ci(openclaw): Docker image build workflow with Renovate auto-bump

.github/workflows/docker-publish-openclaw.yml

@@ -0,0 +1,119 @@
+name: Build and Publish OpenClaw Image
+
+on:
+  push:
+    branches:
+      - main
+      - integration-okr-1 # TODO: remove after testing — limit to main only
+      - feat/openclaw-ci   # TODO: remove after testing — limit to main only
+    paths:
+      - 'internal/openclaw/OPENCLAW_VERSION'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'OpenClaw version to build (e.g. v2026.2.3)'
+        required: false
+        type: string
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: obolnetwork/openclaw
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout obol-stack
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Read pinned version
+        id: version
+        run: |
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
+            VERSION=$(grep -v '^#' internal/openclaw/OPENCLAW_VERSION | tr -d '[:space:]')
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Building OpenClaw $VERSION"
+
+      - name: Checkout upstream OpenClaw
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: openclaw/openclaw
+          ref: ${{ steps.version.outputs.version }}
+          path: openclaw-src
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }}
+            type=sha,prefix=
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+          labels: |
+            org.opencontainers.image.title=OpenClaw
+            org.opencontainers.image.description=AI agent gateway for Obol Stack
+            org.opencontainers.image.vendor=Obol Network
+            org.opencontainers.image.source=https://github.com/openclaw/openclaw
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: openclaw-src
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true
+
+  security-scan:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Read pinned version
+        id: version
+        run: |
+          # Re-derive for the scan job
+          echo "Scanning latest pushed image"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac # master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1 # main
+        with:
+          sarif_file: 'trivy-results.sarif'
+        if: always()

internal/openclaw/OPENCLAW_VERSION

@@ -0,0 +1,3 @@
+# renovate: datasource=github-releases depName=openclaw/openclaw
+# Pins the upstream OpenClaw version to build and publish.
+v2026.2.9

renovate.json

@@ -33,6 +33,17 @@
       "datasourceTemplate": "github-releases",
       "depNameTemplate": "kubernetes-sigs/gateway-api",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Update OpenClaw version from upstream GitHub releases",
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>.*?)\\s+depName=(?<depName>.*?)\\n(?<currentValue>v[0-9]+\\.[0-9]+\\.[0-9]+)"
+      ],
+      "fileMatch": [
+        "^internal/openclaw/OPENCLAW_VERSION$"
+      ],
+      "versioningTemplate": "semver"
     }
   ],
   "packageRules": [
@@ -89,6 +100,22 @@
       ],
       "dependencyDashboardApproval": true,
       "prBodyTemplate": "⚠️ **MAJOR VERSION UPDATE** ⚠️\n\nThis PR updates **obol-stack-front-end** from `{{currentVersion}}` to `{{newVersion}}`.\n\n### ⚠️ Breaking Changes Expected\n\nMajor version updates may include breaking changes. Please review the release notes carefully.\n\n### Release Notes\n\n{{{changelog}}}\n\n### Migration Checklist\n- [ ] Review breaking changes in release notes\n- [ ] Test the new version in staging environment\n- [ ] Update any integration code if needed\n- [ ] Verify deployment scripts still work\n\n---\n**⚠️ This PR requires manual approval due to major version change**\n**Auto-generated by Renovate Bot**"
+    },
+    {
+      "description": "Group OpenClaw updates",
+      "matchDatasources": [
+        "github-releases"
+      ],
+      "matchPackageNames": [
+        "openclaw/openclaw"
+      ],
+      "labels": [
+        "renovate/openclaw"
+      ],
+      "schedule": [
+        "every hour"
+      ],
+      "groupName": "OpenClaw updates"
     }
   ]
 }