Skip to content

ci(openclaw): Docker image build workflow with Renovate auto-bump #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bussyjd merged 6 commits into from
Feb 10, 2026
Merged

ci(openclaw): Docker image build workflow with Renovate auto-bump #143

bussyjd merged 6 commits into from
Feb 10, 2026

Conversation

@bussyjd
Copy link
Collaborator

@bussyjd bussyjd commented Feb 10, 2026
edited
Loading

Summary

  • Add GitHub Actions workflow to build and publish ghcr.io/obolnetwork/openclaw from upstream openclaw/openclaw at a pinned version
  • Add internal/openclaw/OPENCLAW_VERSION with Renovate inline hint for automatic upstream tracking
  • Add Renovate custom manager + package rule so new upstream releases auto-open bump PRs

How it works

  1. OPENCLAW_VERSION pins the upstream tag (e.g. v2026.2.3)
  2. Renovate detects new openclaw/openclaw GitHub releases → opens PR to bump the version file
  3. Merging the PR triggers the workflow (path filter on internal/openclaw/**)
  4. Workflow clones upstream at the pinned tag, builds multi-platform image (amd64+arm64), pushes to GHCR
  5. Trivy security scan runs on the published image

Files

File Purpose
.github/workflows/docker-publish-openclaw.yml Build + publish workflow (modeled on charon-dkg-sidecar)
internal/openclaw/OPENCLAW_VERSION Pinned upstream version with Renovate hint
renovate.json New custom manager + package rule for OpenClaw

Test plan

  • Verify workflow syntax is valid (Actions tab)
  • Trigger via push to feat/openclaw-ci branch (workflow_dispatch not available until workflow is on default branch)
  • Confirm image published to ghcr.io/obolnetwork/openclaw — verified with docker manifest inspect and docker pull
  • Confirm multi-platform manifest (amd64 + arm64)
  • Confirm Trivy security scan passes
  • Confirm Renovate picks up the version file (check dependency dashboard after merge)
  • Remove test branches from workflow triggers (limit to main only) — see TODO comments in workflow

Test runs

Run Result Link
#1 — build-and-push ✅ success 21860388194
#1 — security-scan ❌ failed (stale Trivy action SHA) fixed in subsequent commit
#2 — build-and-push ✅ success 21861952973
#2 — security-scan ✅ success 21861952973

Published image tags

  • ghcr.io/obolnetwork/openclaw:2026.2.3
  • ghcr.io/obolnetwork/openclaw:2026.2
  • ghcr.io/obolnetwork/openclaw:latest
  • ghcr.io/obolnetwork/openclaw:104c03b (git sha)

Note: Tags use semver without v prefix (e.g. 2026.2.3 not v2026.2.3). The chart values.yaml currently references v2026.2.3 — needs alignment.

Closes #142

@bussyjd
ci(openclaw): add Docker image build workflow with Renovate auto-bump
a2718de 
Add GitHub Actions workflow to build and publish the OpenClaw container
image to ghcr.io/obolnetwork/openclaw from the upstream openclaw/openclaw
repo at a pinned version. Renovate watches for new upstream releases and
auto-opens PRs to bump the version file.

Closes #142
@bussyjd
ci(openclaw): temporarily add test branches to workflow triggers
bf4039f 
Add integration-okr-1 and feat/openclaw-ci to push triggers for testing.
Remove after verifying the workflow runs successfully — limit to main only.
@bussyjd
ci(openclaw): trigger workflow test run
104c03b
@bussyjd
fix(ci): update Trivy and CodeQL action SHAs to latest
2fa8ae7 
The pinned SHAs from charon-dkg-sidecar were stale and caused the
security-scan job to fail at setup.
@bussyjd
ci(openclaw): re-trigger workflow to verify security scan fix
13f84ca
@github-advanced-security
Copy link

github-advanced-security bot commented Feb 10, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@bussyjd bussyjd requested a review from OisinKyne February 10, 2026 11:19
OisinKyne
OisinKyne approved these changes Feb 10, 2026
View reviewed changes
Copy link
Contributor

@OisinKyne OisinKyne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would prefer this to be in a separate repo tbh, not sure if it needs to be in this one

@bussyjd bussyjd merged commit ada01b8 into integration-okr-1 Feb 10, 2026
3 checks passed
@OisinKyne OisinKyne deleted the feat/openclaw-ci branch February 10, 2026 13:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OisinKyne OisinKyne OisinKyne approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bussyjd @OisinKyne