ci: record package proof in release evidence

2026-05-13 04:48:15 +00:00 · 2026-04-27 21:58:17 +01:00 · 2026-04-27 21:58:17 +01:00 · 295d63c331
commit 295d63c331
parent 1eea534ddb
2 changed files with 17 additions and 3 deletions
--- a/.github/workflows/full-release-validation.yml
+++ b/.github/workflows/full-release-validation.yml
@ -31,6 +31,11 @@ on:
        required: false
        default: ""
        type: string
+      evidence_package_spec:
+        description: Optional published package spec to prove in the private release evidence report
+        required: false
+        default: ""
+        type: string
      npm_telegram_provider_mode:
        description: Provider mode for the optional post-publish Telegram E2E lane
        required: false
@ -83,6 +88,7 @@ jobs:
          TARGET_SHA: ${{ steps.resolve.outputs.sha }}
          CHILD_WORKFLOW_REF: ${{ github.ref_name }}
          NPM_TELEGRAM_PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
+          EVIDENCE_PACKAGE_SPEC: ${{ inputs.evidence_package_spec }}
        run: |
          {
            echo "## Full release validation"
@ -97,6 +103,9 @@ jobs:
            else
              echo "- Post-publish Telegram E2E: skipped because no published package spec was provided"
            fi
+            if [[ -n "${EVIDENCE_PACKAGE_SPEC// }" ]]; then
+              echo "- Private evidence package proof: \`${EVIDENCE_PACKAGE_SPEC}\`"
+            fi
          } >> "$GITHUB_STEP_SUMMARY"

  normal_ci:
@ -352,7 +361,7 @@ jobs:
        env:
          RELEASE_PRIVATE_DISPATCH_TOKEN: ${{ secrets.OPENCLAW_RELEASES_PRIVATE_DISPATCH_TOKEN }}
          TARGET_REF: ${{ inputs.ref }}
-          PACKAGE_SPEC: ${{ inputs.npm_telegram_package_spec }}
+          PACKAGE_SPEC: ${{ inputs.evidence_package_spec || inputs.npm_telegram_package_spec }}
          GITHUB_RUN_ID_VALUE: ${{ github.run_id }}
        run: |
          set -euo pipefail
--- a/docs/reference/RELEASING.md
+++ b/docs/reference/RELEASING.md
@ -103,7 +103,10 @@ the maintainer-only release runbook.
  `OpenClaw Release Checks` for install smoke, package acceptance, Docker
  release-path suites, live/E2E, OpenWebUI, QA Lab parity, Matrix, and Telegram
  lanes. Provide `npm_telegram_package_spec` only after a package has been
-  published and the post-publish Telegram E2E should run too. Example:
+  published and the post-publish Telegram E2E should run too. Provide
+  `evidence_package_spec` when the private evidence report should prove that the
+  validation matches a published npm package without forcing Telegram E2E.
+  Example:
  `gh workflow run full-release-validation.yml --ref main -f ref=release/YYYY.M.D`
 - Run the manual `Package Acceptance` workflow when you want side-channel proof
  for a package candidate while release work continues. Use `source=npm` for
@ -233,7 +236,8 @@ gh workflow run full-release-validation.yml \
  --ref main \
  -f ref=release/YYYY.M.D \
  -f provider=openai \
-  -f mode=both
+  -f mode=both \
+  -f evidence_package_spec=openclaw@YYYY.M.D-beta.N
 ```

 The workflow resolves the target ref, dispatches manual `CI` with
@ -273,6 +277,7 @@ gh workflow run full-release-validation.yml \
  -f ref=release/YYYY.M.D \
  -f provider=openai \
  -f mode=both \
+  -f evidence_package_spec=openclaw@YYYY.M.D-beta.N \
  -f npm_telegram_package_spec=openclaw@YYYY.M.D-beta.N \
  -f npm_telegram_provider_mode=mock-openai
 ```