fix: let ClawHub dry runs skip publish approval

[Patrick-Erichsen]

Summary

• Skip the protected clawhub-plugin-release environment approval when plugin-clawhub-release.yml is dispatched with dry_run=true.
• Keep real publishes gated on the approval job.
• Keep the reusable ClawHub publish job dependent on successful artifact packing, and allow it to run for dry-runs without approval.

Verification

• ./node_modules/.bin/vitest run --config test/vitest/vitest.tooling.config.ts test/scripts/package-acceptance-workflow.test.ts
• Dry-run proof: https://github.com/openclaw/openclaw/actions/runs/27182518869
  • publish_plugins_clawhub succeeded with dry_run: true.
  • approve_plugin_clawhub_release skipped.
  • verify_published_clawhub_package skipped.
  • Fake dry-run version @openclaw/brave-plugin@2026.6.99-beta.1 still returns 404 from ClawHub.

[clawsweeper]

Codex review: found issues before merge. Reviewed June 9, 2026, 12:02 AM ET / 04:02 UTC.

Summary
The PR changes the ClawHub plugin release workflow so dry-run dispatches skip the protected publish approval job while real publishes still require approval, and adds workflow-string assertions.

PR surface: Tests +4, Config 0. Total +4 across 2 files.

Reproducibility: yes. Current main shows the publish job depends on the approval job, and the linked dry-run proof shows the intended after-change scheduling with approval skipped and publish completed.

Review metrics: 1 noteworthy metric.

• Protected release gate behavior: 1 dry-run approval bypass added. This is the central behavior change and it affects a workflow path that currently receives a publish credential.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🐚 platinum hermit ✨ media proof bonus
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Prevent CLAWHUB_TOKEN from being passed to approval-less dry-run publish jobs.
• Tighten the workflow assertion so it specifically verifies the approval-job dry-run condition and no-secret dry-run path.

Risk before merge

• [P1] Dry-run dispatch would bypass the protected clawhub-plugin-release approval while still passing secrets.CLAWHUB_TOKEN into the pinned reusable publish workflow.
• [P1] The added inputs.dry_run != true assertion is broad enough to pass because the workflow already had that string in the verify job, so it does not specifically protect the approval-gate condition.

Maintainer options:

1. Strip the token from dry runs (recommended)
   Pass an empty clawhub_token or split a no-secret dry-run job so approval-less dry runs cannot materialize CLAWHUB_TOKEN.
2. Keep approval for token-backed dry runs
   If maintainers want dry runs to exercise the token-backed publish path, keep the protected approval requirement for that mode and document the reason.

Next step before merge

• [P2] The remaining blocker is a release secret/approval boundary decision plus a small workflow repair, so maintainer review should choose the intended token behavior before automation proceeds.

Security
Needs attention: The diff introduces a concrete secret-boundary concern by skipping protected approval while still forwarding the ClawHub publish token.

Review findings

• [P1] Withhold the ClawHub token from approval-less dry runs — .github/workflows/plugin-clawhub-release.yml:443

Review details

Best possible solution:

Keep the dry-run approval skip, but make the approval-less dry-run path call ClawHub without a publish token while real publishes continue to require the protected environment.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main shows the publish job depends on the approval job, and the linked dry-run proof shows the intended after-change scheduling with approval skipped and publish completed.

Is this the best way to solve the issue?

No, not as submitted. The always() condition fixes the skipped-needs behavior, but the approval-less path should not receive CLAWHUB_TOKEN unless maintainers explicitly accept that security boundary change.

Full review comments:

• [P1] Withhold the ClawHub token from approval-less dry runs — .github/workflows/plugin-clawhub-release.yml:443
  This lets publish_plugins_clawhub run when inputs.dry_run == true without the protected approval job, but the job still passes secrets.CLAWHUB_TOKEN to the reusable ClawHub workflow. The pinned workflow writes a ClawHub config whenever that secret is present, even on dry runs, so this changes the approval boundary for the publish token. Split the dry-run path or pass an empty token for dry runs while keeping real publishes gated.
  Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.9

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9fdd56da2106.

Label changes

Label changes:

• add P1: The PR touches release automation and currently changes a secret/approval boundary in the ClawHub publish path.
• add merge-risk: 🚨 security-boundary: Merging as-is would allow a dry-run publish job to run without the protected environment while still receiving the ClawHub publish token.
• add proof: sufficient: Contributor real behavior proof is sufficient. The PR body links a real GitHub Actions dry-run, and the public run page shows the approval job skipped and the publish matrix completed successfully.
• add rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
• add status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (linked_artifact): The PR body links a real GitHub Actions dry-run, and the public run page shows the approval job skipped and the publish matrix completed successfully.

Label justifications:

• P1: The PR touches release automation and currently changes a secret/approval boundary in the ClawHub publish path.
• merge-risk: 🚨 security-boundary: Merging as-is would allow a dry-run publish job to run without the protected environment while still receiving the ClawHub publish token.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🐚 platinum hermit and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (linked_artifact): The PR body links a real GitHub Actions dry-run, and the public run page shows the approval job skipped and the publish matrix completed successfully.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body links a real GitHub Actions dry-run, and the public run page shows the approval job skipped and the publish matrix completed successfully.

Evidence reviewed

PR surface:

Tests +4, Config 0. Total +4 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	0	0	0	0
Tests	1	4	0	+4
Docs	0	0	0	0
Config	1	2	2	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	6	2	+4

Security concerns:

• [high] Approval-less dry runs still receive CLAWHUB_TOKEN — .github/workflows/plugin-clawhub-release.yml:443
  The caller continues to map secrets.CLAWHUB_TOKEN into the reusable publish workflow, whose pinned implementation writes a token config whenever the secret is present; dry runs should avoid receiving that secret if they bypass approval.
  Confidence: 0.9

What I checked:

• Repository policy: Full root AGENTS.md and scoped test/AGENTS.md were read; the root policy treats release workflows, secrets, and approval gates as security-sensitive review surfaces. (AGENTS.md:1, 9fdd56da2106)
• Current main behavior: On current main, publish_plugins_clawhub depends on approve_plugin_clawhub_release, and the approval job has the protected clawhub-plugin-release environment. (.github/workflows/plugin-clawhub-release.yml:431, 9fdd56da2106)
• PR diff: The PR skips approve_plugin_clawhub_release when inputs.dry_run != true is false and uses always() so publish_plugins_clawhub can still run when dry-run approval is skipped. (.github/workflows/plugin-clawhub-release.yml:443, 5be0e953bf6d)
• Reusable ClawHub workflow contract: The pinned ClawHub reusable workflow accepts optional clawhub_token, skips token validation for dry runs, but still writes a ClawHub config whenever the token is supplied. (openclaw/clawhub:.github/workflows/package-publish.yml:194, c9bb13023598)
• Real dry-run proof: The public Actions HTML for run 27182518869 shows approve_plugin_clawhub_release skipped and the publish_plugins_clawhub matrix completed successfully. (5be0e953bf6d)
• History provenance: The current ClawHub reusable publish path was introduced in feat: dogfood reusable ClawHub package publish; the release orchestration around child approval was carried by earlier release workflow work. (.github/workflows/plugin-clawhub-release.yml:431, e8cf6df3a358)

Likely related people:

• Patrick-Erichsen: Current main blame shows Patrick Erichsen introduced the reusable ClawHub package publish workflow section that this PR modifies. (role: recent area contributor; confidence: high; commits: e8cf6df3a358; files: .github/workflows/plugin-clawhub-release.yml, test/scripts/package-acceptance-workflow.test.ts)
• Vincent Koc: Blame shows Vincent Koc authored the surrounding release-publish orchestration and much of the workflow guard test this change extends. (role: adjacent release workflow contributor; confidence: medium; commits: ff5fac143973, 5f6ee9f913c7; files: .github/workflows/openclaw-release-publish.yml, test/scripts/package-acceptance-workflow.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.