From 4586d1c1086e09dcc816dc8a2892fa0ec4845858 Mon Sep 17 00:00:00 2001
From: Onur <2453968+osolmaz@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:23:04 +0100
Subject: [PATCH 1/3] chore: restore openclaw package repository metadata

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index db28956..89f95b3 100644
--- a/package.json
+++ b/package.json
@@ -37,11 +37,11 @@
 "coding-agent",
 "ai"
 ],
- "author": "Janitr AI",
+ "author": "",
 "license": "MIT",
 "repository": {
 "type": "git",
- "url": "git+https://github.com/janitrai/acpx.git"
+ "url": "git+https://github.com/openclaw/acpx.git"
 },
 "engines": {
 "node": ">=18"
From 6088540ed0cce097a724b1b8d17da8ec6f06b542 Mon Sep 17 00:00:00 2001
From: Onur <2453968+osolmaz@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:24:15 +0100
Subject: [PATCH 2/3] chore: set package author metadata to OpenClaw Team

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 89f95b3..9e0d127 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,7 @@
 "coding-agent",
 "ai"
 ],
- "author": "",
+ "author": "OpenClaw Team ",
 "license": "MIT",
 "repository": {
 "type": "git",
From 465762d77c4f74365263bc7b1c6bbf601b90b9f1 Mon Sep 17 00:00:00 2001
From: Onur <2453968+osolmaz@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:29:47 +0100
Subject: [PATCH 3/3] ci: harden release metadata and prebuild artifacts

---
 .github/workflows/release.yml | 41 +++++++++++++++++++++++++++++++++++
 package.json | 2 +-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 047834c..6a47f49 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,8 +31,49 @@ jobs:
 - run: git config user.name "github-actions[bot]"
 - run: git config user.email "github-actions[bot]@users.noreply.github.com"
 - run: npm ci
+ - name: Validate package metadata for trusted publishing
+ run: |
+ node - <<'NODE'
+ const { readFileSync } = require("node:fs");
+
+ const pkg = JSON.parse(readFileSync("package.json", "utf8"));
+ const expectedAuthor = "OpenClaw Team ";
+ const expectedRepoUrl = "https://github.com/openclaw/acpx";
+
+ const normalizeRepoUrl = (value) =>
+ String(value ?? "")
+ .trim()
+ .replace(/^git\+/, "")
+ .replace(/\.git$/i, "")
+ .replace(/\/+$/, "");
+
+ const actualRepoUrl = normalizeRepoUrl(pkg?.repository?.url);
+ const expectedRepoUrlNormalized = normalizeRepoUrl(expectedRepoUrl);
+
+ const errors = [];
+ if (actualRepoUrl !== expectedRepoUrlNormalized) {
+ errors.push(
+ `package.json repository.url must resolve to ${expectedRepoUrlNormalized}; found ${actualRepoUrl || ""}`
+ );
+ }
+ if ((pkg?.author ?? "") !== expectedAuthor) {
+ errors.push(
+ `package.json author must be exactly "${expectedAuthor}"; found "${pkg?.author ?? ""}"`
+ );
+ }
+
+ if (errors.length > 0) {
+ for (const err of errors) {
+ console.error(err);
+ }
+ process.exit(1);
+ }
+
+ console.log("Package metadata validated.");
+ NODE
 - run: npm run lint
 - run: npm run typecheck
+ - run: npm run build
 # Fetch latest version from npm, bump it, write to package.json.
 # Nothing is committed — the bumped version lives only in the CI
 # runner's working directory. release-it tags + publishes from it.
diff --git a/package.json b/package.json
index 9e0d127..b80b86b 100644
--- a/package.json
+++ b/package.json
@@ -41,7 +41,7 @@
 "license": "MIT",
 "repository": {
 "type": "git",
- "url": "https://github.com/openclaw/acpx"
+ "url": "https://github.com/openclaw/acpx"
 },
 "engines": {
 "node": ">=18"
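Review bot: The `Validate package metadata for trusted publishing` step in the release.yml hunk checks a package.json that later steps still rewrite, so the file it approves is not necessarily the one that ships. The unchanged comment at the end of the hunk says a following step writes the bumped version into package.json and release-it publishes from that working copy, and `npm run lint`, `npm run typecheck` and the added `npm run build` all run project scripts in between. Moving this step to directly before the release-it step (which is outside the hunk), or repeating it there, would validate the metadata that is actually published. Separately, `expectedRepoUrl` is a constant kept in the same repository it guards, so the check catches accidental drift only; deriving it as `process.env.GITHUB_SERVER_URL + "/" + process.env.GITHUB_REPOSITORY` would tie it to the repository the workflow actually runs in, which is presumably what provenance verification compares against.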