From 5cac655a1b99cd984801beeb829f9f4da1ccc634 Mon Sep 17 00:00:00 2001
From: Patrick Erichsen <patrick.a.erichsen@gmail.com>
Date: Tue, 28 Apr 2026 18:51:55 -0700
Subject: [PATCH] ci: enable ClawHub release publishing

---
 .github/workflows/release.yml | 2 --
 AGENTS.md                     | 2 +-
 README.md                     | 5 ++---
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 68c3259..ef0716a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -148,8 +148,6 @@ jobs:
           npm publish "./release-artifacts/${{ needs.validate.outputs.tarball_name }}" --access public --tag "${{ needs.validate.outputs.npm_tag }}"
 
   publish-clawhub:
-    # Disabled until the kitchen-sink package exists in the ClawHub org/registry.
-    if: ${{ false }}
     needs: validate
     permissions:
       contents: read
diff --git a/AGENTS.md b/AGENTS.md
index a573d98..13ce64a 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -8,7 +8,7 @@ Work from repo root. Keep changes small and commit/push them to `main` when aske
 - Trusted publisher: GitHub Actions, repository `openclaw/kitchen-sink`, workflow `release.yml`.
 - Do not publish npm releases locally. Cut releases by bumping `package.json`/`package-lock.json`, syncing generated surface files, pushing `main`, creating an annotated `vX.Y.Z` tag, pushing the tag, then publishing the GitHub release with `gh release create vX.Y.Z --verify-tag --generate-notes --title vX.Y.Z`.
 - The `release.yml` workflow owns npm publishing through OIDC trusted publishing. Keep `permissions.id-token: write`; do not add `NODE_AUTH_TOKEN` or long-lived npm token secrets for publish.
-- ClawHub release publishing is intentionally disabled until the ClawHub package/org setup exists. Keep dry-run CI wired, but do not enable real ClawHub publish without credentials and registry ownership being ready.
+- ClawHub release publishing is enabled through the canonical reusable ClawHub workflow. Keep `permissions.id-token: write` and continue passing the `CLAWHUB_TOKEN` secret for release publishes.
 
 ## Validation
 
diff --git a/README.md b/README.md
index 7fed399..392f82d 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,5 @@ not replace the stable `latest` tag.
 
 Pull requests run a ClawHub package-publish dry run through the canonical
 `openclaw/clawhub` reusable workflow on `main`, so the fixture tests the current
-ClawHub publishing path instead of a vendored copy. Release publishing is wired
-the same way, but remains disabled until the ClawHub org/package ownership for
-this fixture is set up.
+ClawHub publishing path instead of a vendored copy. Releases publish to ClawHub
+through the same canonical workflow after validation.