Skills for comprehensive verification of release integrity

389542 81926 Updated: 2026-07-12 22:56:55

"Verify Release" is a read-only verification tool designed to confirm whether an OpenClaw release has been fully deployed across GitHub, npm, the plugin ecosystem, ClawHub, package smoke tests, and Live Gateway proxy calls. It does not perform any actual release operations (which are handled by `release-openclaw-maintainer`); instead, it simply answers questions such as "Has a specific version been fully released, deployed, and cleared for smoke and Live testing?" and provides a "yes" or "no" conclusion based on an evidence-driven checklist.

Install
npx skills add https://github.com/openclaw/openclaw --skill verify-release
Skill Details readonly

I. Skill Overview

This skill serves as the final immutable quality gate validation layer within the OpenClaw release pipeline, invoked immediately after every completed Beta or Stable release. It runs a series of cross-dimensional, tamper-proof evidence checks to confirm a release version has been fully deployed and operates normally across all delivery surfaces: GitHub Release, npm registry, plugin npm packages, ClawHub plugin repository, local package smoke tests, and live Gateway proxy invocation workflows.
Core Design Principle: Validate, never publish. This skill operates in read-only mode and never executes version bumping, npm publish, GitHub release creation, or any mutating write operations. All final judgments are grounded on live real-time evidence; local checkout state, stale release notes, and cached historical records are never trusted as authoritative truth sources.

II. Core Functional Capabilities

1. GitHub Release Validation

Invoke gh release view to pull full release metadata including Git tag, display name, publish timestamp, draft/prerelease flag status, target commit hash, permanent URL, release body text, and attached asset manifests.
  1. Confirm stable production releases are neither drafts nor prerelease builds.
  2. Verify the release body embeds all required permanent evidence links for npm registry artifacts, CI run logs, plugin npm packages, ClawHub deployments, macOS Appcast distribution, etc.
  3. For stable macOS releases, validate mandatory attached assets: ZIP archive, DMG installer, dSYM debug symbol bundle, dependency audit records, immutable full release validation manifest, post-publish evidence logs, and stable-main release closeout manifest.
  4. Complete cryptographic integrity audit: Download every immutable evidence asset alongside its paired .sha256 checksum file, then validate matching hash values.

2. Root OpenClaw NPM Package Validation

Run npm view openclaw@<version> to retrieve package metadata: published version, latest distribution tag, tarball download URL, cryptographic integrity hash, and official publish timestamp.
  1. Confirm the latest dist-tag maps exactly to the stable release version under validation.
  2. Persist the tarball URL, integrity checksum, and publish timestamp as permanent audit evidence.
  3. Verify the post-publish evidence manifest records two mandatory success flags: npmRegistrySignaturesVerified: true and npmProvenanceAttestationMatched: true.

3. Plugin Release Batch Validation

  1. Fetch authoritative tag metadata directly from GitHub (dirty local checkouts are untrusted); download the tag source tarball to an isolated /tmp directory for independent offline validation.
  2. Count all plugins under extensions/*/package.json where both openclaw.release.publishToNpm === true and publishToClawHub === true.
  3. Cross-reference the expected plugin count against completed CI job counts via paginated GitHub API calls: gh api repos/openclaw/openclaw/actions/runs/<run-id>/jobs --paginate
  4. Confirm each eligible plugin exists on npm with a matching published version, and its latest dist-tag aligns with the current release train version.

4. ClawHub Plugin Repository Validation

  1. Inspect the final conclusion status and completed publish job tally of the dedicated Plugin ClawHub Release workflow.
  2. Execute live registry proof natively via OpenClaw CLI: openclaw plugins search <version> --json
  3. Deploy an isolated end-to-end verification: install an official production plugin in a temporary clean environment with pinning enabled: openclaw plugins install clawhub:@openclaw/matrix --pin

5. Release Workflow Audit

Validate the success status of all mandatory CI workflows referenced within the official release notes: Full Release Validation, OpenClaw Release Checks, OpenClaw NPM Release, Plugin NPM Release, Plugin ClawHub Release, and macOS preflight/validation/publish pipelines.
  1. For stable production releases, verify the OpenClaw Stable Main Closeout workflow completed successfully, and its embedded manifest records a matching release Git tag, rollback drill results, mandatory stable soak testing logs, and blocking performance benchmark evidence.
  2. Summarize only relevant pass/fail job outcomes; routine skipped optional test lanes are omitted from the audit unless the release body explicitly guarantees their execution.

6. Published Package Smoke Test

Within an isolated /tmp temporary workspace, validate the distributed CLI binary via npm one-off execution:
npm exec --yes --package openclaw@<version> -- openclaw --version
Execute at minimum one harmless surface-level CLI command to validate core functionality, such as plugins --help or gateway --help.

7. Live Gateway Proxy End-to-End Validation

All Gateway tests run within a fully isolated temporary HOME and workspace directory, decoupled from the user’s persistent local state:
HOME=/tmp/openclaw-release-smoke/home OPENCLAW_WORKSPACE=/tmp/openclaw-release-smoke/work pnpm openclaw --dev gateway run --auth none --force --verbose
  1. Run native CLI health check and output structured JSON results: openclaw --dev gateway health --json
  2. Execute one full Gateway-backed proxy LLM call using the inherited OPENAI_API_KEY, minimal short prompt, explicit session identifier, JSON output format, and a pre-confirmed available model.
  3. Graceful degradation logic: If the configured default model is temporarily unavailable, log the caveat statement and retry with the latest verified functional OpenAI model; this transient failure does not mark the entire release as invalid.
  4. Terminate the Gateway process and confirm the bound network port is fully released post-test.

III. Primary Use Cases

  1. Full Release Completeness Audit
     
    After every Beta or Stable release, resolve the core verification question: Is this version fully shipped and live? Validate successful deployment across GitHub Release, npm registry, plugin packages, and ClawHub distribution layers.
  2. Distributed Package Smoke Validation
     
    Run isolated smoke tests against the officially published npm package to confirm successful installation, executable CLI entrypoint, and functional core base commands.
  3. Live Gateway End-to-End Functional Verification
     
    Execute real LLM proxy requests through the embedded Gateway service to validate the shipped release handles production model traffic in a runtime environment matching end-user deployments.
  4. Immutable Release Evidence Archival Confirmation
     
    Verify all tamper-proof audit assets (validation manifests, post-publish evidence logs, stable closeout manifests) are fully uploaded with matching cryptographic checksums.
  5. Structured Release Status Reporting
     
    Generate a concise final report containing a pass/fail verdict, enumerated supporting evidence, documented caveats, and cleanup guidance for maintainer decision-making.

IV. Core Governing Rules

Rule Detailed Specification
Version Number Parsing Short suffix notations such as .27 are resolved into full CalVer standard versions by inferring context from the current release date and tag metadata; the fully resolved version string is explicitly stated in all output.
Live State Mandate Local checkout state, static release notes, and cached historical data are never treated as authoritative source of truth; all validation relies on live remote endpoints.
Dirty Checkout Isolation If the local working tree contains uncommitted changes or diverges from the remote origin, it is only used to access static script reference files. All authoritative version metadata is pulled from GitHub release/tag endpoints or isolated /tmp tag tarball archives.
Secret Redaction Rule Inherited live API keys are only used within limited-scope smoke test workflows; raw secret values are never printed to logs or output reports.
Standard Output Format Final deliverables remain concise, structured around a binary pass/fail verdict, bullet-point evidence list, documented caveats, and environment cleanup recommendations.

V. Reportable Caveat Definitions

Caveat Category Explanation
Dist-tag Caveat The stable/latest tag is the definitive release truth. If optional beta distribution mirrors still point to legacy beta versions, this is logged as a minor caveat rather than a hard stable release blocker — unless the user explicitly mandates full beta promotion validation.
Divergent Checkout Caveat Document discrepancies between the local source commit SHA and the official release tag / remote origin, alongside a full breakdown of all live remote data sources used for validation.
Smoke Test Caveat Distinguish successful Gateway-backed agent execution from local embedded fallback runtime. Valid Gateway smoke tests must include a passing health check log and unique Gateway run ID tied to the test agent invocation.

VI. Cross-Skill Collaboration Matrix

Partner Skill Collaboration Logic
release-openclaw-maintainer This skill operates as the post-hoc validation layer; the maintainer skill acts as the release execution layer. This skill runs only after all publish workflows complete and never performs any mutating release operations.
release-openclaw-ci The CI skill handles pre-release gate validation during pipeline execution; this skill delivers post-release full completeness audit after full deployment.

VII. Summary

Verify Release is a read-only release integrity validation skill built around six orthogonal evidence audit layers: GitHub Release asset verification, npm registry package validation, batch plugin release auditing, live ClawHub proof testing, distributed package smoke testing, and live Gateway proxy end-to-end invocation. It delivers evidence-based binary judgments to answer the core question: Has this OpenClaw version been fully and successfully published across all delivery channels? It executes zero write/mutate release operations, and all conclusions rely exclusively on live remote real-time data rather than local cached state or historical records. Designed for OpenClaw core maintainers, it runs post every Beta and Stable release to validate full deployment completeness and end-user runtime functionality.