بنقرة واحدة
release-peekaboo
Peekaboo release: notarization, npm/GitHub release, appcast, verify, closeout.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Peekaboo release: notarization, npm/GitHub release, appcast, verify, closeout.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
| name | release-peekaboo |
| description | Peekaboo release: notarization, npm/GitHub release, appcast, verify, closeout. |
| metadata | {"clawdbot":{"emoji":"👁️","requires":{"bins":["pnpm","op","tmux","gh","xcrun","jq","node","npm"]}}} |
Release ~/Projects/Peekaboo as the npm package @steipete/peekaboo plus signed/notarized macOS app assets.
Use $one-password, $browser-use, $npm, $autoreview, and repo AGENTS.md rules. Load $release-private if it exists before resolving Peter-owned credential locators. Read $npm before any npm auth, token, or publish recovery work. Keep all op secret work inside one persistent tmux session. Never print .p8, npm tokens, passwords, or OTPs.
$release-private.key_id, issuer_id, private_key_p8.xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.Sparkle key:
.mac-release.env has the current fallback.SPARKLE_PRIVATE_KEY_FILE for normal releases.Developer ID release keychain:
$release-private.codesign wants to use the release keychain, enter the keychain item password, not the Developer ID .p12 password..p12 while creating the keychain.security unlock-keychain and security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" so codesign can use the identity without GUI prompts.npm publish token:
$release-private.$npm rules. Run inside the same tmux session, write only a temp npmrc, delete it immediately, and use the npmjs TOTP item for web auth if npm prompts.Use the service account from $release-private first. Put the token in the tmux environment without printing it:
# Resolve SERVICE_ACCOUNT_TOKEN from $release-private first.
tmux -S "$SOCKET" set-environment -t "$SESSION" OP_SERVICE_ACCOUNT_TOKEN "$SERVICE_ACCOUNT_TOKEN"
Create a temp env file with service-account refs from $release-private:
APP_STORE_CONNECT_API_KEY_P8=<1Password ref from release-private>
APP_STORE_CONNECT_KEY_ID=<1Password ref from release-private>
APP_STORE_CONNECT_ISSUER_ID=<1Password ref from release-private>
Before a release, verify shape and Apple auth without printing values:
op run --env-file "$ENVFILE" -- bash -c '
set -euo pipefail
KEY_FILE="/tmp/AuthKey_${APP_STORE_CONNECT_KEY_ID}.p8"
printf "%s\n" "$APP_STORE_CONNECT_API_KEY_P8" > "$KEY_FILE"
chmod 600 "$KEY_FILE"
xcrun notarytool history \
--key "$KEY_FILE" \
--key-id "$APP_STORE_CONNECT_KEY_ID" \
--issuer "$APP_STORE_CONNECT_ISSUER_ID" \
--output-format json >/dev/null
rm -f "$KEY_FILE"
'
Peekaboo forces notarytool submit --no-s3-acceleration; the default S3 accelerated upload path can return a misleading 401 even when history auth succeeds.
If both history and non-S3 submit fail, suspect wrong access level or stale key. Browser route:
$browser-use real Chrome profile.https://appstoreconnect.apple.com/access/integrations/api.Peekaboo Release <version> with Admin access..p8 once from the key row.notarytool history; delete ~/Downloads/AuthKey_<key_id>.p8.main; pull ff-only if needed.package.jsonversion.jsonApps/CLI/Sources/Resources/version.jsonCore/PeekabooCore/Sources/PeekabooAgentRuntime/MCP/PeekabooMCPVersion.swiftApps/*CHANGELOG.md and Apps/CLI/CHANGELOG.md for the release.$autoreview before commit unless the change is trivial/docs-only.committer.main.op run --env-file "$ENVFILE" -- \
bash -c 'printf "y\n" | ./scripts/release-binaries.sh --create-github-release --publish-npm'
The script builds universal CLI, npm package, signed/notarized app zip, appcast, checksums, draft GitHub release, and npm publish.
Use a non-login shell: profile exports can replace current 1Password ASC IDs with stale values while leaving the current .p8, producing a misleading 401.
Notarized app releases must sign with Developer ID Application: OpenClaw Foundation (FWJYW4S8P8), not a personal or development identity. The tracked release manifest resolves the shared passwordless signing keychain from the OpenClaw-Core vault; never copy the keychain path or signing material into the repository. The standalone CLI deliberately keeps Developer ID Application: Peter Steinberger (Y5PE65HELJ) for compatibility with pre-3.8 GUI bridge hosts, and the release driver verifies that exact split. Do not migrate the CLI signer without a separate bridge-compatibility plan.
If npm upload is slow and TOTP expires, use the stored npm token through a temp npmrc and complete npm web auth immediately when prompted with the configured TOTP. Do not create granular bypass tokens for this; if one was created by mistake, delete it before closeout.
Required before closeout:
npm view @steipete/peekaboo@<version> version dist-tags dist.tarball dist.integrity time --json
(cd /tmp && npm exec --yes --package=@steipete/peekaboo@<version> -- peekaboo --version)
gh release view v<version> --repo openclaw/Peekaboo --json tagName,isDraft,isPrerelease,url,assets,body
xmllint --noout appcast.xml
git status --short --branch
Confirm:
latest points to it.v<version>.appcast.xml changes are committed and pushed.Unreleased section to root and CLI changelogs.committer "docs(changelog): open <next-version>" CHANGELOG.md Apps/CLI/CHANGELOG.md.git checkout main && git pull --ff-only && git status --short --branch.OP_SERVICE_ACCOUNT_TOKEN, remove temp env/key files, and final with what landed.