What:
- let the yolo promote job dispatch the CI workflow after pushing main
- grant the promote job actions:write for workflow_dispatch
Why:
- GitHub suppresses push-triggered workflows created by GITHUB_TOKEN, so yolo-promoted commits otherwise lack a CI run on the final main SHA
Tests:
- scripts/check-flake-lock-owners.sh
- node scripts/select-openclaw-release.test.mjs
- bash -n scripts/update-pins.sh
- ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }' .github/workflows/*.yml
- GITHUB_ACTIONS=true scripts/update-pins.sh select
- nix flake show --accept-flake-config
Co-authored-by: Codex <noreply@openai.com>
What:
- replace the misleading gateway test check with a source-checks build/config-options check
- remove the full upstream Vitest suite from the hard Nix promotion gate
- document that yolo validates the Nix-owned package contract, not upstream source test health
Why:
- the current full packageable upstream release builds as a package but has failing upstream Vitest cases when rebuilt from source
- nix-openclaw should block on packaging, smoke startup, config generation, module activation, and app artifacts rather than an upstream-owned unit test suite
Tests:
- git diff --check
- bash -n scripts/update-pins.sh scripts/hm-activation-macos.sh nix/modules/home-manager/openclaw-launchd-relink.sh nix/scripts/source-checks-build.sh nix/scripts/source-checks-check.sh nix/scripts/config-options-check.sh
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/ci.yml"); YAML.load_file(".github/workflows/yolo-update.yml")'
- nix eval --accept-flake-config --raw .#checks.x86_64-linux.source-checks.drvPath
- nix eval --accept-flake-config --raw .#checks.x86_64-linux.ci.drvPath
- nix flake show --accept-flake-config --all-systems --json
- scripts/check-flake-lock-owners.sh
- node scripts/select-openclaw-release.test.mjs
- scripts/hm-activation-macos.sh
- nix build --accept-flake-config -L .#checks.aarch64-darwin.ci
Blacksmith Linux hung twice during final verification while the same check passed once in between. Move Linux validation back to ubuntu-latest and keep explicit timeouts so the packaging gate favors reliability over runner speed.
Verification: git diff --check; ruby YAML parse
Apply the same timeout discipline to the automated OpenClaw pin updater so release validation cannot hang indefinitely before rewriting main.
Verification: git diff --check; ruby YAML parse
Add explicit CI timeouts around the Linux and macOS packaging gates so a wedged OpenClaw build fails inspectably instead of hanging indefinitely.
Verification: git diff --check; ruby YAML parse
What:
- split the stable-release updater into read-only selection and pin materialization modes
- rewrite yolo into select, validate-linux, validate-macos, and promote jobs
- fail yolo when the newest stable release is incomplete instead of silently sticking
- update maintainer docs to describe the new safe promotion policy
Why:
- stop direct yolo pushes from moving main without the same Linux and macOS proof as CI
- keep mirroring the newest stable release while making broken upstream releases visible
Tests:
- bash -n scripts/update-pins.sh
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/yolo-update.yml"); puts "yaml-ok"'
- GITHUB_ACTIONS=true GH_TOKEN="$(gh auth token)" scripts/update-pins.sh select
- temp copy pinned to v2026.4.11: scripts/update-pins.sh select emits v2026.4.14 tuple
What:
- switch the pin updater from upstream-main commit selection to upstream stable release selection
- restore Yolo Update Pins as an hourly stable-release poller
- update maintainer and README docs to describe stable-release mirroring and the recovery lesson
Why:
- OpenClaw stable is already tag-based upstream, and nix-openclaw should mirror that release line directly
- this removes the old latest-green-main churn model and keeps source + app pins tied to one published upstream release
Tests:
- bash -n scripts/update-pins.sh
- GITHUB_ACTIONS=true GH_TOKEN="$(gh auth token)" scripts/update-pins.sh
What:
- move the Linux CI job to blacksmith-16vcpu-ubuntu-2404
- switch Linux Nix installation to cachix/install-nix-action
Why:
- the recovery line exhausted disk on ubuntu-latest during the Linux aggregator build
- the larger runner kept the normal parallel build graph intact and the cachix installer worked reliably there
Tests:
- final green CI run on main: 24217118174
What:
- restore one visible CI workflow
- add CI concurrency and Linux failure-log dumping
- disable yolo during release recovery
- delete the old split workflow_run files
Why:
- cut away the post-reset churn immediately
- keep one readable contract on main
- prevent any updater mutation during recovery
Tests:
- git diff --check
What:
- set `dontFixup = true` for `openclaw-gateway`
- speed install phase by moving build outputs instead of deep-copying node_modules
- add lightweight dangling-symlink integrity check in gateway install script
- remove `.github/workflows/cache-only.yml`
Why:
- keep the high-value packaging/build speed improvements
- keep one minimal safety guard when fixup is skipped
- remove flaky cache orchestration that adds CI latency and merge-SHA timeout failures
Tests:
- not run locally (per request: CI-only validation due to local NixOS issues)
- will validate via GitHub Actions/Garnix on push to main
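Added illustration, not nix-openclaw's own gateway install script: when `dontFixup = true` skips the stdenv fixup phase, nothing else walks the output tree, so a small integrity check in the install phase is the only thing that catches a moved-but-unresolved `node_modules` symlink. The function below is an assumed, constructed shape of such a check: it lists every symlink under a directory whose target does not resolve and fails the phase if any exist.

```shell
#!/bin/sh
# Constructed example (not the project's code): a minimal dangling-symlink
# integrity check suitable for the end of an installPhase that runs with
# dontFixup = true.

# check_dangling_symlinks DIR
#   Prints every symlink under DIR whose target does not resolve and returns 1
#   if any was found, 0 otherwise.
#   `-type l` selects symlinks without following them; `test -e` follows the
#   link, so `! -exec test -e {} \;` matches exactly the broken ones.
check_dangling_symlinks() {
  dir="$1"
  broken=$(find "$dir" -type l ! -exec test -e {} \; -print)
  if [ -n "$broken" ]; then
    echo "dangling symlinks found under $dir:" >&2
    printf '%s\n' "$broken" >&2
    return 1
  fi
  return 0
}

# Usage at the end of an install phase: sh check-symlinks.sh "$out"
# (the output path is an assumed argument; nothing runs when none is given).
if [ -n "${1-}" ]; then
  check_dangling_symlinks "$1"
fi
```

The check deliberately reports every broken link before failing, so a wedged build shows the full list in the CI log rather than only the first offender.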
Add a Linux nixosTest for Home Manager activation and a macOS CI workflow to run the activation script.
Wire the new Linux check into flake checks and Garnix.
Tests: not run (CI wiring).
What: trigger Cache Only + Config Options Guard via workflow_run on Yolo Update Pins
Why: Yolo uses GITHUB_TOKEN so push workflows don't fire; ensures guardrails run on pin bumps
Tests: not run (CI config change)
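Added illustration, not nix-openclaw's own `ci.yml` or `yolo-update.yml`: the two messages just above and the first message on this page both work around the same GitHub Actions rule, that a push made with the automatic `GITHUB_TOKEN` does not fire `on: push` workflows. The constructed pair of workflows below shows the explicit-dispatch variant from the first message (the `workflow_run` variant in the message above is the alternative). Workflow names, the `sha` input and the job layout are assumptions for the example; the one security-relevant detail is that `actions: write` is granted only to the job that dispatches, while the workflow default stays read-only.

```yaml
# --- .github/workflows/ci.yml (constructed example) ---
name: CI
on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      sha:
        description: "Commit the promote job just pushed (for log correlation)"
        required: false
permissions:
  contents: read
jobs:
  ci:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
      - run: echo "validating ${{ inputs.sha || github.sha }}"

---
# --- .github/workflows/yolo-update.yml (constructed example) ---
name: Yolo Update Pins
on:
  schedule:
    - cron: "0 * * * *"
# Read-only default for every job; elevate per job below.
permissions:
  contents: read
jobs:
  promote:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write   # push the pin bump to main
      actions: write    # required for `gh workflow run` (workflow_dispatch)
    steps:
      - uses: actions/checkout@v4
      - name: Push promoted pins to main
        run: git push origin HEAD:main
      - name: Dispatch CI on the pushed SHA
        # GITHUB_TOKEN pushes do not trigger on: push, so dispatch explicitly.
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          sha=$(git rev-parse HEAD)
          gh workflow run ci.yml --ref main -f sha="$sha"
```

Scoping `actions: write` to the `promote` job keeps the selection and validation jobs unable to start other workflows, and the dispatched run checks out `main` immediately after the push, so the CI status lands on the same SHA that was promoted.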
What:
- bypass DNS lookup in SSRF resolver when MOLTBOT_DNS_BYPASS=1
- set DNS bypass env vars for gateway tests
- update cache-only workflow to moltbot package names
Why:
- fix Garnix gateway-tests in no-DNS environments
- keep cache-only checks aligned with renamed packages
Tests:
- not run (CI/Garnix)