npm - @gianfrancopiana/openclaw-autoresearch - Versions diffs - 1.0.8 → 1.0.9 - Mend

@gianfrancopiana/openclaw-autoresearch 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -132,7 +132,7 @@ npm run smoke:openclaw-host -- /absolute/path/to/openclaw
 npm run smoke:registry-openclaw-host -- <published-version> /absolute/path/to/openclaw
 ```
-Release instructions, including npm 2FA publishing, live in [`RELEASING.md`](RELEASING.md).
+Release instructions, including `npm run release:prepare -- <version> --host /absolute/path/to/openclaw` and GitHub Actions trusted publishing with npm provenance, live in [`RELEASING.md`](RELEASING.md).
 The local test shim supports typechecking and tests without a full OpenClaw host checkout. Runtime behavior depends on a real OpenClaw host, so run the host smoke against a current checkout before release.

package/RELEASING.md CHANGED Viewed

@@ -2,44 +2,55 @@
 ## Prerequisites
-- npm access to `@gianfrancopiana`
-- either npm account 2FA enabled for publishing, or a granular access token with `Bypass 2FA` enabled
+- GitHub release access for `gianfrancopiana/openclaw-autoresearch`
+- npm trusted publishing configured for `@gianfrancopiana/openclaw-autoresearch`
+  - repository: `gianfrancopiana/openclaw-autoresearch`
+  - workflow: `.github/workflows/npm-publish.yml`
+  - environment: `npm`
+- fallback only: local npm publish access with 2FA or a granular publish token
 ## Release
-1. Update the package version in `package.json`, then sync generated metadata:
+1. Prepare the version bump from a clean branch:
    ```bash
-   npm run sync:release-metadata
+   npm run release:prepare -- <version> --host /absolute/path/to/openclaw
    ```
-   If you change the minimum supported OpenClaw version, keep
-   `openclaw.install`, `openclaw.compat`, and `openclaw.build` aligned too.
+   This updates `package.json`, `openclaw.plugin.json`, and `package-lock.json`,
+   syncs generated metadata, checks the matching `v<version>` tag, runs
+   `release:verify`, and smoke-tests against the supplied OpenClaw checkout.
-2. Run the release checks:
+   If you do not have a host checkout available, omit `--host` and run the host
+   smoke before publishing:
    ```bash
-   npm install
-   npm run release:verify
+   npm run smoke:openclaw-host -- /absolute/path/to/openclaw
    ```
-   CI runs the same release verification, and `prepublishOnly` runs it again
-   before `npm publish`.
+   If you change the minimum supported OpenClaw version, keep
+   `openclaw.install`, `openclaw.compat`, and `openclaw.build` aligned too.
+2. Open and merge a PR with the version and metadata changes.
-3. Smoke-test against a current local OpenClaw checkout:
+3. Create and publish the matching GitHub release/tag from `main`:
    ```bash
-   npm run smoke:openclaw-host -- /absolute/path/to/openclaw
+   npm run release:check-tag -- v<version>
+   gh release create v<version> --target main --title v<version> --notes-file release-notes.md
    ```
-4. Publish:
+   Publishing the GitHub release triggers `.github/workflows/npm-publish.yml`,
+   which publishes the package to npm with provenance through GitHub OIDC.
+4. Watch the publish workflow and verify npm:
    ```bash
-   npm publish --otp=123456
+   gh run list --workflow npm-publish.yml --limit 1
+   npm view @gianfrancopiana/openclaw-autoresearch version
+   npm view @gianfrancopiana/openclaw-autoresearch@<version> version
    ```
-   Replace `123456` with the current code from your authenticator app.
 5. Verify the published registry tarball against the same host:
    ```bash
@@ -58,9 +69,27 @@
    pnpm openclaw plugins install @gianfrancopiana/openclaw-autoresearch
    ```
-## Common failure
+## Local fallback
+Prefer the GitHub Actions trusted-publishing workflow. If it is unavailable,
+publish from a clean checkout only:
+```bash
+npm ci
+npm run release:verify
+npm publish --otp=123456
+```
+Replace `123456` with the current code from your authenticator app.
+## Common failures
+If the publish workflow fails because trusted publishing is not configured,
+add the npm trusted publisher for `.github/workflows/npm-publish.yml` and rerun
+the release workflow.
-If `npm publish` fails with `E403` and mentions 2FA or bypass tokens, the current auth on this machine is not sufficient to publish. Either:
+If local `npm publish` fails with `E403` and mentions 2FA or bypass tokens, the
+current auth on this machine is not sufficient to publish. Either:
 - re-run `npm publish --otp=<current-code>`
 - or switch to a granular npm token with publish rights and `Bypass 2FA` enabled

package/openclaw.plugin.json CHANGED Viewed

@@ -13,7 +13,7 @@
       "autoresearch_status"
     ]
   },
-  "version": "1.0.8",
+  "version": "1.0.9",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gianfrancopiana/openclaw-autoresearch",
-  "version": "1.0.8",
+  "version": "1.0.9",
   "description": "Faithful OpenClaw port of pi-autoresearch.",
   "type": "module",
   "main": "./index.ts",
@@ -11,6 +11,8 @@
     "test": "vitest run",
     "validate": "npm run check:release-metadata && npm run typecheck && npm run test",
     "release:verify": "npm run validate && npm pack --dry-run",
+    "release:check-tag": "node ./scripts/check-release-tag.mjs",
+    "release:prepare": "node ./scripts/prepare-release.mjs",
     "prepublishOnly": "npm run release:verify",
     "smoke:openclaw-host": "node ./scripts/smoke-openclaw-host.mjs",
     "smoke:registry-openclaw-host": "node ./scripts/smoke-openclaw-registry.mjs"