
























@@ -0,0 +1,90 @@
1+---
2+name: openclaw-release-ci
3+description: "Run, watch, debug, and summarize OpenClaw full release CI, release checks, live provider gates, install/update proofs, and release-secret preflights."
4+---
5+6+# OpenClaw Release CI
7+8+Use this with `$openclaw-release-maintainer` and `$openclaw-testing` when a release candidate needs full validation, install/update proof, live provider checks, or CI recovery.
9+10+## Guardrails
11+12+- No version bump, tag, npm publish, GitHub release, or release promotion without explicit operator approval.
13+- Validate provider secrets before dispatching expensive full release matrices.
14+- Do not set GitHub secrets from unvalidated 1Password candidates. If a candidate returns 401/403, leave the existing secret alone and report the exact missing provider.
15+- Use `$one-password` for secret reads/writes: one persistent tmux session, targeted items only, no secret output.
16+- Watch one parent run plus compact child summaries. Avoid broad `gh run view` polling loops; REST quota is easy to burn.
17+- Fetch logs only for failed or currently-blocking jobs. If quota is low, stop polling and wait for reset.
18+- Treat live-provider flakes separately from code failures: prove key validity, provider HTTP status, retry evidence, and exact failing lane before editing code.
19+20+## Preflight
21+22+Before full release validation:
23+24+```bash
25+node .agents/skills/openclaw-release-ci/scripts/verify-provider-secrets.mjs --required openai,anthropic,fireworks
26+gh api rate_limit --jq '.resources.core'
27+git status --short --branch
28+git rev-parse HEAD
29+```
30+31+If env lacks keys, use `$one-password` to inject or set them, then rerun the script. The script prints only provider status and HTTP class, never tokens.
32+33+## Dispatch
34+35+Prefer the trusted workflow on `main`, target the exact release SHA:
36+37+```bash
38+gh workflow run full-release-validation.yml \
39+ --repo openclaw/openclaw \
40+ --ref main \
41+ -f ref=<release-sha> \
42+ -f provider=openai \
43+ -f mode=both \
44+ -f release_profile=full \
45+ -f rerun_group=all
46+```
47+48+Use `release_profile=stable` unless the operator explicitly asks for the broad advisory provider/media matrix. Use narrow `rerun_group` after focused fixes.
49+50+## Watch
51+52+Use the summary helper instead of repeated raw polling:
53+54+```bash
55+node .agents/skills/openclaw-release-ci/scripts/release-ci-summary.mjs <full-release-run-id>
56+```
57+58+Then watch only when useful:
59+60+```bash
61+gh run watch <full-release-run-id> --repo openclaw/openclaw --exit-status
62+```
63+64+Stop watchers before ending the turn or switching strategy.
65+66+## Failure Triage
67+68+1. Confirm parent SHA and child run IDs.
69+2. List failed jobs only:
70+```bash
71+ gh run view <child-run-id> --repo openclaw/openclaw --json jobs \
72+ --jq '.jobs[] | select(.conclusion=="failure" or .conclusion=="timed_out" or .conclusion=="cancelled") | [.databaseId,.name,.conclusion,.url] | @tsv'
73+```
74+3. Fetch one failed job log. If rate-limited, note reset time and avoid more REST calls.
75+4. For secret-looking failures, validate the provider endpoint from the same secret source before editing code.
76+5. For live-cache failures, inspect whether it is missing/invalid key, empty text, provider refusal, timeout, or baseline miss. Do not weaken release gates without clear provider evidence.
77+6. Fix narrowly, run local/changed proof, commit, push, rerun the smallest matching group.
78+79+## Evidence
80+81+Record:
82+83+- release SHA
84+- full parent run URL
85+- child run IDs and conclusions: CI, Release Checks, Plugin Prerelease, NPM Telegram
86+- targeted local proof commands
87+- provider-secret preflight result
88+- known gaps or unrelated failures
89+90+For lessons and recovery patterns, read `references/release-ci-notes.md`.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。