diff --git a/.agents/skills/release-openclaw-maintainer/SKILL.md b/.agents/skills/release-openclaw-maintainer/SKILL.md index 661c7695a67..2bf11c26ce5 100644 --- a/.agents/skills/release-openclaw-maintainer/SKILL.md +++ b/.agents/skills/release-openclaw-maintainer/SKILL.md @@ -10,12 +10,15 @@ Use this skill for release and publish-time workflow. Load `$release-private` if ## Respect release guardrails - Do not change version numbers without explicit operator approval. +- Versions use `YYYY.M.PATCH`, where `PATCH` is the sequential release-train number within the month, not the calendar day. +- Choose a new beta train from stable and beta releases only. Alpha-only tags do not consume or advance the beta/stable patch number. Continue the highest existing unpublished/published beta train with the next `beta.N` when appropriate; otherwise increment the highest stable/beta patch by one and start at `beta.1`. +- Example: after stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even if automated alpha-only tags such as `2026.6.10-alpha.1` exist. - Ask permission before any npm publish or release step. - This skill should be sufficient to drive the normal release flow end-to-end. - Use the private maintainer release docs for credentials, recovery steps, and mac signing/notary specifics, and use `docs/reference/RELEASING.md` for public policy. - Core `openclaw` publish is manual `workflow_dispatch`; creating or pushing a tag does not publish by itself. - Normal release work happens on a branch cut from `main`, not directly on - `main`. Use `release/YYYY.M.D` for the branch name. + `main`. Use `release/YYYY.M.PATCH` for the branch name. - If the operator asks for a release without saying stable/full, default to beta only. Continue from beta to stable only when the operator explicitly asks for the full release or an automated beta-and-stable train. @@ -92,7 +95,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if ## Keep release channel naming aligned - `stable`: tagged releases only, published to npm `beta` by default; operators may target npm `latest` explicitly or promote later -- `beta`: prerelease tags like `vYYYY.M.D-beta.N`, with npm dist-tag `beta` +- `beta`: prerelease tags like `vYYYY.M.PATCH-beta.N`, with npm dist-tag `beta` - Prefer `-beta.N`; do not mint new `-1` or `-2` beta suffixes - `dev`: moving head on `main` - When using a beta Git tag, publish npm with the matching beta version suffix so the plain version is not consumed or blocked @@ -108,7 +111,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if - `docs/install/updating.md` - Peekaboo Xcode project and plist version fields - Before creating a release tag, make every version location above match the version encoded by that tag. -- For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`. +- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version locations still stay at `YYYY.M.PATCH`. - “Bump version everywhere” means all version locations above except `appcast.xml`. - Release signing and notary credentials live outside the repo in the private maintainer docs. - Every stable OpenClaw release ships the npm package, macOS app, and signed @@ -129,19 +132,19 @@ Use this skill for release and publish-time workflow. Load `$release-private` if tagged commit when the delta is mac packaging, signing, workflow, or validation-only release machinery. If mac packaging needs release-branch-only fixes after the stable npm package or GitHub tag is already published, do not - create a `vYYYY.M.D-N` correction tag just to change the workflow source. - Dispatch the private mac workflows for the original `tag=vYYYY.M.D` with - `source_ref=release/YYYY.M.D` and `public_release_branch=release/YYYY.M.D`; + create a `vYYYY.M.PATCH-N` correction tag just to change the workflow source. + Dispatch the private mac workflows for the original `tag=vYYYY.M.PATCH` with + `source_ref=release/YYYY.M.PATCH` and `public_release_branch=release/YYYY.M.PATCH`; provenance checks must prove the source SHA descends from the tag and - validation/preflight use the same source. Reserve `vYYYY.M.D-N` correction + validation/preflight use the same source. Reserve `vYYYY.M.PATCH-N` correction tags for emergency hotfixes that must publish a new npm package/release identity, not for ordinary mac-only packaging recovery. - The production Sparkle feed lives at `https://raw.githubusercontent.com/openclaw/openclaw/main/appcast.xml`, and the canonical published file is `appcast.xml` on `main` in the `openclaw` repo. - That shared production Sparkle feed is stable-only. Beta mac releases may upload assets to the GitHub prerelease, but they must not replace the shared `appcast.xml` unless a separate beta feed exists. -- For fallback correction tags like `vYYYY.M.D-N`, the repo version still stays - at `YYYY.M.D`, but the mac release must use a strictly higher numeric +- For fallback correction tags like `vYYYY.M.PATCH-N`, the repo version still stays + at `YYYY.M.PATCH`, but the mac release must use a strictly higher numeric `APP_BUILD` / Sparkle build than the original release so existing installs see it as newer. - Stable Windows Hub release closeout requires the signed @@ -151,7 +154,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if workflow after the matching `openclaw/openclaw-windows-node` release exists; it verifies Authenticode signatures on Windows before uploading assets. - Website Windows Hub download links should target exact canonical - `openclaw/openclaw/releases/download/vYYYY.M.D/...` assets for the current + `openclaw/openclaw/releases/download/vYYYY.M.PATCH/...` assets for the current stable release, or `releases/latest/download/...` only after verifying the redirect resolves to that same tag, so the installable signed Windows artifact is visible from both the GitHub release page and openclaw.ai. @@ -165,7 +168,7 @@ Use this skill for release and publish-time workflow. Load `$release-private` if beta release tag as the base, then inspect every commit through the target release SHA. - The changelog rewrite is not optional for beta reruns: any `beta.N` after a - rebase or backport must refresh the same stable-base `## YYYY.M.D` section + rebase or backport must refresh the same stable-base `## YYYY.M.PATCH` section before the new version/tag commit. - Include both merged PR commits and direct commits on `main`. Direct commits matter: infer notes from their subject, body, touched files, linked issues, @@ -188,11 +191,11 @@ Use this skill for release and publish-time workflow. Load `$release-private` if - Changelog entries should be user-facing, not internal release-process notes. - GitHub release and prerelease bodies must use the full matching `CHANGELOG.md` version section, not highlights or an excerpt. When creating - or editing a release, extract from `## YYYY.M.D` through the line before the + or editing a release, extract from `## YYYY.M.PATCH` through the line before the next level-2 heading and use that complete block as the release notes. - To update an existing GitHub Release body, resolve the numeric release id and patch that resource with the notes file as the `body` field: - `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.D --jq .id`, then + `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.PATCH --jq .id`, then `gh api -X PATCH repos/openclaw/openclaw/releases/ -F body=@/tmp/notes.md`. Do not trust `gh release edit --notes-file` or `--input` JSON if verification disagrees; verify with `gh api repos/openclaw/openclaw/releases/` because @@ -205,10 +208,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if record's `docsPath` or `/plugins/compatibility` when no more specific deprecation page exists. - When cutting a mac release with a beta GitHub prerelease: - - tag `vYYYY.M.D-beta.N` from the release commit - - create a prerelease titled `openclaw YYYY.M.D-beta.N` + - tag `vYYYY.M.PATCH-beta.N` from the release commit + - create a prerelease titled `openclaw YYYY.M.PATCH-beta.N` - use release notes from the stable base `CHANGELOG.md` version section - (`## YYYY.M.D`), not a beta-specific heading + (`## YYYY.M.PATCH`), not a beta-specific heading - attach at least the zip and dSYM zip, plus dmg if available - Keep the top version entries in `CHANGELOG.md` sorted by impact: - `### Changes` first @@ -218,10 +221,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if Use the OpenClaw account's existing release-post style: -- Format: `OpenClaw YYYY.M.D 🦞` or `🦞 OpenClaw YYYY.M.D is live`, blank line, +- Format: `OpenClaw YYYY.M.PATCH 🦞` or `🦞 OpenClaw YYYY.M.PATCH is live`, blank line, then 3-4 emoji-led bullets, blank line, one short punchline, then the release link. -- For beta: say `OpenClaw YYYY.M.D-beta.N 🦞` or `OpenClaw YYYY.M.D beta N is +- For beta: say `OpenClaw YYYY.M.PATCH-beta.N 🦞` or `OpenClaw YYYY.M.PATCH beta N is live`; keep it clearly beta and avoid implying stable promotion. - Lead with user-visible capabilities, then important integrations, then reliability/security/install fixes. Compress "lots of fixes" into one @@ -332,8 +335,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts ``` - This verifies the published registry install path in a fresh temp prefix. -- For stable correction releases like `YYYY.M.D-N`, it also verifies the - upgrade path from `YYYY.M.D` to `YYYY.M.D-N` so a correction publish cannot +- For stable correction releases like `YYYY.M.PATCH-N`, it also verifies the + upgrade path from `YYYY.M.PATCH` to `YYYY.M.PATCH-N` so a correction publish cannot silently leave existing global installs on the old base stable payload. - Treat install smoke as a pack-budget gate too. `pnpm test:install:smoke` now fails the candidate update tarball when npm reports an oversized @@ -480,7 +483,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts `npm login --auth-type=legacy`, then confirm `npm whoami` reports `steipete`. - Promote with a fresh OTP: - `npm dist-tag add openclaw@YYYY.M.D latest --otp "$OTP"`. + `npm dist-tag add openclaw@YYYY.M.PATCH latest --otp "$OTP"`. - Verify with a cache-bypassed registry read, for example: `npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$` and `npm view openclaw@latest version dist.tarball --json --prefer-online`. @@ -506,7 +509,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts the npm version is already published. - npm validation-only preflight may still be dispatched from ordinary branches when testing workflow changes before merge. Release checks and real publish - use only `main` or `release/YYYY.M.D`. + use only `main` or `release/YYYY.M.PATCH`. - `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a public validation-only handoff. It validates the tag/release state and points operators to the private repo. It still rebuilds the JS outputs needed for @@ -531,7 +534,7 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts waives the full gate; mac beta validation is still only required when requested. - Real publish runs may be dispatched from `main` or from a - `release/YYYY.M.D` branch. For release-branch runs, the tag must be contained + `release/YYYY.M.PATCH` branch. For release-branch runs, the tag must be contained in that release branch, and the real publish must reuse a successful preflight from the same branch. - The release workflows stay tag-based; rely on the documented release sequence @@ -599,8 +602,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts 4. Pull latest `main` and confirm current `main` CI is green. 5. Run `/changelog` for the stable base target version on `main`, commit the changelog rewrite immediately, push, and pull/rebase. For beta releases, - keep the changelog heading as `## YYYY.M.D`, not `## YYYY.M.D-beta.N`. -6. Create `release/YYYY.M.D` from that post-changelog `main` commit. + keep the changelog heading as `## YYYY.M.PATCH`, not `## YYYY.M.PATCH-beta.N`. +6. Create `release/YYYY.M.PATCH` from that post-changelog `main` commit. 7. Make every repo version location match the beta tag before creating it. 8. Commit release preparation changes on the release branch and push the branch. 9. Immediately dispatch Actions > `OpenClaw Performance` from `main` with diff --git a/.agents/skills/release-openclaw-nightly/SKILL.md b/.agents/skills/release-openclaw-nightly/SKILL.md index 2b51adffc55..e22c86b7fb2 100644 --- a/.agents/skills/release-openclaw-nightly/SKILL.md +++ b/.agents/skills/release-openclaw-nightly/SKILL.md @@ -37,9 +37,11 @@ This is good for auditability if commits are clearly machine-authored and gated - Branch name: `tideclaw/alpha/YYYY-MM-DD-HHMMZ` - Base: current `origin/main` SHA at trigger time. - State file: resolve from `$release-private` on the Tideclaw host. -- Release tag: `vYYYY.M.D-alpha.N` +- Release tag: `vYYYY.M.PATCH-alpha.N` - npm dist-tag: `alpha` +`PATCH` is a sequential monthly release-train number, never the calendar day. Determine the alpha train from stable and beta releases; ignore alpha-only patch numbers when choosing the next train. Use one greater than the highest stable/beta patch for the month, then increment only `alpha.N` for repeated nightlies on that train. If a beta exists on that next patch, move alpha to the following train. Legacy alpha-only tags with inflated patch numbers do not advance beta/stable numbering. + Do not reuse old alpha branches for a new run. If rerunning the same base SHA, create a new timestamped branch and record why. ## Start @@ -98,7 +100,7 @@ Tideclaw may run beta releases from `#releases` or mentioned `#maintainers` comm Accepted shapes: ```text -@Tideclaw beta release from vYYYY.M.D-alpha.N +@Tideclaw beta release from vYYYY.M.PATCH-alpha.N @Tideclaw beta release from tideclaw/alpha/YYYY-MM-DD-HHMMZ @Tideclaw beta release from latest proven alpha ``` @@ -110,7 +112,7 @@ Rules: 3. Verify the source alpha first: GitHub release, npm `alpha` package, release CI, recorded state file, and branch/tag SHA. 4. Create a fresh beta branch `tideclaw/beta/YYYY-MM-DD-HHMMZ` from the proven alpha source, not directly from a moving `main`. 5. Reuse/squash only stabilization fixes already proven on alpha. Do not import unrelated alpha release mechanics unless the beta release docs require them. -6. Compute beta as `vYYYY.M.D-beta.N`, matching npm `--tag beta`. +6. Compute beta as `vYYYY.M.PATCH-beta.N`, matching npm `--tag beta`. Ignore alpha-only patch numbers when selecting the beta train. 7. Run beta release validation/preflight/full release CI and fix failures on the beta branch. 8. Publish beta only after green beta gates. Use GitHub Actions/OIDC, never direct npm publish from the host. 9. Final Discord summary must include source alpha, beta tag/version, branch, fix commits, workflow run IDs, npm/GitHub proof, and any skipped/blocked reason. @@ -165,7 +167,7 @@ git push -u origin "$BRANCH" After local proof: -1. Compute the next `vYYYY.M.D-alpha.N` from existing git tags, npm versions, and GitHub releases. +1. Compute the next `vYYYY.M.PATCH-alpha.N` from existing git tags, npm versions, and GitHub releases. Select `PATCH` from stable/beta trains, not the date or the highest alpha-only patch. Reuse the same alpha train and increment `alpha.N` until that patch has a beta; after a beta exists, use the following patch for new alpha builds. 2. Make the alpha branch package version and release metadata match that tag, commit it, and push the branch. 3. Run release validation from the alpha branch, using GitHub CLI, not browser/fetch tools. On the Tideclaw host, bare `gh` is a read-only Codex sandbox wrapper; use `/usr/local/bin/gh-tideclaw-write` for write-capable commands such as `workflow run`, `run cancel`, and publish dispatch: diff --git a/AGENTS.md b/AGENTS.md index 3309487f308..2beff581fb5 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -251,9 +251,11 @@ Skills own workflows; root owns hard policy and routing. - Lockfiles/shrinkwrap are security surface: review `pnpm-lock.yaml`, `npm-shrinkwrap.json`, `package-lock.json`; root/plugin npm packages ship shrinkwrap, not package-lock. - Carbon pins owner-only: do not change `@buape/carbon` unless Shadow (`@thewilloftheshadow`, verified by `gh`) asks. - Releases/publish/version bumps need explicit approval. Use `$release-openclaw-maintainer`. +- Release versions use `YYYY.M.PATCH`, where `PATCH` is a sequential monthly release-train number, never the calendar day. Stable and beta tags determine the current train; alpha-only tags do not consume or advance the beta/stable patch number. After `2026.6.5`, the next beta train is `2026.6.6-beta.1` even if higher alpha-only tags exist. +- Alpha/nightly versions use the next unreleased train plus an incrementing prerelease number. Repeated nightlies for the same train increment only `alpha.N`; they must not mint a new patch number from the date. - Backport means apply to newest open `release/` branch unless user names another target. - GHSA/advisories: `$openclaw-ghsa-maintainer` / `$security-triage`. Secret scanning: `$openclaw-secret-scanning-maintainer`. -- Beta tag/version match: `vYYYY.M.D-beta.N` -> npm `YYYY.M.D-beta.N --tag beta`. +- Beta tag/version match: `vYYYY.M.PATCH-beta.N` -> npm `YYYY.M.PATCH-beta.N --tag beta`. ## Platform / Ops diff --git a/docs/reference/RELEASING.md b/docs/reference/RELEASING.md index 6a20e01e572..af9086ee3b9 100644 --- a/docs/reference/RELEASING.md +++ b/docs/reference/RELEASING.md @@ -23,16 +23,24 @@ OpenClaw has three public release lanes: - Git tag: `vYYYY.M.PATCH-beta.N` - Do not zero-pad month or patch - Starting with the June 2026 release process update, the third component is a - monthly patch counter, not a calendar day. Pre-update tags and npm versions - keep their existing names and remain valid; release automation continues to + sequential monthly release-train number, not a calendar day. Stable and beta + releases determine the current train; alpha-only tags do not consume or + advance the beta/stable patch number. Pre-update tags and npm versions keep + their existing names and remain valid; release automation continues to compare them by year, month, patch, channel, and prerelease or correction number. +- Alpha/nightly builds use the next unreleased patch train and increment only + `alpha.N` for repeated builds. Once that patch has a beta, new alpha builds + move to the following patch. Ignore legacy alpha-only tags with higher patch + numbers when selecting a beta or stable train. - npm versions are immutable. If a beta tag has already been published, do not delete, republish, or reuse it; cut the next beta number or the next monthly patch instead. Because `2026.6.5-beta.1` was already published during the transition, June 2026 release trains must use patch `5` or higher. Do not publish new June 2026 stable or beta trains as `2026.6.2`, `2026.6.3`, or `2026.6.4`. +- After stable `2026.6.5`, the next new beta train is `2026.6.6-beta.1`, even + if automated alpha-only tags with higher patch numbers already exist. - `latest` means the current promoted stable npm release - `beta` means the current beta install target - Stable and stable correction releases publish to npm `beta` by default; release operators can target `latest` explicitly, or promote a vetted beta build later