openclaw
diff --git a/‎.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs‎
Lines changed: 6 additions & 2 deletions b/‎.agents/skills/openclaw-secret-scanning-maintainer/scripts/secret-scanning.mjs‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs‎
Lines changed: 3 additions & 0 deletions b/‎.agents/skills/openclaw-test-heap-leaks/scripts/heapsnapshot-delta.mjs‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.agents/skills/release-openclaw-ci/scripts/release-ci-summary.mjs‎
Lines changed: 4 additions & 0 deletions b/‎.agents/skills/release-openclaw-ci/scripts/release-ci-summary.mjs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.agents/skills/release-openclaw-ci/scripts/verify-provider-secrets.mjs‎
Lines changed: 4 additions & 0 deletions b/‎.agents/skills/release-openclaw-ci/scripts/verify-provider-secrets.mjs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.agents/skills/release-openclaw-maintainer/SKILL.md‎
Lines changed: 22 additions & 3 deletions b/‎.agents/skills/release-openclaw-maintainer/SKILL.md‎
Lines changed: 22 additions & 3 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/crabbox-hydrate.yml‎
Lines changed: 23 additions & 16 deletions b/‎.github/workflows/crabbox-hydrate.yml‎
Lines changed: 23 additions & 16 deletions
diff --git a/‎.github/workflows/docker-release.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/docker-release.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/openclaw-live-and-e2e-checks-reusable.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/openclaw-live-and-e2e-checks-reusable.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/opengrep-precise.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/opengrep-precise.yml‎
Lines changed: 2 additions & 1 deletion
@@ -1,6 +1,8 @@
 #!/usr/bin/env node
-// Secret scanning alert handler for OpenClaw maintainers.
-// Usage: node secret-scanning.mjs <command> [options]
+/**
+ * Secret scanning alert handler for OpenClaw maintainers.
+ * Usage: node secret-scanning.mjs <command> [options]
+ */
 
 import { spawnSync } from "node:child_process";
 import crypto from "node:crypto";
@@ -57,6 +59,7 @@ function isBodyLocationType(locationType) {
   return locationType === "issue_body" || locationType === "pull_request_body";
 }
 
+/** Decides whether redacting an issue/PR body requires notifying the reporter. */
 export function decideBodyRedaction(currentBody, redactedBody) {
   const bodyChanged = String(currentBody) !== String(redactedBody);
   return {
@@ -65,6 +68,7 @@ export function decideBodyRedaction(currentBody, redactedBody) {
   };
 }
 
+/** Loads redaction-result metadata for issue/PR body secret locations. */
 export function loadBodyRedactionResult(locationType, resultFile) {
   if (!isBodyLocationType(locationType)) {
     return { notify_required: true };
 
@@ -1,4 +1,7 @@
 #!/usr/bin/env node
+/**
+ * Heap snapshot diff utility for OpenClaw test memory leak investigations.
+ */
 
 import fs from "node:fs";
 import path from "node:path";
 
@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+/**
+ * Release CI summary helper that prints parent and child workflow status for a
+ * full release run.
+ */
 import { execFileSync } from "node:child_process";
 import process from "node:process";
 
 
@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+/**
+ * Release preflight helper that verifies required provider API keys can reach
+ * their model-list endpoints without printing secret values.
+ */
 import process from "node:process";
 
 const args = new Map();
 
@@ -111,9 +111,10 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
 - For fallback correction tags like `vYYYY.M.D-N`, the repo version locations still stay at `YYYY.M.D`.
 - “Bump version everywhere” means all version locations above except `appcast.xml`.
 - Release signing and notary credentials live outside the repo in the private maintainer docs.
-- Every stable OpenClaw release ships the npm package and macOS app together.
-  Beta releases normally ship npm/package artifacts first and skip mac app
-  build/sign/notarize unless the operator requests mac beta validation.
+- Every stable OpenClaw release ships the npm package, macOS app, and signed
+  Windows Hub installers together. Beta releases normally ship npm/package
+  artifacts first and skip native app build/sign/notarize/promote unless the
+  operator requests native beta validation.
 - Do not let the slower macOS signing/notary path block npm publication once
   the npm preflight has passed. Keep mac validation/publish running in
   parallel, publish npm from the successful npm preflight, then start published
@@ -143,6 +144,17 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   at `YYYY.M.D`, but the mac release must use a strictly higher numeric
   `APP_BUILD` / Sparkle build than the original release so existing installs
   see it as newer.
+- Stable Windows Hub release closeout requires the signed
+  `OpenClawCompanion-Setup-x64.exe`, `OpenClawCompanion-Setup-arm64.exe`, and
+  `OpenClawCompanion-SHA256SUMS.txt` assets on the canonical
+  `openclaw/openclaw` GitHub Release. Use the public `Windows Node Release`
+  workflow after the matching `openclaw/openclaw-windows-node` release exists;
+  it verifies Authenticode signatures on Windows before uploading assets.
+- Website Windows Hub download links should target exact canonical
+  `openclaw/openclaw/releases/download/vYYYY.M.D/...` assets for the current
+  stable release, or `releases/latest/download/...` only after verifying the
+  redirect resolves to that same tag, so the installable signed Windows artifact
+  is visible from both the GitHub release page and openclaw.ai.
 
 ## Build changelog-backed release notes
 
@@ -178,6 +190,13 @@ Use this skill for release and publish-time workflow. Load `$release-private` if
   `CHANGELOG.md` version section, not highlights or an excerpt. When creating
   or editing a release, extract from `## YYYY.M.D` through the line before the
   next level-2 heading and use that complete block as the release notes.
+- To update an existing GitHub Release body, resolve the numeric release id and
+  patch that resource with the notes file as the `body` field:
+  `gh api repos/openclaw/openclaw/releases/tags/vYYYY.M.D --jq .id`, then
+  `gh api -X PATCH repos/openclaw/openclaw/releases/<id> -F body=@/tmp/notes.md`.
+  Do not trust `gh release edit --notes-file` or `--input` JSON if verification
+  disagrees; verify with `gh api repos/openclaw/openclaw/releases/<id>` because
+  the tag lookup and `gh release view` can lag or show stale body text.
 - When preparing release notes, scan `src/plugins/compat/registry.ts` and
   `src/commands/doctor/shared/deprecation-compat.ts` for compatibility records
   with `warningStarts` or `removeAfter` within 7 days after the release date.
 
@@ -92,7 +92,7 @@ jobs:
             for attempt in 1 2 3; do
               timeout --signal=TERM --kill-after=10s 30s git -C "$GITHUB_WORKSPACE" \
                 -c protocol.version=2 \
-                fetch --no-tags --prune --no-recurse-submodules --depth=1 origin \
+                fetch --no-tags --prune --no-recurse-submodules --depth=2 origin \
                 "+${ref}:refs/remotes/origin/checkout" && return 0
               fetch_status="$?"
               if [ "$fetch_status" != "124" ] && [ "$fetch_status" != "137" ]; then
@@ -146,12 +146,12 @@ jobs:
 
           if [ "${{ github.event_name }}" = "push" ]; then
             BASE="${{ github.event.before }}"
+            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
           else
             BASE="${{ github.event.pull_request.base.sha }}"
+            node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD --merge-head-first-parent
           fi
 
-          node scripts/ci-changed-scope.mjs --base "$BASE" --head HEAD
-
       - name: Build CI manifest
         id: manifest
         env:
 
@@ -32,11 +32,11 @@ permissions:
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
   PNPM_CONFIG_CHILD_CONCURRENCY: "1"
-  PNPM_CONFIG_MODULES_DIR: "/var/tmp/openclaw-pnpm-node-modules"
+  PNPM_CONFIG_MODULES_DIR: "/var/tmp/openclaw-pnpm/node_modules"
   PNPM_CONFIG_NETWORK_CONCURRENCY: "1"
-  PNPM_CONFIG_STORE_DIR: "/var/tmp/openclaw-pnpm-store"
+  PNPM_CONFIG_STORE_DIR: "/var/cache/crabbox/pnpm/store"
   PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN: "false"
-  PNPM_CONFIG_VIRTUAL_STORE_DIR: "/var/tmp/openclaw-pnpm-virtual-store"
+  PNPM_CONFIG_VIRTUAL_STORE_DIR: "/var/tmp/openclaw-pnpm/virtual-store"
 
 jobs:
   hydrate:
@@ -120,18 +120,24 @@ jobs:
           append_pnpm_option_arg PNPM_CONFIG_MODULES_DIR modules-dir
           append_pnpm_option_arg PNPM_CONFIG_NETWORK_CONCURRENCY network-concurrency
           append_pnpm_option_arg PNPM_CONFIG_VIRTUAL_STORE_DIR virtual-store-dir
-          reset_crabbox_pnpm_path() {
-            local path="$1"
-            if [ -z "$path" ]; then
-              return
+          require_safe_writable_dir() {
+            local dir="$1"
+            if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
+              echo "::error::Refusing unsafe pnpm directory: $dir"
+              exit 1
             fi
-            case "$path" in
-              /var/tmp/openclaw-pnpm-*) rm -rf "$path" ;;
-            esac
           }
-          reset_crabbox_pnpm_path "${PNPM_CONFIG_MODULES_DIR:-}"
-          reset_crabbox_pnpm_path "${PNPM_CONFIG_STORE_DIR:-}"
-          reset_crabbox_pnpm_path "${PNPM_CONFIG_VIRTUAL_STORE_DIR:-}"
+          prepare_crabbox_pnpm_dirs() {
+            local volatile_root="/var/tmp/openclaw-pnpm"
+            case "${PNPM_CONFIG_MODULES_DIR:?}" in "$volatile_root"/*) ;; *) echo "::error::PNPM_CONFIG_MODULES_DIR must stay under $volatile_root"; exit 1 ;; esac
+            case "${PNPM_CONFIG_VIRTUAL_STORE_DIR:?}" in "$volatile_root"/*) ;; *) echo "::error::PNPM_CONFIG_VIRTUAL_STORE_DIR must stay under $volatile_root"; exit 1 ;; esac
+            rm -rf -- "$volatile_root"
+            mkdir -p "$volatile_root" "$PNPM_CONFIG_STORE_DIR"
+            require_safe_writable_dir "$volatile_root"
+            require_safe_writable_dir "$PNPM_CONFIG_STORE_DIR"
+            mkdir -p "$PNPM_CONFIG_MODULES_DIR" "$PNPM_CONFIG_VIRTUAL_STORE_DIR"
+          }
+          prepare_crabbox_pnpm_dirs
           if [ -L node_modules ] && [ "$(readlink node_modules)" = "${PNPM_CONFIG_MODULES_DIR:-}" ]; then
             rm -f node_modules
           fi
@@ -372,9 +378,10 @@ jobs:
           $env:XDG_CACHE_HOME = Join-Path $cacheRoot "cache"
           $env:COREPACK_HOME = Join-Path $env:XDG_CACHE_HOME "corepack"
           $env:PNPM_HOME = Join-Path $cacheRoot "pnpm-home"
-          $env:PNPM_CONFIG_STORE_DIR = Join-Path $cacheRoot "openclaw-pnpm-store"
-          $env:PNPM_CONFIG_MODULES_DIR = Join-Path $cacheRoot "openclaw-pnpm-node-modules"
-          $env:PNPM_CONFIG_VIRTUAL_STORE_DIR = Join-Path $env:PNPM_CONFIG_MODULES_DIR ".pnpm"
+          $pnpmCacheRoot = Join-Path $cacheRoot "openclaw-pnpm"
+          $env:PNPM_CONFIG_STORE_DIR = Join-Path $pnpmCacheRoot "store"
+          $env:PNPM_CONFIG_MODULES_DIR = Join-Path $pnpmCacheRoot "node_modules"
+          $env:PNPM_CONFIG_VIRTUAL_STORE_DIR = Join-Path $pnpmCacheRoot "virtual-store"
           $env:PNPM_CONFIG_CHILD_CONCURRENCY = "4"
           $env:PNPM_CONFIG_NETWORK_CONCURRENCY = "8"
           $env:PNPM_CONFIG_VERIFY_DEPS_BEFORE_RUN = "false"
 
@@ -4,6 +4,7 @@ on:
   push:
     tags:
       - "v*"
+      - "!v*-alpha.*"
     paths-ignore:
       - "docs/**"
       - "**/*.md"
@@ -38,7 +39,11 @@ jobs:
           RELEASE_TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
-          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-(alpha|beta)\.[1-9][0-9]*)?$ ]]; then
+          if [[ "${RELEASE_TAG}" == *"-alpha."* ]]; then
+            echo "Docker alpha image publishing is disabled."
+            exit 1
+          fi
+          if [[ ! "${RELEASE_TAG}" =~ ^v[0-9]{4}\.[1-9][0-9]*\.[1-9][0-9]*(-beta\.[1-9][0-9]*)?$ ]]; then
             echo "Invalid release tag: ${RELEASE_TAG}"
             exit 1
           fi
 
@@ -563,7 +563,7 @@ jobs:
     needs: validate_selected_ref
     if: inputs.include_repo_e2e && inputs.live_suite_filter == ''
     continue-on-error: ${{ inputs.advisory }}
-    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-8vcpu-ubuntu-2404' }}
+    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
     timeout-minutes: ${{ inputs.release_test_profile == 'full' && 90 || 60 }}
     env:
       OPENCLAW_VITEST_MAX_WORKERS: "2"
@@ -595,7 +595,7 @@ jobs:
     needs: validate_selected_ref
     if: inputs.include_repo_e2e && (inputs.live_suite_filter == '' || inputs.live_suite_filter == 'openshell-e2e')
     continue-on-error: ${{ inputs.advisory }}
-    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-8vcpu-ubuntu-2404' }}
+    runs-on: ${{ inputs.use_github_hosted_runners && 'ubuntu-24.04' || 'blacksmith-32vcpu-ubuntu-2404' }}
     timeout-minutes: ${{ matrix.timeout_minutes }}
     strategy:
       fail-fast: false
 
@@ -44,7 +44,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
-          fetch-depth: 1
+          fetch-depth: 2
           fetch-tags: false
           persist-credentials: false
           submodules: false
@@ -74,6 +74,7 @@ jobs:
       - name: Run opengrep on PR diff
         env:
           OPENCLAW_OPENGREP_BASE_REF: ${{ github.event.pull_request.base.sha }}...HEAD
+          OPENCLAW_OPENGREP_MERGE_HEAD_FIRST_PARENT: "1"
         # Findings from precise rules block this workflow. Pull requests scan
         # changed first-party source paths only so findings stay attributable to
         # the PR diff. Test/fixture/QA path exclusions live in `.semgrepignore`