From a2718dea9d1e891dc64db019d464997fdd7eb91f Mon Sep 17 00:00:00 2001 From: bussyjd Date: Mon, 9 Feb 2026 22:51:52 +0400 Subject: [PATCH 1/6] ci(openclaw): add Docker image build workflow with Renovate auto-bump Add GitHub Actions workflow to build and publish the OpenClaw container image to ghcr.io/obolnetwork/openclaw from the upstream openclaw/openclaw repo at a pinned version. Renovate watches for new upstream releases and auto-opens PRs to bump the version file. Closes #142 --- .github/workflows/docker-publish-openclaw.yml | 117 ++++++++++++++++++ internal/openclaw/OPENCLAW_VERSION | 2 + renovate.json | 27 ++++ 3 files changed, 146 insertions(+) create mode 100644 .github/workflows/docker-publish-openclaw.yml create mode 100644 internal/openclaw/OPENCLAW_VERSION diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml new file mode 100644 index 0000000..777e73b --- /dev/null +++ b/.github/workflows/docker-publish-openclaw.yml @@ -0,0 +1,117 @@ +name: Build and Publish OpenClaw Image + +on: + push: + branches: + - main + paths: + - 'internal/openclaw/OPENCLAW_VERSION' + workflow_dispatch: + inputs: + version: + description: 'OpenClaw version to build (e.g. v2026.2.3)' + required: false + type: string + +env: + REGISTRY: ghcr.io + IMAGE_NAME: obolnetwork/openclaw + +jobs: + build-and-push: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout obol-stack + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Read pinned version + id: version + run: | + if [ -n "${{ github.event.inputs.version }}" ]; then + VERSION="${{ github.event.inputs.version }}" + else + VERSION=$(grep -v '^#' internal/openclaw/OPENCLAW_VERSION | tr -d '[:space:]') + fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + echo "Building OpenClaw $VERSION" + + - name: Checkout upstream OpenClaw + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + repository: openclaw/openclaw + ref: ${{ steps.version.outputs.version }} + path: openclaw-src + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{version}},value=${{ steps.version.outputs.version }} + type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }} + type=sha,prefix= + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + labels: | + org.opencontainers.image.title=OpenClaw + org.opencontainers.image.description=AI agent gateway for Obol Stack + org.opencontainers.image.vendor=Obol Network + org.opencontainers.image.source=https://github.com/openclaw/openclaw + org.opencontainers.image.version=${{ steps.version.outputs.version }} + + - name: Build and push Docker image + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + context: openclaw-src + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: true + sbom: true + + security-scan: + needs: build-and-push + runs-on: ubuntu-latest + permissions: + security-events: write + + steps: + - name: Read pinned version + id: version + run: | + # Re-derive for the scan job + echo "Scanning latest pushed image" + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@915b19bbe73b92421caafd48a29a70a5d22ba401 # v0.30.0 + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.28.0 + with: + sarif_file: 'trivy-results.sarif' + if: always() diff --git a/internal/openclaw/OPENCLAW_VERSION b/internal/openclaw/OPENCLAW_VERSION new file mode 100644 index 0000000..06196e4 --- /dev/null +++ b/internal/openclaw/OPENCLAW_VERSION @@ -0,0 +1,2 @@ +# renovate: datasource=github-releases depName=openclaw/openclaw +v2026.2.3 diff --git a/renovate.json b/renovate.json index afab9bf..81e8188 100644 --- a/renovate.json +++ b/renovate.json @@ -33,6 +33,17 @@ "datasourceTemplate": "github-releases", "depNameTemplate": "kubernetes-sigs/gateway-api", "versioningTemplate": "semver" + }, + { + "customType": "regex", + "description": "Update OpenClaw version from upstream GitHub releases", + "matchStrings": [ + "#\\s*renovate:\\s*datasource=(?.*?)\\s+depName=(?.*?)\\n(?v[0-9]+\\.[0-9]+\\.[0-9]+)" + ], + "fileMatch": [ + "^internal/openclaw/OPENCLAW_VERSION$" + ], + "versioningTemplate": "semver" } ], "packageRules": [ @@ -89,6 +100,22 @@ ], "dependencyDashboardApproval": true, "prBodyTemplate": "⚠️ **MAJOR VERSION UPDATE** ⚠️\n\nThis PR updates **obol-stack-front-end** from `{{currentVersion}}` to `{{newVersion}}`.\n\n### ⚠️ Breaking Changes Expected\n\nMajor version updates may include breaking changes. Please review the release notes carefully.\n\n### Release Notes\n\n{{{changelog}}}\n\n### Migration Checklist\n- [ ] Review breaking changes in release notes\n- [ ] Test the new version in staging environment\n- [ ] Update any integration code if needed\n- [ ] Verify deployment scripts still work\n\n---\n**⚠️ This PR requires manual approval due to major version change**\n**Auto-generated by Renovate Bot**" + }, + { + "description": "Group OpenClaw updates", + "matchDatasources": [ + "github-releases" + ], + "matchPackageNames": [ + "openclaw/openclaw" + ], + "labels": [ + "renovate/openclaw" + ], + "schedule": [ + "every hour" + ], + "groupName": "OpenClaw updates" } ] } From bf4039fe01d0dade80fa9a1ee1c86fcc4137a5f7 Mon Sep 17 00:00:00 2001 From: bussyjd Date: Tue, 10 Feb 2026 13:58:46 +0400 Subject: [PATCH 2/6] ci(openclaw): temporarily add test branches to workflow triggers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add integration-okr-1 and feat/openclaw-ci to push triggers for testing. Remove after verifying the workflow runs successfully — limit to main only. --- .github/workflows/docker-publish-openclaw.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml index 777e73b..c666948 100644 --- a/.github/workflows/docker-publish-openclaw.yml +++ b/.github/workflows/docker-publish-openclaw.yml @@ -4,6 +4,8 @@ on: push: branches: - main + - integration-okr-1 # TODO: remove after testing — limit to main only + - feat/openclaw-ci # TODO: remove after testing — limit to main only paths: - 'internal/openclaw/OPENCLAW_VERSION' workflow_dispatch: From 104c03b7a9fd8c7dee8711bee972da0feae5c10f Mon Sep 17 00:00:00 2001 From: bussyjd Date: Tue, 10 Feb 2026 14:03:35 +0400 Subject: [PATCH 3/6] ci(openclaw): trigger workflow test run --- internal/openclaw/OPENCLAW_VERSION | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/openclaw/OPENCLAW_VERSION b/internal/openclaw/OPENCLAW_VERSION index 06196e4..9bf0820 100644 --- a/internal/openclaw/OPENCLAW_VERSION +++ b/internal/openclaw/OPENCLAW_VERSION @@ -1,2 +1,3 @@ # renovate: datasource=github-releases depName=openclaw/openclaw +# This file pins the upstream OpenClaw version to build and publish. v2026.2.3 From 2fa8ae7d78ba1c29ff3d7cee799564abddab7c72 Mon Sep 17 00:00:00 2001 From: bussyjd Date: Tue, 10 Feb 2026 14:21:06 +0400 Subject: [PATCH 4/6] fix(ci): update Trivy and CodeQL action SHAs to latest The pinned SHAs from charon-dkg-sidecar were stale and caused the security-scan job to fail at setup. --- .github/workflows/docker-publish-openclaw.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish-openclaw.yml b/.github/workflows/docker-publish-openclaw.yml index c666948..7cf12cb 100644 --- a/.github/workflows/docker-publish-openclaw.yml +++ b/.github/workflows/docker-publish-openclaw.yml @@ -105,7 +105,7 @@ jobs: echo "Scanning latest pushed image" - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@915b19bbe73b92421caafd48a29a70a5d22ba401 # v0.30.0 + uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest format: 'sarif' @@ -113,7 +113,7 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.28.0 + uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main with: sarif_file: 'trivy-results.sarif' if: always() From 13f84ca6d909f7ce0e01d67581778cb813cbba63 Mon Sep 17 00:00:00 2001 From: bussyjd Date: Tue, 10 Feb 2026 14:52:04 +0400 Subject: [PATCH 5/6] ci(openclaw): re-trigger workflow to verify security scan fix --- internal/openclaw/OPENCLAW_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/openclaw/OPENCLAW_VERSION b/internal/openclaw/OPENCLAW_VERSION index 9bf0820..50df0a3 100644 --- a/internal/openclaw/OPENCLAW_VERSION +++ b/internal/openclaw/OPENCLAW_VERSION @@ -1,3 +1,3 @@ # renovate: datasource=github-releases depName=openclaw/openclaw -# This file pins the upstream OpenClaw version to build and publish. +# Pins the upstream OpenClaw version to build and publish. v2026.2.3 From e27de5861f9727ed3408b1649e93458ff17951f8 Mon Sep 17 00:00:00 2001 From: bussyjd Date: Tue, 10 Feb 2026 16:43:21 +0400 Subject: [PATCH 6/6] chore(openclaw): bump version to v2026.2.9 --- internal/openclaw/OPENCLAW_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/openclaw/OPENCLAW_VERSION b/internal/openclaw/OPENCLAW_VERSION index 50df0a3..04b5d69 100644 --- a/internal/openclaw/OPENCLAW_VERSION +++ b/internal/openclaw/OPENCLAW_VERSION @@ -1,3 +1,3 @@ # renovate: datasource=github-releases depName=openclaw/openclaw # Pins the upstream OpenClaw version to build and publish. -v2026.2.3 +v2026.2.9