diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68c3259..ef0716a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -148,8 +148,6 @@ jobs: npm publish "./release-artifacts/${{ needs.validate.outputs.tarball_name }}" --access public --tag "${{ needs.validate.outputs.npm_tag }}" publish-clawhub: - # Disabled until the kitchen-sink package exists in the ClawHub org/registry. - if: ${{ false }} needs: validate permissions: contents: read diff --git a/AGENTS.md b/AGENTS.md index a573d98..13ce64a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -8,7 +8,7 @@ Work from repo root. Keep changes small and commit/push them to `main` when aske - Trusted publisher: GitHub Actions, repository `openclaw/kitchen-sink`, workflow `release.yml`. - Do not publish npm releases locally. Cut releases by bumping `package.json`/`package-lock.json`, syncing generated surface files, pushing `main`, creating an annotated `vX.Y.Z` tag, pushing the tag, then publishing the GitHub release with `gh release create vX.Y.Z --verify-tag --generate-notes --title vX.Y.Z`. - The `release.yml` workflow owns npm publishing through OIDC trusted publishing. Keep `permissions.id-token: write`; do not add `NODE_AUTH_TOKEN` or long-lived npm token secrets for publish. -- ClawHub release publishing is intentionally disabled until the ClawHub package/org setup exists. Keep dry-run CI wired, but do not enable real ClawHub publish without credentials and registry ownership being ready. +- ClawHub release publishing is enabled through the canonical reusable ClawHub workflow. Keep `permissions.id-token: write` and continue passing the `CLAWHUB_TOKEN` secret for release publishes. ## Validation diff --git a/README.md b/README.md index 7fed399..392f82d 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,5 @@ not replace the stable `latest` tag. Pull requests run a ClawHub package-publish dry run through the canonical `openclaw/clawhub` reusable workflow on `main`, so the fixture tests the current -ClawHub publishing path instead of a vendored copy. Release publishing is wired -the same way, but remains disabled until the ClawHub org/package ownership for -this fixture is set up. +ClawHub publishing path instead of a vendored copy. Releases publish to ClawHub +through the same canonical workflow after validation.