Community编程与开发github.com

release-openclaw-mac

Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion.

release-openclaw-mac 是什么?

release-openclaw-mac is a Claude Code agent skill that run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion.

兼容平台~Claude Code~Codex CLI~Cursor
npx skills add https://github.com/clawdbot/clawdbot/tree/main/.agents/skills/release-openclaw-mac

Installed? Explore more 编程与开发 skills: steipete/bluebubbles, steipete/eightctl, steipete/blucli · View all 6 →

在你喜欢的 AI 中提问

打开一个已预加载此 Agent Skill 的新对话。

文档

OpenClaw Mac Release

Use with $release-openclaw-maintainer, $release-openclaw-ci, $one-password, and $release-private if it exists when stable macOS assets, release-ops mac preflight, notarization, appcast promotion, or mac release recovery is involved.

Credentials

  • Resolve Peter-owned ASC item refs, key ids, issuer ids, and service-token provenance from $release-private.
  • Fields: private_key_p8, key_id, issuer_id.
  • Stale/revoked key symptom: xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.
  • Validate candidate ASC credentials with xcrun notarytool history before setting GitHub secrets.

1Password

  • Use $one-password: all op work inside one persistent tmux session, no secret output.
  • Use the service-token guidance from $release-private when available.
  • If a service token fails, run status-only checks: token present/length and op whoami; never print token values.
  • If desktop app auth is needed but Touch ID is unavailable, set OP_BIOMETRIC_UNLOCK_ENABLED=false for the manual op account add --signin path.

GitHub Secrets

Target release-ops repo environment: openclaw/releases, env mac-release.

Set only after local notary auth validation:

  • APP_STORE_CONNECT_API_KEY_P8
  • APP_STORE_CONNECT_KEY_ID
  • APP_STORE_CONNECT_ISSUER_ID

Do not update these from mixed sources. All three ASC fields must come from the same 1Password item.

Workflow Shape

  • openclaw/openclaw is the public product repo. Its GitHub Releases page is where macOS assets are ultimately attached.
  • openclaw/openclaw macos-release.yml is public handoff validation only. It never signs, notarizes, or uploads macOS assets, regardless of preflight_only.
  • openclaw/releases is the restricted release-ops repo. Its macOS workflows sign, notarize, validate, and promote assets onto the openclaw/openclaw GitHub release.
  • Public release branch may carry mac-only packaging fixes after the stable tag/npm are already live.
  • Use source_ref=release/YYYY.M.PATCH for release-ops mac preflight/validation when building that branch variation.
  • Keep tag=vYYYY.M.PATCH pointing at the original stable release commit.
  • Real mac publish must reuse:
    • a successful release-ops mac preflight run for the same tag/source SHA
    • a successful release-ops mac validation run for the same tag/source SHA
  • Release-ops preflight and real publish enter the protected mac-release environment in the build_sign_and_package job. Operators may be able to trigger the workflow while Vincent or another environment reviewer approves the paused deployment before signing/notarization/promotion proceeds.
  • If preflight source SHA differs from tag SHA, validation must also use the same source_ref; promotion rejects mismatched proof.

Notarization

  • OpenClaw uses scripts/notarize-mac-artifact.sh.
  • xcrun notarytool submit should use --no-s3-acceleration; accelerated upload can surface misleading 401s even when notarytool history succeeds.
  • If signing succeeds but notarization fails immediately with 401, check ASC key freshness first.
  • If notarization stays in progress for several minutes after key-file write, that is normal Apple wait time; do not edit blindly.

Dispatch

Public handoff validation:

gh workflow run macos-release.yml --repo openclaw/openclaw \
  --ref release/YYYY.M.PATCH \
  -f tag=vYYYY.M.PATCH \
  -f preflight_only=true \
  -f public_release_branch=release/YYYY.M.PATCH
  • Use the public release branch as the workflow ref so the Actions list displays release/YYYY.M.PATCH, matching prior stable macOS handoff runs.
  • Do not use --ref main or --ref vYYYY.M.PATCH for this public handoff validation. The workflow checks out the tag from the tag input internally.

Release-ops preflight:

gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
  -f tag=vYYYY.M.PATCH \
  -f source_ref=release/YYYY.M.PATCH \
  -f preflight_only=true \
  -f smoke_test_only=false \
  -f allow_late_calver_recovery=false \
  -f public_release_branch=release/YYYY.M.PATCH

Wait for the run to reach the mac-release environment approval if GitHub pauses it, then get approval from Vincent or another configured environment reviewer. Record the successful preflight run id.

Release-ops validation for a branch-variation preflight:

gh workflow run openclaw-macos-validate.yml --repo openclaw/releases --ref main \
  -f tag=vYYYY.M.PATCH \
  -f source_ref=release/YYYY.M.PATCH

Record the successful validation run id.

Real publish:

gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
  -f tag=vYYYY.M.PATCH \
  -f preflight_only=false \
  -f smoke_test_only=false \
  -f preflight_run_id=<successful-preflight-run> \
  -f validate_run_id=<successful-validation-run> \
  -f allow_late_calver_recovery=false \
  -f public_release_branch=release/YYYY.M.PATCH

Wait for the mac-release environment approval again if GitHub pauses the real publish run before it promotes assets.

  • Release-ops openclaw/releases publish/validate workflows run from their own trusted main workflow ref. Real publish has a guard that rejects any other workflow ref. That displayed main ref is expected; the public OpenClaw source is selected by tag and optional source_ref.

Verify

  • gh release view vYYYY.M.PATCH --repo openclaw/openclaw shows zip, dmg, dSYM zip, not draft, not prerelease.
  • Public main appcast.xml points at OpenClaw-YYYY.M.PATCH.zip.
  • Appcast entry has sparkle:version, sparkle:shortVersionString, length, and sparkle:edSignature.

Individual skills in this repo

This repo contains 20 individual skills — each has its own dedicated page.

1password

Set up and use 1Password CLI for sign-in, desktop integration, and reading or injecting secrets.

acp-router

Route plain-language requests for Claude Code, Cursor, Copilot, OpenClaw ACP, OpenCode, Gemini CLI, Qwen, Kiro, Kimi, iFlow, Factory Droid, Kilocode, or explicit ACP harness work into either OpenClaw ACP runtime sessions or direct acpx-driven sessions ("telephone game" flow). For coding-agent thread requests, read this skill first, then use only `sessions_spawn` for thread creation. Codex chat binding defaults to the native Codex app-server plugin unless ACP is explicit or background spawn needs ACP.

agent-transcript

Add a redacted agent transcript section to GitHub PR or issue bodies during OpenClaw agent-created PR/issue workflows.

apple-notes

Create, view, edit, delete, search, move, or export Apple Notes via the memo CLI on macOS.

apple-reminders

List, add, edit, complete, or delete Apple Reminders and reminder lists via remindctl.

autoreview

Pre-commit/ship code review: Codex default; optional Claude, Pi, Droid, Copilot, Cursor, or OpenCode.

bear-notes

Create, search, and manage Bear notes via grizzly CLI.

blacksmith-testbox

Run Blacksmith Testbox for CI-parity checks, secrets, hosted services, migrations, or builds local cannot reproduce.

blogwatcher

Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.

blucli

BluOS CLI (blu) for discovery, playback, grouping, and volume.

bluebubbles

Send and manage iMessages via BlueBubbles, including attachments, tapbacks, edits, replies, and groups.

browser-automation

Use when controlling web pages with the OpenClaw browser tool, especially multi-step flows, login checks, tab management, or recovery from stale refs/timeouts.

camsnap

Capture frames or clips from RTSP/ONVIF cameras.

canvas

Present HTML on connected OpenClaw node canvases, navigate/eval/snapshot, and debug canvas host URLs.

channel-message-flows

Use when running QA Lab channel message flow evidence.

clawdtributor

Use for OpenClaw clawtributors PR/issue triage: Discrawl discovery, live-open rechecks, deep review, topic grouping, and compact @handle/LOC/type/blast/verification summaries.

clawhub

Search ClawHub for skills when a requested capability is not already available; install, verify, update, publish, or sync skills.

claw-score

Audit or refresh OpenClaw maturity scorecard docs from root taxonomy, maturity scores, and QA evidence artifacts without using maintainer discrawl data or committed inventory reports.

clawsweeper

Use for all ClawSweeper work: OpenClaw issue/PR sweep reports, commit-review reports, repair jobs, cloud fix PRs, @clawsweeper maintainer mention commands, trusted ClawSweeper-reviewed autofix/automerge, GitHub Actions monitoring, permissions, gates, and manual backfills.

clownfish-cloud-pr

Use when launching Clownfish in GitHub Actions to create or update one guarded GitHub implementation PR from issue/PR refs, a ClawSweeper report, a custom maintainer prompt, or to opt an existing Clownfish PR into ClawSweeper-reviewed cloud automerge.

相关技能