ci: switch npm release workflow to trusted publishing

Onur Solmaz 2026-03-14 13:12:27 +01:00 committed by Onur
parent 61a7f2e7c3
commit 00891dee90
3 changed files with 12 additions and 14 deletions


@ -26,7 +26,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
id-token: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v6
@ -57,7 +56,6 @@ jobs:
echo "Would run: pnpm check" echo "Would run: pnpm check"
echo "Would run: pnpm build" echo "Would run: pnpm build"
echo "Would run: pnpm release:check" echo "Would run: pnpm release:check"
bash scripts/openclaw-npm-publish.sh --dry-run
- name: Validate release tag and package metadata - name: Validate release tag and package metadata
env: env:
@ -111,6 +109,16 @@ jobs:
contents: read contents: read
id-token: write id-token: write
steps: steps:
- name: Validate tag input format
env:
RELEASE_TAG: ${{ inputs.tag }}
run: |
set -euo pipefail
if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
echo "Invalid release tag format: ${RELEASE_TAG}"
exit 1
fi
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v6
with: with:
@ -161,6 +169,4 @@ jobs:
run: pnpm release:check run: pnpm release:check
- name: Publish - name: Publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: bash scripts/openclaw-npm-publish.sh --publish run: bash scripts/openclaw-npm-publish.sh --publish
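Review bot: The tag regex in the new `Validate tag input format` step (hunk `@ -111,6 +109,16`), `^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$`, rejects any zero-valued component (`v2026.3.0`, `-beta.0`); if such tags are never produced that is fine, but the constraint is implicit, so a comment above the step such as `# Accepted tag shape: vYYYY.MINOR.PATCH[-beta.N], every component non-zero; keep in sync with release:check` would make the intent reviewable. Passing the input through `env: RELEASE_TAG` instead of interpolating `${{ inputs.tag }}` into the script is the right pattern for a `workflow_dispatch` input, and running the check before checkout keeps an unvalidated tag from reaching later steps. The hunk at `@ -161,6 +169,4` leaves the `Publish` step with no auth env at all, which is correct for trusted publishing but reads like an omission; a one-line comment there, e.g. `# Auth via npm trusted publishing (GitHub OIDC, needs id-token: write); do not add NPM_TOKEN`, would stop someone from re-adding the secret the first time the OIDC exchange fails. Both jobs' step lists continue outside the shown hunks.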


@ -94,6 +94,7 @@ Historical note:
- [ ] Confirm git status is clean; commit and push as needed. - [ ] Confirm git status is clean; commit and push as needed.
- [ ] Confirm npm trusted publishing is configured for the `openclaw` package. - [ ] Confirm npm trusted publishing is configured for the `openclaw` package.
- [ ] Do not rely on an `NPM_TOKEN` secret for this workflow; the publish job uses GitHub OIDC trusted publishing.
- [ ] Push the matching git tag to trigger the preview run in `.github/workflows/openclaw-npm-release.yml`. - [ ] Push the matching git tag to trigger the preview run in `.github/workflows/openclaw-npm-release.yml`.
- [ ] Run `OpenClaw NPM Release` manually with the same tag to publish after `npm-release` environment approval. - [ ] Run `OpenClaw NPM Release` manually with the same tag to publish after `npm-release` environment approval.
- Stable tags publish to npm `latest`. - Stable tags publish to npm `latest`.


@ -20,16 +20,7 @@ fi
echo "Resolved package version: ${package_version}" echo "Resolved package version: ${package_version}"
echo "Resolved release channel: ${release_channel}" echo "Resolved release channel: ${release_channel}"
echo "Publish auth: GitHub OIDC trusted publishing"
if [[ -n "${NODE_AUTH_TOKEN:-}" ]]; then
if [[ "${mode}" == "--dry-run" ]]; then
echo 'Would write npm auth config to $HOME/.npmrc using NODE_AUTH_TOKEN'
else
printf '//registry.npmjs.org/:_authToken=%s\n' "${NODE_AUTH_TOKEN}" > "${HOME}/.npmrc"
fi
else
echo 'No NODE_AUTH_TOKEN set in this environment'
fi
printf 'Publish command:' printf 'Publish command:'
printf ' %q' "${publish_cmd[@]}" printf ' %q' "${publish_cmd[@]}"
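Review bot: The new `echo "Publish auth: GitHub OIDC trusted publishing"` is printed unconditionally, but after removing the `.npmrc` handling nothing in the script prevents a leftover `NODE_AUTH_TOKEN` in the environment (or a pre-existing `~/.npmrc`) from being picked up by npm, so the log could claim OIDC while a token is actually used. A guard before the echo makes the auth path explicit: `[[ -z "${NODE_AUTH_TOKEN:-}" ]] || { echo 'NODE_AUTH_TOKEN is set; this script publishes via OIDC trusted publishing only' >&2; exit 1; }` (a warning instead of `exit 1` if some environment must still tolerate the variable). Whether npm prefers a configured token over the OIDC exchange cannot be determined from this hunk, so confirm against the npm CLI version the workflow uses. The `mode` and `publish_cmd` variables referenced here are defined outside the hunk.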