steipete/clawpatch-release
skills/clawpatch-release/SKILL.md
clawpatch release: version/changelog, CI, npm publish, GitHub release, verify.
$ install --global
skillsauthnpx skillsauth add steipete/agent-scripts clawpatch-releaseInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 24, 2026, 4:17 AM125.2s2 files scanned
SKILL.md
- name:
- clawpatch-release
- description:
- clawpatch release: version/changelog, CI, npm publish, GitHub release, verify.
Clawpatch Release
Scope
Release ~/Projects/clawpatch as the public npm package clawpatch.
Use $npm and $one-password rules for registry auth. Keep all op and npm secret work inside one persistent tmux session and temp npmrc. Never print tokens, passwords, or OTPs.
Workflow
-
Start clean on
main.cd ~/Projects/clawpatchgit status --short --branchgit pull --ff-only- Confirm target version is not already tagged or released:
git tag --list "vX.Y.Z"andgh release view vX.Y.Z --repo openclaw/clawpatch. - Confirm npm state:
npm view clawpatch version dist-tags time --json.
-
Prep release files.
- Set
package.jsonversion to target. - Change top changelog section from
UnreleasedtoX.Y.Z - YYYY-MM-DD. - Ensure release notes are the changelog body for that version and include all user-facing changes.
- Run
pnpm install --lockfile-only; commit lockfile only if it actually changes.
- Set
-
Prove locally before publishing.
- Run
pnpm typecheck && pnpm lint && pnpm format:check && pnpm test && pnpm build && pnpm pack:smoke. - Fix failures before continuing.
- Run
-
Commit and push release prep.
- Commit with
committer "chore(release): X.Y.Z" CHANGELOG.md package.json [pnpm-lock.yaml]. git push origin main.- Watch CI/CodeQL for the release commit:
gh run list --repo openclaw/clawpatch --branch main --commit <sha> --json databaseId,workflowName,status,conclusion,url,headShagh run view <run_id> --repo openclaw/clawpatch --json status,conclusion,url,jobs
- Do not publish until release-commit CI and CodeQL are green.
- Commit with
-
Publish npm.
- Use a temp npmrc, never the default user npmrc.
- First try
npm whoami; if unauthenticated, use npm web login in the tmux session:NPM_CONFIG_USERCONFIG="$tmp_npmrc" npm login --auth-type=web --registry=https://registry.npmjs.org/- Open/approve browser login if prompted.
- For publish, fetch a fresh OTP from the
npmjs1Password item inside the same tmux session. - Publish with
NPM_CONFIG_USERCONFIG="$tmp_npmrc" npm publish --access public --otp "$NPM_OTP". - Clean temp npmrc/work dirs after publish.
- If publish says the version already exists, verify npm metadata and continue only if it matches the release commit/package contents.
-
Verify npm before GitHub release.
npm view [email protected] version dist-tags dist.tarball dist.integrity time --json- Required: version is
X.Y.Z,latestpoints toX.Y.Z, tarball URL exists, integrity exists, publish time exists.
-
Tag and create GitHub release.
- Build release notes from changelog plus npm/proof:
- npm version page
- registry tarball
- integrity string
- CI and CodeQL run URLs
- local proof command
- Use temp files for public GitHub bodies.
git tag -a vX.Y.Z <release_sha> -m "vX.Y.Z"git push origin vX.Y.Zgh release create vX.Y.Z --repo openclaw/clawpatch --title "vX.Y.Z" --notes-file "$notes"
- Build release notes from changelog plus npm/proof:
-
Release verify.
npm view [email protected] version dist-tags.latest dist.tarball dist.integrity time.X.Y.Z --jsongh release view vX.Y.Z --repo openclaw/clawpatch --json tagName,url,body,isDraft,isPrerelease- Confirm release body contains changelog notes, npm version link, tarball, integrity, and CI/proof.
- Confirm tag points at the release commit:
git rev-list -n1 vX.Y.Z.
-
Post-release closeout.
- Add next patch section at top of
CHANGELOG.md:## X.Y.(Z+1) - Unreleased. - Commit with
committer "docs(changelog): open X.Y.(Z+1)" CHANGELOG.md. - Push
main. - Watch closeout CI until green.
- Final:
git checkout main && git pull --ff-only && git status --short --branch.
- Add next patch section at top of
Notes
- Do not create the GitHub release before npm publish is verified; the release body must include npm proof.
- If npm auth scripts fail, keep the same tmux session. Do not start a second secret session unless the first is unusable.
- Avoid broad secret inspection. Query exact
npmjsfields only. - Public
ghcomments/releases should use temp--body-file/--notes-file, not inline quoted bodies.
Related Skills
steipete/openclaw-relay
data-ai
VerifiedTrustedCommunity
OpenClaw session relay: prompts/posts via local/remote acpx over SSH.
4,005SKILL.mdUpdated Apr 26, 2026
steipete/wrangler
tools
VerifiedTrustedCommunity
Wrangler CLI: Workers, KV, tail, deploy, account routing.
3,701SKILL.mdUpdated May 27, 2026
steipete/twilio-sms
tools
VerifiedTrustedCommunity
Twilio SMS CLI: buy/list/keep numbers, send/check messages, credential routing.
3,701SKILL.mdUpdated May 27, 2026
steipete/skill-cleaner
development
VerifiedTrustedCommunity
Audit Codex/OpenClaw skills: loaded roots, duplicate skills, unused skills, prompt-budget costs, compact descriptions.
3,701SKILL.mdUpdated May 27, 2026