ContextQMD
Back to Openclaw

Verify Release

.agents/skills/verify-release/SKILL.md

2026.5.284.3 KB
Original Source

Verify Release

Use this when asked whether an OpenClaw release is fully released, published, promoted, smoke-tested, or live-verified. This is a verification skill, not a publish skill; use $release-openclaw-maintainer before changing release state.

Rules

  • Resolve short suffixes like .27 to the concrete CalVer version from the current date/context, then say the resolved version.
  • Verify live state. Do not trust local checkout state, release notes, or old memory as current truth.
  • If the checkout is dirty or divergent, use it only for scripts/reference. For version metadata, fetch from GitHub release/tag or unpack the tag tarball under /tmp.
  • Never print secrets. Use inherited live keys only for scoped smoke commands.
  • Keep the final terse: yes/no, evidence bullets, caveats, cleanup.

Core Checks

  1. GitHub release:
    • gh release view v<VERSION> --repo openclaw/openclaw --json tagName,name,publishedAt,isDraft,isPrerelease,targetCommitish,url,body,assets
    • Confirm stable releases are not draft/prerelease.
    • Confirm release body has npm, CI, plugin npm, ClawHub, mac/appcast evidence links when expected.
    • Confirm assets expected for stable mac releases are uploaded: zip, dmg, dSYM, dependency evidence when present.
  2. Root npm:
    • npm view openclaw@<VERSION> version dist-tags.latest dist.tarball dist.integrity time.<VERSION> --json
    • latest must equal <VERSION> for stable.
    • Record tarball, integrity, publish time.
  3. Plugin publish set:
    • Get exact tag metadata from GitHub, not the local checkout when dirty: download https://api.github.com/repos/openclaw/openclaw/tarball/v<VERSION> into /tmp/openclaw-v<VERSION>-src.
    • Count extensions/*/package.json with openclaw.release.publishToNpm === true and openclaw.release.publishToClawHub === true.
    • Compare expected counts to workflow job counts: gh api repos/openclaw/openclaw/actions/runs/<RUN>/jobs --paginate.
    • Each expected npm plugin must have version <VERSION> and dist-tags.latest === <VERSION>.
  4. ClawHub:
    • Check the Plugin ClawHub Release workflow conclusion and publish job count.
    • Use OpenClaw itself for live registry proof: openclaw plugins search <known-plugin> --json.
    • Install one official plugin from ClawHub in an isolated HOME: openclaw plugins install clawhub:@openclaw/matrix --pin. Prefer matrix unless that plugin is not in the expected set.
  5. Release workflows:
    • Verify conclusions for release notes evidence links: Full Release Validation, OpenClaw Release Checks, OpenClaw NPM Release, Plugin NPM Release, Plugin ClawHub Release, mac preflight/validation/publish when stable mac assets are expected.
    • Summarize only relevant successful/failed jobs; ignore routine skipped optional lanes unless the release body promised them.
  6. Published package smoke:
    • In /tmp, isolated HOME: npm exec --yes --package openclaw@<VERSION> -- openclaw --version.
    • Run at least one harmless command that touches the published CLI surface, for example plugins --help or gateway --help.
  7. Dev Gateway live model smoke:
    • Use temp HOME/workspace, not the user's normal state: HOME=/tmp/openclaw-release-smoke/home OPENCLAW_WORKSPACE=/tmp/openclaw-release-smoke/work pnpm openclaw --dev gateway run --auth none --force --verbose.
    • Health check via CLI: openclaw --dev gateway health --json.
    • Run one Gateway-backed agent turn with inherited OPENAI_API_KEY, short prompt, explicit session key, JSON output, and a known-available model.
    • If the configured default model fails as unavailable, record that caveat and retry with the newest known-good OpenAI model instead of declaring the release failed.
    • Stop the gateway and verify the port is not listening.

Caveats To Report

  • Dist-tag caveat: stable latest is release truth; if optional beta mirrors still point at a beta version, report it as a caveat, not a stable-release blocker, unless the user asked to verify beta promotion.
  • Divergent checkout caveat: say when local source SHA differs from release tag or origin and which live sources were used instead.
  • Smoke caveat: distinguish Gateway-backed agent success from local embedded fallback. A valid Gateway smoke has health OK plus gateway log/run id for the agent call.