Full Release Validation is the release product-validation umbrella. Most work
happens in child workflows so a failed box can be rerun without restarting the
whole release.
Freeze the product-complete pre-changelog commit as the Code SHA, then run:
provider also accepts anthropic or minimax for cross-OS onboarding and the
end-to-end agent turn. The helper infers the beta profile from alpha/beta
package versions and stable otherwise. Pass alternate workflow inputs with
-f key=value; use -f release_profile=full only for the broad advisory sweep.
The helper creates a temporary release-ci/* ref pinned to one trusted
origin/main workflow SHA, passes the target SHA only as the candidate ref,
and deletes the temporary ref after validation. Every dispatched child must
report that same workflow SHA. Pass
-f reuse_evidence=false to force a fresh run or
--workflow-sha <trusted-main-sha> to select an older workflow commit still
reachable from current origin/main. The workflow never creates or updates
repository refs itself.
When the Code SHA is green, generate and commit only CHANGELOG.md. This new
commit is the Release SHA. Run the same helper for the Release SHA. Product
evidence is reused only when GitHub proves the Release SHA descends from the
Code SHA and the complete changed path set is exactly CHANGELOG.md; npm
preflight and package/install acceptance still run on the Release SHA.
release_profile=stable and release_profile=full always run the exhaustive
live/Docker soak. Pass run_release_soak=true to include the same soak lanes
with the beta profile. Stable publication rejects a validation manifest
without this soak and blocking product-performance evidence.
Package Acceptance normally builds the candidate tarball from the resolved
ref, including full-SHA runs dispatched with pnpm ci:full-release. After a
beta publish, pass release_package_spec=openclaw@YYYY.M.PATCH-beta.N to reuse
the shipped npm package across release checks, Package Acceptance, cross-OS,
release-path Docker, and package Telegram. Use package_acceptance_package_spec
only when Package Acceptance should intentionally prove a different package.
The Codex plugin live package lane follows the same state: published
release_package_spec values derive codex_plugin_spec=npm:@openclaw/codex@<version>;
SHA/artifact runs pack extensions/codex from the selected ref; and operators
can set codex_plugin_spec directly for npm:, npm-pack:, or git: plugin
sources. The lane grants the explicit Codex CLI install approval required by
that plugin, then runs Codex CLI preflight and same-session OpenAI agent turns.
Top-level stages
Forrerun_group=all, a Check for reusable validation evidence job runs
first. It looks for the newest prior green full validation with the same release
profile, effective soak setting, and validation inputs. Exact-target reruns use
exact-target-full-validation-v1. A descendant whose complete delta is exactly
CHANGELOG.md uses changelog-only-release-v1; every product lane is skipped
and the verifier independently rechecks the GitHub commit comparison, immutable
parent artifact, child runs, and dispatch logs. Any other target change requires
a fresh Code SHA validation. Pass reuse_evidence=false to force a fresh full
run. Evidence reuse runs only from main or a canonical SHA-pinned
release-ci/* ref whose workflow commit remains on trusted main lineage;
other workflow refs run the selected lanes fresh.
Also for rerun_group=all, a Verify Docker runtime image assets job builds
the runtime-assets Docker target with
OPENCLAW_EXTENSIONS=diagnostics-otel,codex. It runs in parallel with the
other stages and is enforced by the umbrella verifier; lanes no longer wait for
it before dispatching. A narrower rerun_group skips this preflight.
The umbrella always dispatches product performance in artifact-only mode.
OpenClaw Performance permits report publication only for scheduled runs or a
manual dispatch that explicitly sets publish_reports=true. The artifact-only
guard must complete successfully, proving the publisher job stayed skipped.
Fresh and reused evidence records
controls.performanceReportPublication=artifact-only; the verifier and reuse
selector reject evidence without the matching normalized performance-child
proof.
The verifier uploads the canonical manifest as
full-release-validation-<run-id>-<run-attempt>. Evidence tooling validates
its artifact ID, digest, producer run, and attempt before downloading that exact
artifact ID. It caps the downloaded ZIP, verifies its bytes against the REST
sha256: digest, and streams the only allowed bounded manifest entry without
extracting the archive. A stable-name alias remains temporarily for older
publish consumers. The verifier always prefers the attempt-qualified artifact;
as a transition, it accepts the stable name only for an attempt-1 manifest v2
producer. It rejects that legacy name for later attempts and manifest v3.
For ref=main with rerun_group=all, for release/* refs, and for Tideclaw
alpha refs, a newer umbrella run supersedes an older one with the same ref and
rerun group. When the parent is cancelled, its monitor cancels any child
workflow it already dispatched. Tag and pinned-SHA validation runs do not
cancel each other.
Release checks stages
OpenClaw Release Checks is the largest child workflow. It resolves the target
once and prepares a shared release-package-under-test artifact when package
or Docker-facing stages need it.
Docker release-path chunks
The Docker release-path stage runs these chunks whenlive_suite_filter is
empty:
Use targeted
docker_lanes=<lane[,lane]> on the reusable live/E2E workflow when
only one Docker lane failed. The release artifacts include per-lane rerun
commands with package artifact and image reuse inputs when available.
Release profiles
release_profile mostly controls live/provider breadth inside release checks.
It does not remove normal full CI, Plugin Prerelease, install smoke, package
acceptance, or QA Lab. Stable and full profiles always run exhaustive repo/live
E2E and Docker release-path soak coverage. The beta profile can opt in with
run_release_soak=true. Package Acceptance supplies the canonical package
Telegram E2E for every full candidate, so the umbrella does not duplicate that
live poller.
Full-only additions
These suites are skipped bystable and included by full:
stable includes native-live-src-gateway-profiles-anthropic-smoke and
native-live-src-gateway-profiles-opencode-go-smoke; full uses the broader
Anthropic and OpenCode Go model shards instead. Focused reruns can still use the
aggregate native-live-src-gateway-profiles-anthropic or
native-live-src-gateway-profiles-opencode-go handles.
Focused reruns
Usererun_group to avoid repeating unrelated release boxes:
Use
live_suite_filter with rerun_group=live-e2e when one live suite failed.
Valid filter ids are defined in the reusable live/E2E workflow, including
docker-live-models, live-gateway-docker,
live-gateway-anthropic-docker, live-gateway-google-docker,
live-gateway-minimax-docker, live-gateway-advisory-docker,
live-cli-backend-docker, live-acp-bind-docker, and
live-codex-harness-docker.
The live-gateway-advisory-docker handle is an aggregate rerun handle for its
three provider shards, so it still fans out to all advisory Docker gateway jobs.
Use cross_os_suite_filter with rerun_group=cross-os when one cross-OS lane
failed. The filter accepts an OS id, a suite id, or an OS/suite pair, for
example windows/packaged-upgrade, windows, or packaged-fresh. Cross-OS
summaries include per-phase timings for packaged upgrade lanes, and long-running
commands print heartbeat lines so a stuck update is visible before the job
timeout.
QA release-check failures block normal release validation. The QA runtime tool
coverage check (dynamic tool drift between openclaw and codex in the
standard tier) also blocks the release-check verifier even though the
underlying QA runtime parity lane is advisory. Tideclaw alpha runs may still
treat non-package-safety release-check lanes as advisory. With
release_profile=beta, the Run repo/live E2E validation live-provider suites
are advisory: third-party model deployments change underneath a release, so
beta surfaces their failures as warnings while stable and full profiles keep
them blocking. When
live_suite_filter explicitly requests a gated QA live lane such as Discord,
WhatsApp, or Slack, the matching OPENCLAW_RELEASE_QA_*_LIVE_CI_ENABLED repo
variable must be enabled; otherwise input capture fails instead of silently skipping the lane.
Rerun rerun_group=qa, qa-parity, or qa-live when you
need fresh QA evidence.
Evidence to keep
Keep theFull Release Validation summary as the release-level index. It links
child run ids and includes slowest-job tables. For failures, inspect the child
workflow first, then rerun the smallest matching handle above.
Record both Code SHA and Release SHA, the reuse policy and changed-path set, the
green Code SHA parent run, and the lightweight Release SHA parent run.
Useful artifacts:
release-package-under-testfromOpenClaw Release Checks- Docker release-path artifacts under
.artifacts/docker-tests/ - Package Acceptance
package-under-testand Docker acceptance artifacts - Cross-OS release-check artifacts for each OS and suite
- QA parity, runtime parity, Matrix, and Telegram artifacts
Workflow files
.github/workflows/full-release-validation.yml.github/workflows/openclaw-release-checks.yml.github/workflows/openclaw-live-and-e2e-checks-reusable.yml.github/workflows/plugin-prerelease.yml.github/workflows/install-smoke.yml.github/workflows/install-smoke-reusable.yml.github/workflows/openclaw-cross-os-release-checks-reusable.yml.github/workflows/package-acceptance.yml.github/workflows/openclaw-performance.yml.github/workflows/npm-telegram-beta-e2e.yml