mirror of https://github.com/openclaw/openclaw.git
239 lines
8.1 KiB
YAML
239 lines
8.1 KiB
YAML
name: OpenClaw NPM Release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: Release tag to publish (for example v2026.3.22, v2026.3.22-beta.1, or fallback v2026.3.22-1)
|
|
required: true
|
|
type: string
|
|
preflight_only:
|
|
description: Run validation/build only and skip the gated publish job
|
|
required: true
|
|
default: false
|
|
type: boolean
|
|
preflight_run_id:
|
|
description: Existing preflight workflow run id to promote without rebuilding
|
|
required: false
|
|
type: string
|
|
|
|
concurrency:
|
|
group: openclaw-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
|
|
NODE_VERSION: "24.x"
|
|
PNPM_VERSION: "10.23.0"
|
|
|
|
jobs:
|
|
preflight_openclaw_npm:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Validate tag input format
|
|
env:
|
|
RELEASE_TAG: ${{ inputs.tag }}
|
|
run: |
|
|
set -euo pipefail
|
|
if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
|
|
echo "Invalid release tag format: ${RELEASE_TAG}"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v6
|
|
with:
|
|
ref: refs/tags/${{ inputs.tag }}
|
|
fetch-depth: 0
|
|
|
|
- name: Setup Node environment
|
|
uses: ./.github/actions/setup-node-env
|
|
with:
|
|
node-version: ${{ env.NODE_VERSION }}
|
|
pnpm-version: ${{ env.PNPM_VERSION }}
|
|
install-bun: "false"
|
|
use-sticky-disk: "false"
|
|
|
|
- name: Ensure version is not already published
|
|
env:
|
|
PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
|
|
run: |
|
|
set -euo pipefail
|
|
PACKAGE_VERSION=$(node -p "require('./package.json').version")
|
|
|
|
if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
|
|
if [[ "${PREFLIGHT_ONLY}" == "true" ]]; then
|
|
echo "openclaw@${PACKAGE_VERSION} is already published on npm; continuing because preflight_only=true."
|
|
exit 0
|
|
fi
|
|
echo "openclaw@${PACKAGE_VERSION} is already published on npm."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Publishing openclaw@${PACKAGE_VERSION}"
|
|
|
|
- name: Check
|
|
env:
|
|
OPENCLAW_LOCAL_CHECK: "0"
|
|
run: pnpm check
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
|
|
- name: Build Control UI
|
|
run: pnpm ui:build
|
|
|
|
- name: Validate release tag and package metadata
|
|
env:
|
|
RELEASE_TAG: ${{ inputs.tag }}
|
|
RELEASE_MAIN_REF: origin/main
|
|
run: |
|
|
set -euo pipefail
|
|
RELEASE_SHA=$(git rev-parse HEAD)
|
|
export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
|
|
# Fetch the full main ref so merge-base ancestry checks keep working
|
|
# for older tagged commits that are still contained in main.
|
|
git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
|
|
pnpm release:openclaw:npm:check
|
|
|
|
- name: Verify release contents
|
|
run: pnpm release:check
|
|
|
|
- name: Pack prepared npm tarball
|
|
id: packed_tarball
|
|
env:
|
|
OPENCLAW_PREPACK_PREPARED: "1"
|
|
run: |
|
|
set -euo pipefail
|
|
PACK_JSON="$(npm pack --json)"
|
|
echo "$PACK_JSON"
|
|
PACK_PATH="$(printf '%s\n' "$PACK_JSON" | node -e 'const chunks=[]; process.stdin.on("data", (chunk) => chunks.push(chunk)); process.stdin.on("end", () => { const parsed = JSON.parse(Buffer.concat(chunks).toString("utf8")); const first = Array.isArray(parsed) ? parsed[0] : null; if (!first || typeof first.filename !== "string" || !first.filename) { process.exit(1); } process.stdout.write(first.filename); });')"
|
|
if [[ -z "$PACK_PATH" || ! -f "$PACK_PATH" ]]; then
|
|
echo "npm pack did not produce a tarball file." >&2
|
|
exit 1
|
|
fi
|
|
echo "path=$PACK_PATH" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload prepared npm tarball
|
|
uses: actions/upload-artifact@v7
|
|
with:
|
|
name: openclaw-npm-preflight-${{ inputs.tag }}
|
|
path: ${{ steps.packed_tarball.outputs.path }}
|
|
if-no-files-found: error
|
|
|
|
validate_publish_dispatch_ref:
|
|
if: ${{ !inputs.preflight_only }}
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Require main workflow ref for publish
|
|
env:
|
|
WORKFLOW_REF: ${{ github.ref }}
|
|
run: |
|
|
set -euo pipefail
|
|
if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]]; then
|
|
echo "Real publish runs must be dispatched from main. Use preflight_only=true for branch validation."
|
|
exit 1
|
|
fi
|
|
|
|
publish_openclaw_npm:
|
|
# npm trusted publishing + provenance requires a GitHub-hosted runner.
|
|
needs: [preflight_openclaw_npm, validate_publish_dispatch_ref]
|
|
if: ${{ !inputs.preflight_only }}
|
|
runs-on: ubuntu-latest
|
|
environment: npm-release
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
id-token: write
|
|
steps:
|
|
- name: Validate tag input format
|
|
env:
|
|
RELEASE_TAG: ${{ inputs.tag }}
|
|
run: |
|
|
set -euo pipefail
|
|
if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
|
|
echo "Invalid release tag format: ${RELEASE_TAG}"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v6
|
|
with:
|
|
ref: refs/tags/${{ inputs.tag }}
|
|
fetch-depth: 0
|
|
|
|
- name: Setup Node environment
|
|
uses: ./.github/actions/setup-node-env
|
|
with:
|
|
node-version: ${{ env.NODE_VERSION }}
|
|
pnpm-version: ${{ env.PNPM_VERSION }}
|
|
install-bun: "false"
|
|
use-sticky-disk: "false"
|
|
|
|
- name: Ensure version is not already published
|
|
run: |
|
|
set -euo pipefail
|
|
PACKAGE_VERSION=$(node -p "require('./package.json').version")
|
|
|
|
if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
|
|
echo "openclaw@${PACKAGE_VERSION} is already published on npm."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Publishing openclaw@${PACKAGE_VERSION}"
|
|
|
|
- name: Download prepared npm tarball
|
|
if: ${{ inputs.preflight_run_id != '' }}
|
|
uses: actions/download-artifact@v8
|
|
with:
|
|
name: openclaw-npm-preflight-${{ inputs.tag }}
|
|
path: preflight-tarball
|
|
repository: ${{ github.repository }}
|
|
run-id: ${{ inputs.preflight_run_id }}
|
|
github-token: ${{ github.token }}
|
|
|
|
- name: Build
|
|
if: ${{ inputs.preflight_run_id == '' }}
|
|
run: pnpm build
|
|
|
|
- name: Build Control UI
|
|
if: ${{ inputs.preflight_run_id == '' }}
|
|
run: pnpm ui:build
|
|
|
|
- name: Validate release tag and package metadata
|
|
env:
|
|
RELEASE_TAG: ${{ inputs.tag }}
|
|
RELEASE_MAIN_REF: origin/main
|
|
run: |
|
|
set -euo pipefail
|
|
RELEASE_SHA=$(git rev-parse HEAD)
|
|
export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
|
|
# Fetch the full main ref so merge-base ancestry checks keep working
|
|
# for older tagged commits that are still contained in main.
|
|
git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
|
|
pnpm release:openclaw:npm:check
|
|
|
|
- name: Resolve publish tarball
|
|
id: publish_tarball
|
|
if: ${{ inputs.preflight_run_id != '' }}
|
|
run: |
|
|
set -euo pipefail
|
|
TARBALL_PATH="$(find preflight-tarball -maxdepth 1 -type f -name '*.tgz' -print | sort | tail -n 1)"
|
|
if [[ -z "$TARBALL_PATH" ]]; then
|
|
echo "Prepared preflight tarball not found." >&2
|
|
ls -la preflight-tarball >&2 || true
|
|
exit 1
|
|
fi
|
|
echo "path=$TARBALL_PATH" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Publish
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
OPENCLAW_PREPACK_PREPARED: "1"
|
|
run: bash scripts/openclaw-npm-publish.sh --publish "${{ steps.publish_tarball.outputs.path }}"
|