fix(ci): include ACPX in shared live-test image#91879

Merged: vincentkoc merged 2 commits into main from clownfish/clawsweeper-commit-openclaw-openclaw-806a0119f3cd on Jun 10, 2026
@openclaw-clownfish

Contributor

Summary

  • build the shared live-test Docker image with both matrix and acpx bundled
  • keep live-acp-bind-docker compatible with OPENCLAW_SKIP_DOCKER_BUILD=1 when it reuses the shared image
  • leave the current Codex harness path unchanged because current main already forces a rebuild after appending codex

Validation

  • pnpm check:workflows
  • pnpm check:changed

Source: Clownfish commit finding for 806a011

Clownfish 🐠 replacement reef notes:

  • Cluster: clawsweeper-commit-openclaw-openclaw-806a0119f3cd
  • Source PRs: none
  • Credit: Source finding: ClawSweeper commit report for openclaw/openclaw commit 806a011. No contributor PR is being replaced; source_prs is intentionally empty. CI-only release validation fix; no user-facing changelog entry is required.
  • Validation: pnpm check:workflows; pnpm check:changed

fish notes: model gpt-5.5, reasoning xhigh; reviewed against daa396a.

openclaw-clownfish (bot) added the labels clownfish (Tracked by Clownfish automation) and clownfish:commit-finding (PR created from a ClawSweeper commit finding) on Jun 10, 2026.
openclaw-barnacle (bot) added the labels size: XS and triage: risky-infra (Candidate: infra/CI/release change needs maintainer review.) on Jun 10, 2026.

@clawsweeper

clawsweeper Bot commented Jun 10, 2026

Contributor

Codex review: needs maintainer review before merge. Reviewed June 10, 2026, 3:37 AM ET / 07:37 UTC.

Summary
The PR changes the reusable live/e2e workflow so the shared live-test Docker image is built and tagged for both matrix and acpx.

PR surface: Config +3. Total +3 across 1 file.

Reproducibility: yes. Source inspection shows current main builds the shared live image with only matrix while the ACP bind suite runs with OPENCLAW_SKIP_DOCKER_BUILD=1 and needs acpx, so a reused shared image can miss the ACPX plugin.

Review metrics: 1 noteworthy metric.

  • Shared image recipe: 1 tag key changed, 1 build-arg source changed. The workflow will build or pull a new matrix-acpx GHCR image variant instead of reusing a matrix-only live-test image.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Run or inspect an affected live-acp-bind-docker or shared live-test image workflow once if maintainers want GHCR-level proof before merge.

Risk before merge

  • [P1] This changes release/live workflow automation and the GHCR shared-image cache key; normal workflow syntax checks do not fully prove the actual build/pull reuse path until an affected live run exercises it.

Maintainer options:

  1. Prove the affected live image path (recommended)
    Run pnpm check:workflows and, if release confidence is needed before merge, an affected live-acp-bind-docker or shared live-test image path that shows the matrix-acpx image is built or pulled.
  2. Accept as a narrow CI repair
    Maintainers can merge after normal required checks if they accept that the GHCR build/reuse path is fully proven by the next live release run.

Next step before merge

  • [P2] No repair lane is needed; no patch defect was found and the remaining action is normal workflow/live validation before merge.

Security
Cleared: The diff changes an existing pinned workflow's image tag and build args only; it adds no new actions, permissions, secrets, downloads, or unpinned code execution.

Review details

Best possible solution:

Land the narrow workflow repair after workflow validation, with an affected live ACP/shared-image run if maintainers want GHCR-level proof before merge.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main builds the shared live image with only matrix while the ACP bind suite runs with OPENCLAW_SKIP_DOCKER_BUILD=1 and needs acpx, so a reused shared image can miss the ACPX plugin.

Is this the best way to solve the issue?

Yes. Centralizing the matrix,acpx image recipe in the shared image step and suffixing the tag is narrower than per-suite rebuilds and avoids reusing older matrix-only images.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 9408380ae729.

Label changes

Label changes:

  • add P2: This is a normal-priority CI/release validation repair with limited runtime blast radius but a real affected live-test path.
  • add merge-risk: 🚨 automation: The diff changes reusable workflow image tagging and build arguments, so the main remaining risk is release/live CI automation behavior rather than application code.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Contributor real-behavior proof gate is not applicable because this is an OpenClaw bot PR; the body reports workflow checks, but no external contributor setup proof is required.

Label justifications:

  • P2: This is a normal-priority CI/release validation repair with limited runtime blast radius but a real affected live-test path.
  • merge-risk: 🚨 automation: The diff changes reusable workflow image tagging and build arguments, so the main remaining risk is release/live CI automation behavior rather than application code.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Contributor real-behavior proof gate is not applicable because this is an OpenClaw bot PR; the body reports workflow checks, but no external contributor setup proof is required.

Evidence reviewed

PR surface:

Config +3. Total +3 across 1 file.

PR surface stats:

Area       Files  Added  Removed  Net
Source     0      0      0        0
Tests      0      0      0        0
Docs       0      0      0        0
Config     1      5      2        +3
Generated  0      0      0        0
Other      0      0      0        0
Total      1      5      2        +3

What I checked:

  • Current main builds matrix-only shared live image: The reusable workflow currently resolves the shared live-test image as the selected SHA alone and builds it with OPENCLAW_EXTENSIONS=matrix, so a preexisting shared image can lack ACPX. (.github/workflows/openclaw-live-and-e2e-checks-reusable.yml:1596, 9408380ae729)
  • ACP bind path requires ACPX but reuses the shared image: The ACP bind Docker suite appends acpx before invoking the live build helper, while the workflow supplies OPENCLAW_LIVE_IMAGE and OPENCLAW_SKIP_DOCKER_BUILD=1; the helper exits after inspecting or pulling the shared image, so it does not rebuild to add ACPX when the shared image already exists. (scripts/test-live-acp-bind-docker.sh:274, 9408380ae729)
  • PR uses one extension list for tag and build args: At the PR head, the workflow defines live_image_extensions="matrix,acpx", suffixes the image tag with matrix-acpx, exports that value, and feeds it into the Docker build arg. (.github/workflows/openclaw-live-and-e2e-checks-reusable.yml:1596, daa396a47c08)
  • Dockerfile contract supports comma-separated extension lists: The Dockerfile documents and parses comma- or space-separated OPENCLAW_EXTENSIONS, so matrix,acpx is accepted by the existing build contract. (Dockerfile:1, 9408380ae729)
  • Adjacent release-path scheduler already expects ACPX in live-test builds: The local release-path scheduler appends matrix, acpx, and codex to the shared live-test build environment, supporting the PR's direction for ACPX-capable shared images. (scripts/test-docker-all.mjs:1335, 9408380ae729)
  • History and ownership provenance: Blame ties the current shared live-test workflow and ACPX append behavior to recent work by Shakker; the source regression context references Peter Steinberger's earlier shared-image reuse commit. (.github/workflows/openclaw-live-and-e2e-checks-reusable.yml:1567, 09854d9de740)

Likely related people:

  • shakkernerd: Current blame for the shared live-test workflow, ACPX bind script hook, and scheduler extension list points to recent work by Shakker on the affected live Docker/ACP paths. (role: recent area contributor; confidence: high; commits: 09854d9de740; files: .github/workflows/openclaw-live-and-e2e-checks-reusable.yml, scripts/test-live-acp-bind-docker.sh, scripts/test-docker-all.mjs)
  • steipete: The PR body's source finding and local commit history point to Peter Steinberger's shared live-test Docker image reuse commit as the older behavior this PR repairs. (role: introduced shared-image behavior; confidence: medium; commits: 806a0119f3cd; files: .github/workflows/openclaw-live-and-e2e-checks-reusable.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

clawsweeper (bot) added the labels rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.), status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.), P2 (Normal backlog priority with limited blast radius.) and merge-risk: 🚨 automation (🚨 May affect CI, automerge, proof capture, label sync, or maintainer automation.) on Jun 10, 2026.
vincentkoc self-assigned this on Jun 10, 2026.

@vincentkoc

Member

Maintainer pre-merge proof for #91879:

  • ProjectClownfish executor opened this PR from clownfish/clawsweeper-commit-openclaw-openclaw-806a0119f3cd at daa396a47c081232bc8594ed7a5e5ff089652cb2.
  • Executor merge preflight passed: scoped security cleared, no unresolved review threads, Codex /review passed, and pnpm check:changed passed on the target branch.
  • GitHub checks are clean at the same head SHA: 130 passed, 18 skipped/neutral, 0 pending. The only canceled checks are superseded auto-response / real-behavior-proof duplicates.
  • ClawSweeper found no patch defect; it marked this ready for maintainer review and called out optional GHCR/live-path proof. I am accepting the narrow workflow repair without waiting for a full live release run because the diff only changes the shared image extension list/tag and the next live run is the real end-to-end proof.

Merging by squash.

vincentkoc merged commit db5b883 into main on Jun 10, 2026 (203 of 214 checks passed).
vincentkoc deleted the clownfish/clawsweeper-commit-openclaw-openclaw-806a0119f3cd branch on June 10, 2026 07:40.
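
The reuse gap discussed in this thread (a matrix-only shared image picked up by a suite that needs acpx while the Docker build is skipped) comes down to a cache key that does not encode what was built. The sketch below is an added example, not the PR's workflow code; the function names, the "<sha>-<ext>-<ext>" tag layout and the sample SHA are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's workflow). Function names and the
# "<sha>-<ext>-<ext>" tag layout are assumptions made for illustration.

# Split a comma- or space-separated extension list into one name per line,
# dropping empties and duplicates while keeping first-seen order.
normalize_extensions() {
  printf '%s\n' "$1" | tr ', ' '\n\n' | awk 'NF && !seen[$0]++'
}

# Build a cache tag that changes whenever the extension list changes, so an
# image built with fewer extensions never satisfies a lookup for more.
image_tag_for() {
  sha=$1
  suffix=$(normalize_extensions "$2" | paste -sd- -)
  if [ -n "$suffix" ]; then
    printf '%s-%s\n' "$sha" "$suffix"
  else
    printf '%s\n' "$sha"
  fi
}

# Print every required extension that is absent from the baked list.
missing_extensions() {
  required=$1
  baked=$(normalize_extensions "$2")
  normalize_extensions "$required" | while IFS= read -r ext; do
    printf '%s\n' "$baked" | grep -qxF -- "$ext" || printf '%s\n' "$ext"
  done
}

# Succeed only when a prebuilt image covers what the suite needs; a
# skip-build path should run this check before trusting the shared image.
can_reuse_image() {
  [ -z "$(missing_extensions "$1" "$2")" ]
}

# Constructed inputs: a matrix-only image reused by a suite that needs acpx.
if ! can_reuse_image "matrix acpx" "matrix"; then
  echo "refusing reuse: image lacks $(missing_extensions 'matrix acpx' 'matrix')" >&2
fi
image_tag_for "0123abc" "matrix,acpx"
```

Keeping list order in the tag means "acpx,matrix" and "matrix,acpx" produce different tags, which costs a cache miss but never a wrong reuse.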