openclaw/.github/workflows/openclaw-npm-release.yml

name: OpenClaw NPM Release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag to publish (for example v2026.3.22, v2026.3.22-beta.1, or fallback v2026.3.22-1)
        required: true
        type: string
      preflight_only:
        description: Run validation/build only and skip the gated publish job
        required: true
        default: false
        type: boolean

concurrency:
  group: openclaw-npm-release-${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
  cancel-in-progress: false

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
  NODE_VERSION: "24.x"
  PNPM_VERSION: "10.23.0"

jobs:
  preflight_openclaw_npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Validate tag input format
        env:
          RELEASE_TAG: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
            echo "Invalid release tag format: ${RELEASE_TAG}"
            exit 1
          fi          

      - name: Checkout
        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0

      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}
          install-bun: "false"
          use-sticky-disk: "false"

      - name: Validate release tag and package metadata
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          RELEASE_MAIN_REF: origin/main
        run: |
          set -euo pipefail
          RELEASE_SHA=$(git rev-parse HEAD)
          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
          # Fetch the full main ref so merge-base ancestry checks keep working
          # for older tagged commits that are still contained in main.
          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
          pnpm release:openclaw:npm:check          

      - name: Ensure version is not already published
        env:
          PREFLIGHT_ONLY: ${{ inputs.preflight_only }}
        run: |
          set -euo pipefail
          PACKAGE_VERSION=$(node -p "require('./package.json').version")

          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
            if [[ "${PREFLIGHT_ONLY}" == "true" ]]; then
              echo "openclaw@${PACKAGE_VERSION} is already published on npm; continuing because preflight_only=true."
              exit 0
            fi
            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
            exit 1
          fi

          echo "Publishing openclaw@${PACKAGE_VERSION}"          

      - name: Check
        run: pnpm check

      - name: Build
        run: pnpm build

      - name: Verify release contents
        run: pnpm release:check

  validate_publish_dispatch_ref:
    if: ${{ !inputs.preflight_only }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Require main workflow ref for publish
        env:
          WORKFLOW_REF: ${{ github.ref }}
        run: |
          set -euo pipefail
          if [[ "${WORKFLOW_REF}" != "refs/heads/main" ]]; then
            echo "Real publish runs must be dispatched from main. Use preflight_only=true for branch validation."
            exit 1
          fi          

  publish_openclaw_npm:
    # npm trusted publishing + provenance requires a GitHub-hosted runner.
    needs: [preflight_openclaw_npm, validate_publish_dispatch_ref]
    if: ${{ !inputs.preflight_only }}
    runs-on: ubuntu-latest
    environment: npm-release
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Validate tag input format
        env:
          RELEASE_TAG: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*((-beta\.[1-9][0-9]*)|(-[1-9][0-9]*))?$ ]]; then
            echo "Invalid release tag format: ${RELEASE_TAG}"
            exit 1
          fi          

      - name: Checkout
        uses: actions/checkout@v6
        with:
          ref: refs/tags/${{ inputs.tag }}
          fetch-depth: 0

      - name: Setup Node environment
        uses: ./.github/actions/setup-node-env
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}
          install-bun: "false"
          use-sticky-disk: "false"

      - name: Validate release tag and package metadata
        env:
          RELEASE_TAG: ${{ inputs.tag }}
          RELEASE_MAIN_REF: origin/main
        run: |
          set -euo pipefail
          RELEASE_SHA=$(git rev-parse HEAD)
          export RELEASE_SHA RELEASE_TAG RELEASE_MAIN_REF
          # Fetch the full main ref so merge-base ancestry checks keep working
          # for older tagged commits that are still contained in main.
          git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
          pnpm release:openclaw:npm:check          

      - name: Ensure version is not already published
        run: |
          set -euo pipefail
          PACKAGE_VERSION=$(node -p "require('./package.json').version")

          if npm view "openclaw@${PACKAGE_VERSION}" version >/dev/null 2>&1; then
            echo "openclaw@${PACKAGE_VERSION} is already published on npm."
            exit 1
          fi

          echo "Publishing openclaw@${PACKAGE_VERSION}"          

      - name: Publish
        run: bash scripts/openclaw-npm-publish.sh --publish