* refactor(release): rename monthly channel to extended-stable

* fix(release): repair extended-stable selector forward

* docs(release): fix extended-stable link
2026-07-04 08:22:39 -07:00

152 lines
6.3 KiB
TypeScript

import { readFileSync } from "node:fs";
import { describe, expect, it } from "vitest";
import { parse } from "yaml";
const workflowPath = ".github/workflows/openclaw-npm-release.yml";
type Step = { env?: Record<string, string>; id?: string; if?: string; name?: string; run?: string };
type Job = { environment?: string; steps?: Step[] };
type Workflow = {
on?: {
workflow_dispatch?: {
inputs?: {
bypass_extended_stable_guard?: { default?: boolean; type?: string };
npm_dist_tag?: { options?: string[] };
};
};
};
jobs?: Record<string, Job>;
};
function workflow(): Workflow {
return parse(readFileSync(workflowPath, "utf8")) as Workflow;
}
function step(job: Job | undefined, name: string): Step {
const found = job?.steps?.find((candidate) => candidate.name === name);
if (!found) {
throw new Error(`Missing workflow step: ${name}`);
}
return found;
}
describe("minimal npm extended-stable workflow", () => {
it("adds extended-stable without adding policy or verifier contracts", () => {
const raw = readFileSync(workflowPath, "utf8");
const parsed = workflow();
expect(parsed.on?.workflow_dispatch?.inputs?.npm_dist_tag?.options).toEqual([
"alpha",
"beta",
"latest",
"extended-stable",
]);
for (const forbidden of [
"release-policy",
"policyMode",
"release-operation-verifier",
"external_contract_revision",
"stable-lines.json",
]) {
expect(raw).not.toContain(forbidden);
}
});
it("reuses the v1 preflight tarball and guards all three extended-stable gates", () => {
const parsed = workflow();
const raw = readFileSync(workflowPath, "utf8");
expect(raw).toContain("version: 1");
expect(raw).toContain("openclaw-npm-preflight-${{ inputs.tag }}");
expect(raw.match(/openclaw-npm-extended-stable-release\.mjs validate-request/g)).toHaveLength(
3,
);
expect(step(parsed.jobs?.preflight_openclaw_npm, "Validate npm release request").run).toContain(
"openclaw-npm-extended-stable-release.mjs validate-request",
);
expect(
step(parsed.jobs?.validate_publish_request, "Validate npm release request").run,
).toContain("openclaw-npm-extended-stable-release.mjs validate-request");
expect(step(parsed.jobs?.publish_openclaw_npm, "Recheck npm release request").run).toContain(
"openclaw-npm-extended-stable-release.mjs validate-request",
);
expect(
parsed.jobs?.validate_publish_request?.steps?.map((candidate) => candidate.name),
).not.toContain("Setup Node environment");
});
it("threads an explicit, default-off extended-stable bypass through every policy gate", () => {
const parsed = workflow();
const input = parsed.on?.workflow_dispatch?.inputs?.bypass_extended_stable_guard;
expect(input).toMatchObject({ default: false, type: "boolean" });
const policySteps = [
step(parsed.jobs?.preflight_openclaw_npm, "Validate npm release request"),
step(parsed.jobs?.validate_publish_request, "Validate npm release request"),
step(parsed.jobs?.publish_openclaw_npm, "Recheck npm release request"),
step(parsed.jobs?.publish_openclaw_npm, "Publish"),
];
for (const policyStep of policySteps) {
expect(policyStep.env?.BYPASS_EXTENDED_STABLE_GUARD).toBe(
"${{ inputs.bypass_extended_stable_guard }}",
);
}
const trustedRef = step(
parsed.jobs?.validate_publish_request,
"Require trusted workflow ref for publish",
);
expect(trustedRef.env?.BYPASS_EXTENDED_STABLE_GUARD).toBeUndefined();
expect(trustedRef.run).not.toContain("BYPASS_EXTENDED_STABLE_GUARD");
expect(trustedRef.run).toContain('"${WORKFLOW_REF}" == refs/heads/extended-stable/*');
const summary = step(
parsed.jobs?.publish_openclaw_npm,
"Summarize extended-stable npm publication",
);
expect(summary.env?.BYPASS_EXTENDED_STABLE_GUARD).toBe(
"${{ inputs.bypass_extended_stable_guard }}",
);
expect(summary.run).toContain("Extended-stable guard bypass: ${BYPASS_EXTENDED_STABLE_GUARD}");
});
it("authenticates exact extended-stable run and Full Validation identities", () => {
const raw = readFileSync(workflowPath, "utf8");
expect(raw).toContain("--json workflowName,headBranch,headSha,event,conclusion,url");
expect(raw).toContain("--json workflowName,headBranch,headSha,event,status,conclusion,url");
expect(raw.match(/openclaw-npm-extended-stable-release\.mjs verify-run/g)).toHaveLength(2);
expect(raw).toContain("openclaw-npm-extended-stable-release.mjs verify-manifest");
});
it("captures selector fail closed, publishes extended-stable, retries, and summarizes", () => {
const parsed = workflow();
const publish = parsed.jobs?.publish_openclaw_npm;
const capture = step(publish, "Capture previous extended-stable selector");
const readback = step(publish, "Verify extended-stable registry readback");
const summary = step(publish, "Summarize extended-stable npm publication");
expect(capture.run).toContain("openclaw-npm-extended-stable-release.mjs capture-selector");
expect(step(publish, "Publish").run).toContain("openclaw-npm-publish.sh");
expect(readback.run).toContain("openclaw-npm-extended-stable-release.mjs verify-readback");
expect(summary.if).toContain("always()");
expect(summary.run).toContain("openclaw-npm-extended-stable-release.mjs repair-command");
expect(summary.run).toContain('EXPECTED_VERSION="$RELEASE_TAG"');
expect(publish?.environment).toBe("npm-release");
});
it("publishes only the tarball path verified from the preflight manifest", () => {
const publish = workflow().jobs?.publish_openclaw_npm;
const provenance = step(publish, "Verify prepared tarball provenance");
const publishStep = step(publish, "Publish");
expect(provenance.run).toContain(
'ARTIFACT_TARBALL_PATH="preflight-tarball/$ARTIFACT_TARBALL_NAME"',
);
expect(provenance.run).toContain('echo "tarball_path=$ARTIFACT_TARBALL_PATH"');
expect(publishStep.env?.PUBLISH_TARBALL_PATH).toBe(
"${{ steps.preflight_provenance.outputs.tarball_path }}",
);
expect(publish?.steps?.map((candidate) => candidate.name)).not.toContain(
"Resolve publish tarball",
);
expect(readFileSync(workflowPath, "utf8")).not.toContain(
"find preflight-tarball -type f -name '*.tgz'",
);
});
});