release-openclaw-mac
Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion.
| name | release-openclaw-mac |
| description | Run or recover OpenClaw macOS release signing, notarization, appcast, and asset promotion. |
Use with $release-openclaw-maintainer, $release-openclaw-ci, $one-password, and $release-private if it exists when stable macOS assets, private mac preflight, notarization, appcast promotion, or mac release recovery is involved.
- $release-private.
- private_key_p8, key_id, issuer_id.
- xcrun notarytool submit fails with HTTP status code: 401. Unauthenticated.
- xcrun notarytool history before setting GitHub secrets.
- $one-password: all op work inside one persistent tmux session, no secret output.
- $release-private when available.
- op whoami; never print token values.
- OP_BIOMETRIC_UNLOCK_ENABLED=false for the manual op account add --signin path.

Target private repo environment: openclaw/releases-private, env mac-release.
Set only after local notary auth validation:
- APP_STORE_CONNECT_API_KEY_P8
- APP_STORE_CONNECT_KEY_ID
- APP_STORE_CONNECT_ISSUER_ID

Do not update these from mixed sources. All three ASC fields must come from the same 1Password item.
- source_ref=release/YYYY.M.D for private mac preflight/validation when building that branch variation.
- tag=vYYYY.M.D pointing at the original stable release commit.
- source_ref; promotion rejects mismatched proof.
- scripts/notarize-mac-artifact.sh.
- xcrun notarytool submit should use --no-s3-acceleration; accelerated upload can surface misleading 401s even when notarytool history succeeds.

Private preflight:
```bash
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
  -f tag=vYYYY.M.D \
  -f source_ref=release/YYYY.M.D \
  -f preflight_only=true \
  -f smoke_test_only=false \
  -f allow_late_calver_recovery=false \
  -f public_release_branch=release/YYYY.M.D
```
Private validation for a branch-variation preflight:
```bash
gh workflow run openclaw-macos-validate.yml --repo openclaw/releases-private --ref main \
  -f tag=vYYYY.M.D \
  -f source_ref=release/YYYY.M.D
```
Real publish:
```bash
gh workflow run openclaw-macos-publish.yml --repo openclaw/releases-private --ref main \
  -f tag=vYYYY.M.D \
  -f preflight_only=false \
  -f smoke_test_only=false \
  -f preflight_run_id=<successful-preflight-run> \
  -f validate_run_id=<successful-validation-run> \
  -f allow_late_calver_recovery=false \
  -f public_release_branch=release/YYYY.M.D
```
- gh release view vYYYY.M.D --repo openclaw/openclaw shows zip, dmg, dSYM zip, not draft, not prerelease.
- main appcast.xml points at OpenClaw-YYYY.M.D.zip.
- sparkle:version, sparkle:shortVersionString, length, and sparkle:edSignature.
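
The appcast checks listed above can be scripted. This is an added example, not OpenClaw's own tooling: `check_appcast` and the sample feed are hypothetical, and it assumes the standard Sparkle layout (an `<item>` with an `<enclosure>`, version fields as item children or enclosure attributes). It checks only that `sparkle:edSignature` has the shape of an Ed25519 signature, not that it verifies against the public key.

```python
import base64
import xml.etree.ElementTree as ET

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

def _sparkle(name):
    return f"{{{SPARKLE_NS}}}{name}"

def check_appcast(xml_text, version, zip_size=None):
    """Return the problems found in the appcast item that ships `version`."""
    expected_zip = f"OpenClaw-{version}.zip"
    for item in ET.fromstring(xml_text).iter("item"):
        enc = item.find("enclosure")
        if enc is not None and enc.get("url", "").rsplit("/", 1)[-1] == expected_zip:
            break
    else:
        return [f"no item with enclosure {expected_zip}"]
    problems = []
    # Sparkle reads these as <item> children or as enclosure attributes.
    for field in ("version", "shortVersionString"):
        if not (item.findtext(_sparkle(field)) or enc.get(_sparkle(field))):
            problems.append(f"missing sparkle:{field}")
    length = enc.get("length", "")
    if not length.isdecimal() or int(length) == 0:
        problems.append("missing or non-numeric length")
    elif zip_size is not None and int(length) != zip_size:
        problems.append(f"length {length} != zip size {zip_size}")
    try:
        sig = base64.b64decode(enc.get(_sparkle("edSignature"), ""), validate=True)
    except ValueError:
        sig = b""
    if len(sig) != 64:  # an Ed25519 signature is 64 bytes; this is a shape check only
        problems.append("sparkle:edSignature is not a base64-encoded 64-byte value")
    return problems

# Constructed sample feed: version, URL, length and signature are placeholders.
SAMPLE = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel><item>
    <sparkle:version>2026010100</sparkle:version>
    <sparkle:shortVersionString>2026.1.1</sparkle:shortVersionString>
    <enclosure url="https://example.invalid/OpenClaw-2026.1.1.zip" length="1048576"
               type="application/octet-stream"
               sparkle:edSignature="{base64.b64encode(bytes(64)).decode()}"/>
  </item></channel>
</rss>"""

if __name__ == "__main__":
    print(check_appcast(SAMPLE, "2026.1.1", zip_size=1048576) or "appcast entry OK")
```

Pass the byte size of the downloaded release zip as `zip_size` to confirm the feed's `length` matches the published asset.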