.agents/skills/release-openclaw-mac/SKILL.md
Use with $release-openclaw-maintainer, $release-openclaw-ci, $one-password, and $release-private if it exists when stable macOS assets, release-ops mac preflight, notarization, appcast promotion, or mac release recovery is involved.
$release-private.private_key_p8, key_id, issuer_id.xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.xcrun notarytool history before setting GitHub secrets.$one-password: all op work inside one persistent tmux session, no secret output.$release-private when available.op whoami; never print token values.OP_BIOMETRIC_UNLOCK_ENABLED=false for the manual op account add --signin path.Target release-ops repo environment: openclaw/releases, env mac-release.
Set only after local notary auth validation:
APP_STORE_CONNECT_API_KEY_P8APP_STORE_CONNECT_KEY_IDAPP_STORE_CONNECT_ISSUER_IDDo not update these from mixed sources. All three ASC fields must come from the same 1Password item.
openclaw/openclaw is the public product repo. Its GitHub Releases page is
where macOS assets are ultimately attached.openclaw/openclaw macos-release.yml is public handoff validation only.
It never signs, notarizes, or uploads macOS assets, regardless of
preflight_only.openclaw/releases is the restricted release-ops repo. Its macOS workflows
sign, notarize, validate, and promote assets onto the
openclaw/openclaw GitHub release.source_ref=release/YYYY.M.PATCH for release-ops mac preflight/validation when building that branch variation.tag=vYYYY.M.PATCH pointing at the original stable release commit.mac-release
environment in the build_sign_and_package job. Operators may be able to
trigger the workflow while Vincent or another environment reviewer approves
the paused deployment before signing/notarization/promotion proceeds.source_ref; promotion rejects mismatched proof.scripts/notarize-mac-artifact.sh.xcrun notarytool submit should use --no-s3-acceleration; accelerated upload can surface misleading 401s even when notarytool history succeeds.Public handoff validation:
gh workflow run macos-release.yml --repo openclaw/openclaw \
--ref release/YYYY.M.PATCH \
-f tag=vYYYY.M.PATCH \
-f preflight_only=true \
-f public_release_branch=release/YYYY.M.PATCH
release/YYYY.M.PATCH, matching prior stable macOS handoff runs.--ref main or --ref vYYYY.M.PATCH for this public handoff
validation. The workflow checks out the tag from the tag input internally.Release-ops preflight:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f source_ref=release/YYYY.M.PATCH \
-f preflight_only=true \
-f smoke_test_only=false \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.PATCH
Wait for the run to reach the mac-release environment approval if GitHub
pauses it, then get approval from Vincent or another configured environment
reviewer. Record the successful preflight run id.
Release-ops validation for a branch-variation preflight:
gh workflow run openclaw-macos-validate.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f source_ref=release/YYYY.M.PATCH
Record the successful validation run id.
Real publish:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f preflight_only=false \
-f smoke_test_only=false \
-f preflight_run_id=<successful-preflight-run> \
-f validate_run_id=<successful-validation-run> \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.PATCH
Wait for the mac-release environment approval again if GitHub pauses the real
publish run before it promotes assets.
openclaw/releases publish/validate workflows run from their own
trusted main workflow ref. Real publish has a guard that rejects any other
workflow ref. That displayed main ref is expected; the public OpenClaw
source is selected by tag and optional source_ref.gh release view vYYYY.M.PATCH --repo openclaw/openclaw shows zip, dmg, dSYM zip, not draft, not prerelease.main appcast.xml points at OpenClaw-YYYY.M.PATCH.zip.sparkle:version, sparkle:shortVersionString, length, and sparkle:edSignature.