원클릭으로
release-openclaw-mac
Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Create, edit, audit, tidy, validate, or restructure AgentSkills and SKILL.md files.
QQ channel management skill. Use qqbot_channel_api for explicit QQ channel-management requests; confirm write, delete, and bulk actions before calling authenticated QQ Open Platform endpoints.
QQBot rich media send and receive support. Use <qqmedia> tags only for explicit media send/view requests, treating inbound attachment paths as private current-conversation context.
QQBot scheduled reminders. Use only for explicit user requests to create, list, or cancel one-time or recurring QQ reminders; ask for missing time, content, or timezone before scheduling.
Manage OpenClaw GitHub Actions and Blacksmith CI capacity, runner-registration budgets, fanout caps, main-push debounce, shard sizing, hosted-runner offload, queue health, and safe ramp-down/ramp-up changes. Use when tuning `.github/workflows/*`, `docs/ci.md`, CI runner labels, matrix `max-parallel`, ClawSweeper/Blacksmith burst protection, CodeQL runner placement, or investigating slow/queued OpenClaw CI.
Prepare or verify OpenClaw stable/beta releases, changelogs, release notes, publish commands, and artifacts.
| name | release-openclaw-mac |
| description | Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion. |
Use with $release-openclaw-maintainer, $release-openclaw-ci, $one-password, and $release-private if it exists when stable macOS assets, release-ops mac preflight, notarization, appcast promotion, or mac release recovery is involved.
$release-private.private_key_p8, key_id, issuer_id.xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.xcrun notarytool history before setting GitHub secrets.$one-password: all op work inside one persistent tmux session, no secret output.$release-private when available.op whoami; never print token values.OP_BIOMETRIC_UNLOCK_ENABLED=false for the manual op account add --signin path.Target release-ops repo environment: openclaw/releases, env mac-release.
Set only after local notary auth validation:
APP_STORE_CONNECT_API_KEY_P8APP_STORE_CONNECT_KEY_IDAPP_STORE_CONNECT_ISSUER_IDDo not update these from mixed sources. All three ASC fields must come from the same 1Password item.
openclaw/openclaw is the public product repo. Its GitHub Releases page is
where macOS assets are ultimately attached.openclaw/openclaw macos-release.yml is public handoff validation only.
It never signs, notarizes, or uploads macOS assets, regardless of
preflight_only.openclaw/releases is the restricted release-ops repo. Its macOS workflows
sign, notarize, validate, and promote assets onto the
openclaw/openclaw GitHub release.source_ref=release/YYYY.M.PATCH for release-ops mac preflight/validation when building that branch variation.tag=vYYYY.M.PATCH pointing at the original stable release commit.mac-release
environment in the build_sign_and_package job. Operators may be able to
trigger the workflow while Vincent or another environment reviewer approves
the paused deployment before signing/notarization/promotion proceeds.source_ref; promotion rejects mismatched proof.scripts/notarize-mac-artifact.sh.xcrun notarytool submit should use --no-s3-acceleration; accelerated upload can surface misleading 401s even when notarytool history succeeds.Public handoff validation:
gh workflow run macos-release.yml --repo openclaw/openclaw \
--ref release/YYYY.M.PATCH \
-f tag=vYYYY.M.PATCH \
-f preflight_only=true \
-f public_release_branch=release/YYYY.M.PATCH
release/YYYY.M.PATCH, matching prior stable macOS handoff runs.--ref main or --ref vYYYY.M.PATCH for this public handoff
validation. The workflow checks out the tag from the tag input internally.Release-ops preflight:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f source_ref=release/YYYY.M.PATCH \
-f preflight_only=true \
-f smoke_test_only=false \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.PATCH
Wait for the run to reach the mac-release environment approval if GitHub
pauses it, then get approval from Vincent or another configured environment
reviewer. Record the successful preflight run id.
Release-ops validation for a branch-variation preflight:
gh workflow run openclaw-macos-validate.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f source_ref=release/YYYY.M.PATCH
Record the successful validation run id.
Real publish:
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases --ref main \
-f tag=vYYYY.M.PATCH \
-f preflight_only=false \
-f smoke_test_only=false \
-f preflight_run_id=<successful-preflight-run> \
-f validate_run_id=<successful-validation-run> \
-f allow_late_calver_recovery=false \
-f public_release_branch=release/YYYY.M.PATCH
Wait for the mac-release environment approval again if GitHub pauses the real
publish run before it promotes assets.
openclaw/releases publish/validate workflows run from their own
trusted main workflow ref. Real publish has a guard that rejects any other
workflow ref. That displayed main ref is expected; the public OpenClaw
source is selected by tag and optional source_ref.gh release view vYYYY.M.PATCH --repo openclaw/openclaw shows zip, dmg, dSYM zip, not draft, not prerelease.main appcast.xml points at OpenClaw-YYYY.M.PATCH.zip.sparkle:version, sparkle:shortVersionString, length, and sparkle:edSignature.