惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
T
Threat Research - Cisco Blogs
N
News and Events Feed by Topic
Hacker News: Ask HN
Hacker News: Ask HN
Project Zero
Project Zero
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 叶小钗
Security Latest
Security Latest
Spread Privacy
Spread Privacy
aimingoo的专栏
aimingoo的专栏
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
U
Unit 42
Cyberwarzone
Cyberwarzone
小众软件
小众软件
Scott Helme
Scott Helme
Engineering at Meta
Engineering at Meta
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
A
About on SuperTechFans
爱范儿
爱范儿
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Schneier on Security
Schneier on Security
Latest news
Latest news
GbyAI
GbyAI
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
The Register - Security
The Register - Security
WordPress大学
WordPress大学
博客园_首页
Blog — PlanetScale
Blog — PlanetScale
PCI Perspectives
PCI Perspectives
Jina AI
Jina AI
AI
AI
NISL@THU
NISL@THU
I
Intezer
G
GRAHAM CLULEY
B
Blog
S
Secure Thoughts
IT之家
IT之家
宝玉的分享
宝玉的分享
Recent Announcements
Recent Announcements
Y
Y Combinator Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
酷 壳 – CoolShell
酷 壳 – CoolShell
有赞技术团队
有赞技术团队
V2EX - 技术
V2EX - 技术
Recorded Future
Recorded Future
Hacker News - Newest:
Hacker News - Newest: "LLM"

Recent Commits to openclaw:main

test: merge chat side-result checks · openclaw/openclaw@ddd2c2a test: merge cron history checks · openclaw/openclaw@f7eb746 test: merge responsive navigation shell checks · openclaw/openclaw@c2e4b47 docs(changelog): add codex oauth fixes · openclaw/openclaw@628e6cd test: merge navigation routing cases · openclaw/openclaw@5d8cecb Tests: mock channel registry bundled fallback · openclaw/openclaw@2b08233 Secrets: avoid broad web search discovery for single plugin config · openclaw/openclaw@a464f59 test: merge config view browser checks · openclaw/openclaw@20cf511 fix(status): align oauth health with runtime · openclaw/openclaw@eed7116 feat: add macOS screen snapshots for monitor preview (#67954) thanks … · openclaw/openclaw@f377db1 fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev · openclaw/openclaw@0b6c39b Auto-reply: avoid eager bundled route fallback · openclaw/openclaw@3ea1bf4 Tests: narrow session binding contract setup · openclaw/openclaw@54e4e16 fix(macOS): enable undo/redo in webchat composer text input (#34962) · openclaw/openclaw@00951dc Tests: speed up channel setup promotion · openclaw/openclaw@82b529a Docs: refresh agent instructions · openclaw/openclaw@5775fe2 fix(auth): serialize OAuth refresh across agents to fix #26322 (#67876) · openclaw/openclaw@8e79080 test: allow ollama public surface boundary test · openclaw/openclaw@7d4f1a6 Docs: add test performance guardrails · openclaw/openclaw@89706d3 Tests: restore context-engine usage proof · openclaw/openclaw@e4c4f95 Tests: slim context engine runtime coverage · openclaw/openclaw@74c198f ci: retry failed custom checkouts · openclaw/openclaw@0ee5baf test: trim duplicate provider auth onboarding cases · openclaw/openclaw@1ffc02e matrix: fix sessions_spawn --thread subagent session spawning (#67643) · openclaw/openclaw@1ce2596 test: reduce auth choice fixture churn · openclaw/openclaw@857b9cd test: mock health status config boundaries · openclaw/openclaw@9d5ab4a test: mock onboard config io boundary · openclaw/openclaw@299694d test: mock legacy state plugin boundaries · openclaw/openclaw@2713089 test: mock channel install boundaries · openclaw/openclaw@b945248 test: mock doctor preview channel boundaries · openclaw/openclaw@b1a3ad4 test: trim doctor command hotspots · openclaw/openclaw@c66f16a test: isolate agent auth and spawn hotspots · openclaw/openclaw@9285935 test: stabilize MCP startup disposal race · openclaw/openclaw@dd9d2eb test: merge browser contract server suites · openclaw/openclaw@5817a76 test: narrow ollama provider discovery setup · openclaw/openclaw@a0d9598 build: declare qa-lab aimock runtime dependency · openclaw/openclaw@24431e5 test: speed up safe-bins exec harness · openclaw/openclaw@ee856ab test: preserve tool helpers in embedded runner mocks · openclaw/openclaw@acd86a0 refactor: move memory embeddings into provider plugins · openclaw/openclaw@77e6e4c test: reuse system-run temp fixtures · openclaw/openclaw@7e9ff0f test: trim hotspot wait overhead · openclaw/openclaw@12a59b0 Check: avoid duplicate boundary prep · openclaw/openclaw@baf11b8 test: reduce hotspot fixture overhead · openclaw/openclaw@3a59edd feat(ui): overhaul settings and slash command UX (#67819) thanks @Bun… · openclaw/openclaw@2cfb660 QA Matrix: exit cleanly on failure · openclaw/openclaw@42805d2 QA Matrix: isolate scenario coverage · openclaw/openclaw@7e659e1 Matrix: refresh crypto bootstrap state · openclaw/openclaw@94081d8 QA Lab: add provider registry · openclaw/openclaw@bb7e982 Matrix: add plugin changelog · openclaw/openclaw@4acab55 test: trim more hotspot overhead · openclaw/openclaw@f485311 test: trim remaining hotspot tests · openclaw/openclaw@6ba8626 test: narrow hotspot mocks · openclaw/openclaw@dbc8179 test: isolate gemini embedding request helpers · openclaw/openclaw@cd330f5 test: trim memory and mcp hotspots · openclaw/openclaw@fd48dfa test: slim provider registry mocks · openclaw/openclaw@2e08c77 test: harden Parallels update smoke · openclaw/openclaw@1a98090 feat: default Anthropic to Opus 4.7 · openclaw/openclaw@628b454 fix: harden node-host shell payload mutability checks · openclaw/openclaw@75c551e fix: land node-host approval binding for native binaries (#66731) (th… · openclaw/openclaw@29919bb CI: add daily schedule to CodeQL workflow (#67645) · openclaw/openclaw@69d25f5 fix(gateway): capture config hash after plugin auto-enable to prevent… · openclaw/openclaw@8c11210 fix: repair sanitized replay tool results before send (#67620) (thank… · openclaw/openclaw@c3c7a99 fix: restrict HTML timeout short-circuit to transient statuses · openclaw/openclaw@de129a6 fix: keep TUI watchdog bound to active run (#67401) (thanks @xantorres) · openclaw/openclaw@3525273 Gateway/skills: dedupe skills prefix-match + drop dead fallback on log · openclaw/openclaw@d7f489f Extensions/lmstudio: back off inference preload after consecutive fai… · openclaw/openclaw@b555214 TUI/streaming: add watchdog that resets the activity indicator after … · openclaw/openclaw@f44ab20 Agents/tool-loop: enable unknown-tool stream guard by default · openclaw/openclaw@36ed367 Gateway/skills: invalidate session skills snapshot on config write · openclaw/openclaw@b23d59a fix: classify HTML provider error pages correctly (#67642) (thanks @s… · openclaw/openclaw@e588e90 fix(skills): remove unused model-usage import (#67641) · openclaw/openclaw@55f05df docs(changelog): credit codex fix superseded PRs · openclaw/openclaw@e485f24 fix(openai-codex): normalize stale transport metadata in resolution a… · openclaw/openclaw@90801ba CI: pin Docker-related GitHub Actions (#67632) · openclaw/openclaw@f697b01 Android: modernize WebView and discovery API usage (#67627) · openclaw/openclaw@44a6e50 fix(deps): bump hono to 4.12.14 and @hono/node-server to 1.19.14 (GHS… · openclaw/openclaw@fbccc18 fix(deps): bump dompurify to 3.4.0 (#67614) · openclaw/openclaw@2c2dc00 CI: add explicit permissions to all workflow jobs (fixes code-scannin… · openclaw/openclaw@01b7516 fix: register bundled TTS providers and route overrides correctly (#6… · openclaw/openclaw@6ea3cdd fix: align host tilde paths with OS home (#62804) (thanks @stainlu) · openclaw/openclaw@ecfaf64 fix: flush creds queue before reconnect socket open (#67464) (thanks … · openclaw/openclaw@405c63f fix: strip standalone <function> tool call tags from visible text (#6… · openclaw/openclaw@78df859 fix(agents): preserve cli session metadata before transcript persist … · openclaw/openclaw@898fd04 docs(changelog): move cli transcript entry · openclaw/openclaw@c1817c6 fix(agents): normalize cli transcript api field · openclaw/openclaw@3a3fae0 docs(changelog): note cli transcript persistence · openclaw/openclaw@6c343f1 fix(agents): persist cli transcript turns · openclaw/openclaw@b8ef507 fix(msteams): harden security-sensitive flows (#65841) · openclaw/openclaw@c56b56e [Dashboard] Fix exec approval modal overflow for long command content… · openclaw/openclaw@053c5b0 Docs: remove QA changelog entry · openclaw/openclaw@7fd5771 QA: fix private runtime source loading (#67428) · openclaw/openclaw@d5933af docs(gateway): correct protocol.md schema path, hello-ok example, aut… · openclaw/openclaw@489404d CI: pin Node 22 runners to 22.18.0 · openclaw/openclaw@4ffa621 models.authStatus: normalize provider ids + tighten env-backed escape… · openclaw/openclaw@f2fdb9d Update CHANGELOG.md · openclaw/openclaw@7694a92 test(parallels): clean up npm update guard jobs · openclaw/openclaw@045ea7b Plugins: prefer scanDir override paths · openclaw/openclaw@b2974da fix(dreaming): default storage.mode to "separate" so phase blocks sto… · openclaw/openclaw@8c392f0 fix(memory-core): skip dreaming transcript ingestion via session stor… · openclaw/openclaw@a1b01f0 fix: dedupe replayed exec.finished node events (#67281) · openclaw/openclaw@5dcf526
docs: clarify macOS release workflow refs (#97116) · openclaw/openclaw@bdd365a
RomneyDa · 2026-06-27 · via Recent Commits to openclaw:main

@@ -203,8 +203,9 @@ Stable publication is not complete until `main` carries the actual shipped relea

203203

validation-only release machinery. If mac packaging needs release-branch-only

204204

fixes after the stable npm package or GitHub tag is already published, do not

205205

create a `vYYYY.M.PATCH-N` correction tag just to change the workflow source.

206-

Dispatch the private mac workflows for the original `tag=vYYYY.M.PATCH` with

207-

`source_ref=release/YYYY.M.PATCH` and `public_release_branch=release/YYYY.M.PATCH`;

206+

Dispatch the release-ops mac workflows for the original `tag=vYYYY.M.PATCH`

207+

with `source_ref=release/YYYY.M.PATCH` and

208+

`public_release_branch=release/YYYY.M.PATCH`;

208209

provenance checks must prove the source SHA descends from the tag and

209210

validation/preflight use the same source. Reserve `vYYYY.M.PATCH-N` correction

210211

tags for emergency hotfixes that must publish a new npm package/release

@@ -579,8 +580,8 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

579580

- Actual npm install/update phases are capped at 5 minutes. If `npm install -g`, installer package install, or `openclaw update` takes longer than 300s in release e2e, stop treating the run as healthy progress and debug the installer/updater or harness.

580581

- Serialize host build/package mutations ahead of VM lanes. Finish `pnpm build`, `pnpm ui:build`, `pnpm release:check`, install smoke, and any Docker/package-prep lanes before starting Parallels `npm pack` lanes; otherwise `dist` can disappear during VM pack prep and produce false failures.

581582

- Include mac release readiness in preflight by running the public validation

582-

workflow in `openclaw/openclaw` and the real mac preflight in

583-

`openclaw/releases-private` for every release.

583+

workflow in `openclaw/openclaw` and the release-ops mac preflight in

584+

`openclaw/releases` for every release.

584585

- Treat the `appcast.xml` update on `main` as part of mac release readiness, not an optional follow-up.

585586

- The workflows remain tag-based. The agent is responsible for making sure

586587

preflight runs complete successfully before any publish run starts.

@@ -608,16 +609,16 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

608609

## Use the right auth flow

609610610611

- OpenClaw publish uses GitHub trusted publishing.

611-

- Stable npm promotion from `beta` to `latest` uses the private

612-

`openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`

613-

workflow because `npm dist-tag` management needs `NPM_TOKEN`, while the

614-

public npm release workflow stays OIDC-only.

615-

- Prefer fixing the private workflow token path over any local 1Password

616-

fallback. The desired setup is a granular npm token stored as the private

612+

- Stable npm promotion from `beta` to `latest` uses the restricted release-ops

613+

`openclaw/releases/.github/workflows/openclaw-npm-dist-tags.yml` workflow

614+

because `npm dist-tag` management needs `NPM_TOKEN`, while the public npm

615+

release workflow stays OIDC-only.

616+

- Prefer fixing the release-ops workflow token path over any local 1Password

617+

fallback. The desired setup is a granular npm token stored as the release-ops

617618

repo's `NPM_TOKEN` secret, scoped to the `openclaw` package with read/write

618619

and 2FA bypass for automation.

619-

- If the private dist-tag workflow cannot promote because `NPM_TOKEN` is absent

620-

or stale, use the local tmux + 1Password fallback:

620+

- If the release-ops dist-tag workflow cannot promote because `NPM_TOKEN` is

621+

absent or stale, use the local tmux + 1Password fallback:

621622

- Start or reuse a tmux session so interactive `npm login` and OTP prompts

622623

are observable and recoverable.

623624

- Hard rule: never run `op` directly in the main agent shell during release

@@ -635,21 +636,21 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

635636

- Verify with a cache-bypassed registry read, for example:

636637

`npm view openclaw dist-tags --json --prefer-online --cache /tmp/openclaw-npm-cache-verify-$$`

637638

and `npm view openclaw@latest version dist.tarball --json --prefer-online`.

638-

- Direct stable publishes can also use that private dist-tag workflow to point

639-

`beta` at the already-published `latest` version when the operator wants both

640-

tags aligned immediately.

639+

- Direct stable publishes can also use that release-ops dist-tag workflow to

640+

point `beta` at the already-published `latest` version when the operator wants

641+

both tags aligned immediately.

641642

- The publish run must be started manually with `workflow_dispatch`.

642-

- The npm workflow and the private mac publish workflow accept

643+

- The npm workflow and the release-ops mac publish workflow accept

643644

`preflight_only=true` to run validation/build/package steps without uploading

644645

public release assets.

645646

- Real npm publish requires a prior successful npm preflight run id and the

646647

successful Full Release Validation run id for the same tag/SHA so the publish

647648

job promotes the prepared tarball instead of rebuilding it and attaches the

648649

correct release evidence.

649-

- Real private mac publish requires a prior successful private mac preflight

650-

run id so the publish job promotes the prepared artifacts instead of

650+

- Real release-ops mac publish requires a prior successful release-ops mac

651+

preflight run id so the publish job promotes the prepared artifacts instead of

651652

rebuilding or renotarizing them again.

652-

- The private mac workflow also accepts `smoke_test_only=true` for branch-safe

653+

- The release-ops mac workflow also accepts `smoke_test_only=true` for branch-safe

653654

workflow smoke tests that use ad-hoc signing, skip notarization, skip shared

654655

appcast generation, and do not prove release readiness.

655656

- `preflight_only=true` on the npm workflow is also the right way to validate an

@@ -670,27 +671,27 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

670671

use only `main` or `release/YYYY.M.PATCH`.

671672

- `.github/workflows/macos-release.yml` in `openclaw/openclaw` is now a

672673

public validation-only handoff. It validates the tag/release state and points

673-

operators to the private repo. It still rebuilds the JS outputs needed for

674+

operators to the release-ops repo. It still rebuilds the JS outputs needed for

674675

release validation, but it does not sign, notarize, or publish macOS

675676

artifacts.

676-

- `openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml`

677-

is the required private mac validation lane for `swift test`; keep it green

677+

- `openclaw/releases/.github/workflows/openclaw-macos-validate.yml` is the

678+

required release-ops mac validation lane for `swift test`; keep it green

678679

before any real stable mac publish run starts.

679680

- Real mac preflight and real mac publish both use

680-

`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`.

681-

- The private mac validation lane runs on GitHub's standard macOS runner.

682-

- The private mac preflight path runs on GitHub's xlarge macOS runner and uses

681+

`openclaw/releases/.github/workflows/openclaw-macos-publish.yml`.

682+

- The release-ops mac validation lane runs on GitHub's standard macOS runner.

683+

- The release-ops mac preflight path runs on GitHub's xlarge macOS runner and uses

683684

a SwiftPM cache because the build/sign/notarize/package path is CPU-heavy.

684-

- Private mac preflight uploads notarized build artifacts as workflow artifacts

685-

instead of uploading public GitHub release assets.

686-

- Private smoke-test runs upload ad-hoc, non-notarized build artifacts as

685+

- Release-ops mac preflight uploads notarized build artifacts as workflow

686+

artifacts instead of uploading public GitHub release assets.

687+

- Release-ops smoke-test runs upload ad-hoc, non-notarized build artifacts as

687688

workflow artifacts and intentionally skip stable `appcast.xml` generation.

688689

- For stable releases, npm preflight, Full Release Validation, public mac

689-

validation, private mac validation, and private mac preflight must all pass

690-

before any real publish run starts. For beta releases, npm preflight and Full

691-

Release Validation must pass before npm publish unless the operator explicitly

692-

waives the full gate; mac beta validation is still only required when

693-

requested.

690+

validation, release-ops mac validation, and release-ops mac preflight must all

691+

pass before any real publish run starts. For beta releases, npm preflight and

692+

Full Release Validation must pass before npm publish unless the operator

693+

explicitly waives the full gate; mac beta validation is still only required

694+

when requested.

694695

- Real publish runs may be dispatched from `main` or from a

695696

`release/YYYY.M.PATCH` branch. For release-branch runs, the tag must be contained

696697

in that release branch, and the real publish must reuse a successful preflight

@@ -699,21 +700,21 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

699700

rather than workflow-level SHA pinning.

700701

- The `npm-release` environment must be approved by `@openclaw/openclaw-release-managers` before publish continues.

701702

- Mac publish uses

702-

`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml` for

703-

private mac preflight artifact preparation and real publish artifact

703+

`openclaw/releases/.github/workflows/openclaw-macos-publish.yml` for

704+

release-ops mac preflight artifact preparation and real publish artifact

704705

promotion.

705-

- Real private mac publish uploads the packaged `.zip`, `.dmg`, and

706+

- Real release-ops mac publish uploads the packaged `.zip`, `.dmg`, and

706707

`.dSYM.zip` assets to the existing GitHub release in `openclaw/openclaw`

707708

automatically when `OPENCLAW_PUBLIC_REPO_RELEASE_TOKEN` is present in the

708-

private repo `mac-release` environment.

709+

release-ops repo `mac-release` environment.

709710

- For stable releases, the agent must also download the signed

710-

`macos-appcast-<tag>` artifact from the successful private mac workflow and

711-

then update `appcast.xml` on `main`.

711+

`macos-appcast-<tag>` artifact from the successful release-ops mac workflow

712+

and then update `appcast.xml` on `main`.

712713

- For beta mac releases, do not update the shared production `appcast.xml`

713714

unless a separate beta Sparkle feed exists.

714-

- The private repo targets a dedicated `mac-release` environment. If the GitHub

715-

plan does not yet support required reviewers there, do not assume the

716-

environment alone is the approval boundary; rely on private repo access and

715+

- The release-ops repo targets a dedicated `mac-release` environment. If the

716+

GitHub plan does not yet support required reviewers there, do not assume the

717+

environment alone is the approval boundary; rely on restricted repo access and

717718

CODEOWNERS until those settings can be enabled.

718719

- Do not use `NPM_TOKEN` or the plugin OTP flow for the OpenClaw package

719720

publish path; package publishing uses trusted publishing.

@@ -800,12 +801,12 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

800801

18. For stable releases, start `.github/workflows/macos-release.yml` in

801802

`openclaw/openclaw` and wait for the public validation-only run to pass.

802803

19. For stable releases, start

803-

`openclaw/releases-private/.github/workflows/openclaw-macos-validate.yml`

804-

with the same tag and wait for the private mac validation lane to pass.

804+

`openclaw/releases/.github/workflows/openclaw-macos-validate.yml` with the

805+

same tag and wait for the release-ops mac validation lane to pass.

805806

20. For stable releases, start

806-

`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`

807-

with `preflight_only=true` and wait for it to pass. Save that run id because

808-

the real publish requires it to reuse the notarized mac artifacts.

807+

`openclaw/releases/.github/workflows/openclaw-macos-publish.yml` with

808+

`preflight_only=true` and wait for it to pass. Save that run id because the

809+

real publish requires it to reuse the notarized mac artifacts.

809810

21. If any preflight or validation run fails, fix the issue on a new commit,

810811

delete the tag and any accidental draft/incomplete GitHub release, recreate

811812

the tag from the fixed commit, and rerun all relevant preflights from

@@ -861,22 +862,23 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts <published-version>

861862

promotion roster when the matching beta already carried the full confidence

862863

pass: published npm postpublish verify, Docker install/update smoke,

863864

macOS-only Parallels install/update smoke, and required QA signal.

864-

Then start the private

865-

`openclaw/releases-private/.github/workflows/openclaw-npm-dist-tags.yml`

866-

workflow to promote that stable version from `beta` to `latest`, then

867-

verify `latest` now points at that version.

865+

Then start the restricted release-ops

866+

`openclaw/releases/.github/workflows/openclaw-npm-dist-tags.yml` workflow

867+

to promote that stable version from `beta` to `latest`, then verify

868+

`latest` now points at that version.

868869

29. If the stable release was published directly to `latest` and `beta` should

869-

follow it, start that same private dist-tag workflow to point `beta` at the

870-

stable version, then verify both `latest` and `beta` point at that version.

870+

follow it, start that same release-ops dist-tag workflow to point `beta` at

871+

the stable version, then verify both `latest` and `beta` point at that

872+

version.

871873

30. For stable releases, start

872-

`openclaw/releases-private/.github/workflows/openclaw-macos-publish.yml`

873-

for the real publish with the successful private mac `preflight_run_id` and

874-

wait for success.

875-

31. Verify the successful real private mac run uploaded the `.zip`, `.dmg`,

874+

`openclaw/releases/.github/workflows/openclaw-macos-publish.yml` for the

875+

real publish with the successful release-ops mac `preflight_run_id` and wait

876+

for success.

877+

31. Verify the successful real release-ops mac run uploaded the `.zip`, `.dmg`,

876878

and `.dSYM.zip` artifacts to the existing GitHub release in

877879

`openclaw/openclaw`.

878880

32. For stable releases, download `macos-appcast-<tag>` from the successful

879-

private mac run, update `appcast.xml` on `main`, verify the feed, then

881+

release-ops mac run, update `appcast.xml` on `main`, verify the feed, then

880882

complete the **Close stable releases on main** gate.

881883

33. For beta releases, publish the mac assets only when intentionally requested;

882884

expect no shared production