
ci: add workflow to check for new OpenClaw releases #675

Open
pandemicsyn wants to merge 6 commits into main from florian/auto/pr

Conversation

@pandemicsyn
Contributor

Summary

Adds a scheduled GitHub Actions workflow (.github/workflows/bump-openclaw.yml) that checks for new stable OpenClaw releases every 12 hours.

When a new non-beta release is detected that:

  1. Differs from the version pinned in kiloclaw/Dockerfile
  2. Was published less than 24 hours ago

It will:

  • POST to the openclaw-bump webhook at hooks.kilosessions.ai
  • Send a Slack notification (same channel as deploy notifications) with current/new versions and a link to the release notes

Required secrets

  • KILOCLAW_GITHUB_WEBHOOK_TRIGGER_TOKEN — used as x-webhook-secret header for the webhook POST
  • DEPLOY_NOTIFY_SLACK_WEBHOOK_URL — already exists (used by deploy-kiloclaw workflow)

Scheduled every 12 hours. When a new stable (non-beta) openclaw
release is detected that differs from the version pinned in
kiloclaw/Dockerfile and is less than 24 hours old:
- POSTs to the openclaw-bump webhook
- Sends a Slack notification with current/new versions and release link
@pandemicsyn pandemicsyn marked this pull request as ready for review February 27, 2026 21:57
@kilo-code-bot
Contributor

kilo-code-bot bot commented Feb 27, 2026

Code Review Summary

Status: No New Issues Found | Recommendation: Address existing comments before merge

Overview

All issues in this PR have already been flagged by prior reviewers. No additional issues were found during this review pass.

The existing inline comments cover:

  • Script injection risk from external git tag values interpolated into shell (line 47)
  • grep pattern fragility if Dockerfile format changes (line 20)
  • Missing error handling for empty tag_date (line 65)
  • Duplicate notification window — 12h schedule with 24h age gate (line 5)
  • Webhook failure considerations (line 88) — note: continue-on-error: true on line 82 already mitigates this

Files Reviewed (1 file)
  • .github/workflows/bump-openclaw.yml — 0 new issues (5 existing inline comments from prior reviewers)
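The decision logic the workflow description and the review summary above describe, written out as an added example (not the PR's own workflow) with the three hardening points the reviewers ask for: strict tag validation, a descriptive error instead of an empty value, and inputs passed as arguments rather than pasted into shell text. The `ARG OPENCLAW_VERSION=` Dockerfile line is an assumption; the page does not show the real pin format.

```shell
#!/usr/bin/env bash
# Added example of a release-bump check; not the workflow from the PR.
set -euo pipefail

# Accept only a stable semver tag such as "v1.2.3" or "1.2.3". Betas
# ("v1.2.3-beta.1") and tags carrying shell metacharacters are rejected,
# so a tag that fails here never reaches any command line.
is_stable_tag() {
  printf '%s\n' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'
}

# Read the pinned version from a Dockerfile. Assumes (not from the page)
# a line of the form "ARG OPENCLAW_VERSION=<version>". Fails with a
# descriptive error when the pattern is missing instead of returning "".
pinned_version() {
  local dockerfile="$1" ver
  ver=$(grep -E '^ARG OPENCLAW_VERSION=' "$dockerfile" | head -n1 | cut -d= -f2-) || true
  if [ -z "$ver" ]; then
    printf 'error: no ARG OPENCLAW_VERSION= line in %s\n' "$dockerfile" >&2
    return 1
  fi
  printf '%s\n' "${ver#v}"
}

# should_bump PINNED TAG PUBLISHED_EPOCH NOW_EPOCH MAX_AGE_SECONDS
# Returns 0 when TAG is a new stable release inside the age window and
# prints the decision. Epoch seconds keep this portable (no GNU date -d).
should_bump() {
  local pinned="$1" tag="$2" published="$3" now="$4" max_age="$5"
  if ! is_stable_tag "$tag"; then
    printf 'skip: %s is not a stable semver tag\n' "$tag"; return 1
  fi
  if [ -z "$published" ]; then
    printf 'error: release has no published date\n'; return 1
  fi
  if [ "${tag#v}" = "${pinned#v}" ]; then
    printf 'skip: %s is already pinned\n' "$tag"; return 1
  fi
  local age=$(( now - published ))
  if [ "$age" -lt 0 ] || [ "$age" -ge "$max_age" ]; then
    printf 'skip: %s is %ss old, outside the %ss window\n' "$tag" "$age" "$max_age"; return 1
  fi
  printf 'bump: %s -> %s\n' "$pinned" "${tag#v}"
}
```

In a workflow, the tag and published date would come from step outputs exposed via `env:` and passed as `"$TAG"` and `"$PUBLISHED"`, never interpolated with `${{ }}` inside `run:`.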


- Move step output interpolations to env vars to prevent shell injection
  from external openclaw/openclaw tag names
- Validate extracted version matches expected numeric format
- Add guards with descriptive errors for grep/API failures

on:
  schedule:
    - cron: '0 */12 * * *' # Every 12 hours (midnight and noon UTC)

SUGGESTION: Potential duplicate notifications per release

The workflow runs every 12 hours (line 5) but the age gate on line 69 allows releases up to 24 hours old. This means a single new release can trigger the webhook + Slack notification twice — once in each 12-hour window.

If the webhook endpoint is not idempotent, this could cause duplicate processing. And Slack will receive two identical notifications. Consider either:

  • Reducing the age threshold to 12 hours to match the schedule interval, or
  • Adding state (e.g., a cache key or artifact) to track whether a notification was already sent for a given version.


rather have 2 than 0 if the webhook doesn't fire, and we can always add instructions on the webhook agent side to check for other PRs

- Fail with descriptive error if tag date API call returns empty

- Reduce age threshold from 24h to 12h to match cron interval,
  preventing duplicate notifications per release

The webhook endpoint is idempotent, so duplicate calls are harmless.
A 24h window provides better coverage in case the first notification
fails to produce a PR.

- Reference OPENCLAW_BUMP_WEBHOOK_URL secret instead of hardcoding URL

- Add -o /dev/null to curl to prevent response body leaking to logs

Prevents a webhook outage from blocking the Slack notification.