diff --git a/.agents/skills/release-peekaboo/SKILL.md b/.agents/skills/release-peekaboo/SKILL.md index e6fd6b85..ff003ced 100644 --- a/.agents/skills/release-peekaboo/SKILL.md +++ b/.agents/skills/release-peekaboo/SKILL.md @@ -99,10 +99,11 @@ If both `history` and non-S3 `submit` fail, suspect wrong access level or stale ```bash op run --env-file "$ENVFILE" -- \ - bash -lc 'printf "y\n" | ./scripts/release-binaries.sh --create-github-release --publish-npm' + bash -c 'printf "y\n" | ./scripts/release-binaries.sh --create-github-release --publish-npm' ``` The script builds universal CLI, npm package, signed/notarized app zip, appcast, checksums, draft GitHub release, and npm publish. +Use a non-login shell: profile exports can replace current 1Password ASC IDs with stale values while leaving the current `.p8`, producing a misleading `401`. Notarized releases must sign with `Developer ID Application: Peter Steinberger (Y5PE65HELJ)`, not `Apple Development`. If your shell has `SIGN_IDENTITY` exported for CLI builds, override it for the release command. @@ -114,6 +115,7 @@ Required before closeout: ```bash npm view @steipete/peekaboo@ version dist-tags dist.tarball dist.integrity time --json +(cd /tmp && npm exec --yes --package=@steipete/peekaboo@ -- peekaboo --version) gh release view v --repo openclaw/Peekaboo --json tagName,isDraft,isPrerelease,url,assets,body xmllint --noout appcast.xml git status --short --branch @@ -122,6 +124,7 @@ git status --short --branch Confirm: - npm version exists and `latest` points to it. +- npm-downloaded CLI reports the release version from a neutral cwd. - GitHub release/tag/assets exist; release body is from changelog. - app zip asset exists and appcast points at `v`. - `appcast.xml` changes are committed and pushed. diff --git a/AGENTS.md b/AGENTS.md index 82674f55..2e44675d 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -35,6 +35,9 @@ - Batch git network ops in groups: commit related repo changes first, then push/pull repos together so submodule gitlinks stay coherent. - PRs should summarize intent, list test commands executed, mention doc updates, and include screenshots or terminal snippets when behavior changes. - Never release or publish without an explicit release command. +- Peekaboo releases: follow `$release-peekaboo`; current Mac + existing 1Password credentials first. App Store Connect changes last resort, only after same-item `notarytool history` and non-S3 `submit` both fail. +- Credentialed release wrappers: `bash -c`, never login shells; profile exports can override ASC IDs and mix credentials. +- Published CLI proof: run `npm exec` from `/tmp`; repo cwd may shadow the downloaded package with a local binary. - During PR triage, keep moving autonomously: fix defects, add obvious scoped features, and rewrite or land what makes sense. - Before landing every PR, run autoreview until no actionable findings remain and fix or rerun CI until green. diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bcbec4..f5cafaaf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Unreleased +### Changed +- Hardened the maintainer release workflow around 1Password credential consistency, non-login shells, and neutral-directory npm verification. + ## [3.5.1] - 2026-06-12 ### Fixed
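Review bot: In the SKILL.md hunk at `@@ -99,10 +99,11`, switching `bash -lc` to `bash -c` only stops the profile from being re-read inside the wrapper; anything already exported in the calling shell is still inherited, which the unchanged `SIGN_IDENTITY` sentence right below the new line already concedes. The added sentence reads as if a non-login shell were sufficient on its own. Suggest wording it as "non-login shell, and check for stale exports in the calling shell", and having the command echo the ASC key ID and issuer ID it resolved (identifiers, not the `.p8` contents) before submitting, so a mixed credential set is visible up front instead of surfacing as the misleading `401`.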
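Review bot: In the SKILL.md hunk at `@@ -114,6 +115,7`, the added `(cd /tmp && npm exec ...)` line runs the published CLI but nothing compares its output to the release version, so the check passes on any exit-0 result and relies on a human reading the number. Suggest capturing the output and failing when it differs from the version being released. Separately, `/tmp` is a shared, world-writable directory; the shadowing concern that the AGENTS.md bullet gives for the repo cwd applies equally to anything another process has left there. A fresh directory from `mktemp -d` is a more defensible "neutral cwd". The same block prints `dist.integrity` without comparing it to the locally built tarball, which would be the natural companion check.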
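Review bot: In the AGENTS.md hunk at `@@ -35,6 +35,9`, the three new bullets restate rules that SKILL.md now carries in full (the `notarytool history` and non-S3 `submit` precondition, `bash -c`, `npm exec` from `/tmp`), so the two files can drift apart on a credential-handling rule. Suggest keeping only the pointer to `$release-peekaboo` here plus one line per rule at most, or marking SKILL.md as the authoritative copy. The first bullet is also hard to parse as written: "same-item" is not defined in this file, and "current Mac + existing 1Password credentials first" does not say what the alternative being ruled out is.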
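Review bot: In the CHANGELOG.md hunk, the new "Changed" entry says the release workflow was "Hardened", but the visible diff touches only SKILL.md, AGENTS.md and CHANGELOG.md; no script or check enforces the non-login shell or the neutral-directory verification. Since the SKILL.md checklist states that the release body is taken from the changelog, this maintainer-only note will also ship in the public release notes. Suggest either dropping it from the user-facing changelog or rewording it as a documentation change to the maintainer release instructions.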