diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml new file mode 100644 index 0000000..7cf12cb --- /dev/null +++ b/.github/workflows/docker-publish-openclaw.yml @@ -0,0 +1,119 @@ +name: Build and Publish OpenClaw Image + +on: + push: + branches: + - main + - integration-okr-1 # TODO: remove after testing — limit to main only + - feat/openclaw-ci # TODO: remove after testing — limit to main only + paths: + - 'internal/openclaw/OPENCLAW_VERSION' + workflow_dispatch: + inputs: + version: + description: 'OpenClaw version to build (e.g. v2026.2.3)' + required: false + type: string + +env: + REGISTRY: ghcr.io + IMAGE_NAME: obolnetwork/openclaw + +jobs: + build-and-push: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout obol-stack + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Read pinned version + id: version + run: | + if [ -n "${{ github.event.inputs.version }}" ]; then + VERSION="${{ github.event.inputs.version }}" + else + VERSION=$(grep -v '^#' internal/openclaw/OPENCLAW_VERSION | tr -d '[:space:]') + fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Building OpenClaw $VERSION" + + - name: Checkout upstream OpenClaw + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + repository: openclaw/openclaw + ref: ${{ steps.version.outputs.version }} + path: openclaw-src + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{version}},value=${{ steps.version.outputs.version }} + type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }} + type=sha,prefix= + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + labels: | + org.opencontainers.image.title=OpenClaw + org.opencontainers.image.description=AI agent gateway for Obol Stack + org.opencontainers.image.vendor=Obol Network + org.opencontainers.image.source=https://github.com/openclaw/openclaw + org.opencontainers.image.version=${{ steps.version.outputs.version }} + + - name: Build and push Docker image + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + context: openclaw-src + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: true + sbom: true + + security-scan: + needs: build-and-push + runs-on: ubuntu-latest + permissions: + security-events: write + + steps: + - name: Read pinned version + id: version + run: | + # Re-derive for the scan job + echo "Scanning latest pushed image" + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main + with: + sarif_file: 'trivy-results.sarif' + if: always() diff --git a/internal/openclaw/OPENCLAW_VERSION b/internal/openclaw/OPENCLAW_VERSION new file mode 100644 index 0000000..04b5d69 --- /dev/null +++ b/internal/openclaw/OPENCLAW_VERSION @@ -0,0 +1,3 @@ +# renovate: datasource=github-releases depName=openclaw/openclaw +# Pins the upstream OpenClaw version to build and publish. +v2026.2.9 diff --git a/renovate.json b/renovate.json index afab9bf..81e8188 100644 --- a/renovate.json +++ b/renovate.json @@ -33,6 +33,17 @@ "datasourceTemplate": "github-releases", "depNameTemplate": "kubernetes-sigs/gateway-api", "versioningTemplate": "semver" + }, + { + "customType": "regex", + "description": "Update OpenClaw version from upstream GitHub releases", + "matchStrings": [ + "#\\s*renovate:\\s*datasource=(?.*?)\\s+depName=(?.*?)\\n(?v[0-9]+\\.[0-9]+\\.[0-9]+)" + ], + "fileMatch": [ + "^internal/openclaw/OPENCLAW_VERSION$" + ], + "versioningTemplate": "semver" } ], "packageRules": [ @@ -89,6 +100,22 @@ ], "dependencyDashboardApproval": true, "prBodyTemplate": "⚠️ **MAJOR VERSION UPDATE** ⚠️\n\nThis PR updates **obol-stack-front-end** from `{{currentVersion}}` to `{{newVersion}}`.\n\n### ⚠️ Breaking Changes Expected\n\nMajor version updates may include breaking changes. Please review the release notes carefully.\n\n### Release Notes\n\n{{{changelog}}}\n\n### Migration Checklist\n- [ ] Review breaking changes in release notes\n- [ ] Test the new version in staging environment\n- [ ] Update any integration code if needed\n- [ ] Verify deployment scripts still work\n\n---\n**⚠️ This PR requires manual approval due to major version change**\n**Auto-generated by Renovate Bot**" + }, + { + "description": "Group OpenClaw updates", + "matchDatasources": [ + "github-releases" + ], + "matchPackageNames": [ + "openclaw/openclaw" + ], + "labels": [ + "renovate/openclaw" + ], + "schedule": [ + "every hour" + ], + "groupName": "OpenClaw updates" } ] }