ci: use temporary pnpm for source deploy

.github/workflows/deploy.yml

@@ -68,29 +68,28 @@ jobs:
         run: |
           set -euo pipefail
           PACKAGE="${PLUGIN_NAME}@${VERSION}"
-          if npm view "${PACKAGE}" version >/dev/null 2>&1; then
-            PUBLISHED="$(npm view "${PACKAGE}" version)"
-            echo "::notice::${PLUGIN_NAME}@${PUBLISHED} is available on npm"
-            echo "source=npm" >> "$GITHUB_OUTPUT"
-            echo "install_spec=${PACKAGE}" >> "$GITHUB_OUTPUT"
-          else
-            ref="${GITHUB_REF_NAME:-release/v${VERSION}}"
-            install_spec="git+${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git#${ref}"
-            echo "::warning::${PACKAGE} is not published to npm yet; installing from ${install_spec}"
-            echo "source=github" >> "$GITHUB_OUTPUT"
-            echo "install_spec=${install_spec}" >> "$GITHUB_OUTPUT"
-          fi
+          ref="${GITHUB_REF_NAME:-release/v${VERSION}}"
+          repo_url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          echo "::notice::Installing ${PACKAGE} from source repo ${repo_url} ref ${ref}"
+          echo "source=source" >> "$GITHUB_OUTPUT"
+          echo "install_ref=${ref}" >> "$GITHUB_OUTPUT"
+          echo "install_spec=${repo_url}" >> "$GITHUB_OUTPUT"
 
       - name: Configure SSH key
+        env:
+          SSH_PRIVATE_KEY: ${{ secrets.SINGLE_NODE_VPS_SSH_PRIVATE_KEY }}
         run: |
           set -euo pipefail
-          if [ -z "${{ secrets.OPENCLAW_SSH_KEY }}" ]; then
-            echo "::error::Secret OPENCLAW_SSH_KEY is not set."
+          if [ -z "${SSH_PRIVATE_KEY}" ]; then
+            echo "::error::Secret SINGLE_NODE_VPS_SSH_PRIVATE_KEY is not set."
             exit 1
           fi
           install -m 700 -d ~/.ssh
-          printf '%s' "${{ secrets.OPENCLAW_SSH_KEY }}" > ~/.ssh/openclaw_ed25519
+          printf '%s\n' "${SSH_PRIVATE_KEY}" \
+            | perl -pe 's/\\n/\n/g; s/\r$//' \
+            > ~/.ssh/openclaw_ed25519
           chmod 600 ~/.ssh/openclaw_ed25519
+          ssh-keygen -y -f ~/.ssh/openclaw_ed25519 >/dev/null
           ssh-keyscan -H openclaw.svc.plus >> ~/.ssh/known_hosts 2>/dev/null || true
 
       - name: Verify SSH connectivity
@@ -103,29 +102,42 @@ jobs:
           VERSION: ${{ steps.version.outputs.value }}
           INSTALL_SPEC: ${{ steps.install.outputs.install_spec }}
           INSTALL_SOURCE: ${{ steps.install.outputs.source }}
+          INSTALL_REF: ${{ steps.install.outputs.install_ref }}
           FORCE: ${{ inputs.force || 'false' }}
         run: |
           ssh -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes -o ServerAliveInterval=30 \
-            "${SSH_HOST}" bash -s -- "${PLUGIN_NAME}" "${VERSION}" "${INSTALL_SPEC}" "${INSTALL_SOURCE}" "${FORCE}" <<'REMOTE'
+            "${SSH_HOST}" bash -s -- "${PLUGIN_NAME}" "${VERSION}" "${INSTALL_SPEC}" "${INSTALL_SOURCE}" "${INSTALL_REF}" "${FORCE}" <<'REMOTE'
           set -euo pipefail
           PLUGIN_NAME="$1"
           VERSION="$2"
           INSTALL_SPEC="$3"
           INSTALL_SOURCE="$4"
-          FORCE="$5"
+          INSTALL_REF="$5"
+          FORCE="$6"
           PACKAGE="${PLUGIN_NAME}@${VERSION}"
           STATE_DIR="/tmp/openclaw-deploy"
           mkdir -p "${STATE_DIR}"
 
           echo "==> Installing ${PACKAGE} from ${INSTALL_SOURCE} on $(hostname) (force=${FORCE})"
           echo "==> Install spec: ${INSTALL_SPEC}"
+          echo "==> Install ref: ${INSTALL_REF}"
+
+          get_installed_version() {
+            node -e '
+              const { execSync } = require("node:child_process");
+              const { join } = require("node:path");
+              const { existsSync, readFileSync } = require("node:fs");
+              const name = process.argv[1];
+              const root = execSync("npm root -g", { encoding: "utf8" }).trim();
+              const manifest = join(root, name, "package.json");
+              if (existsSync(manifest)) {
+                process.stdout.write(JSON.parse(readFileSync(manifest, "utf8")).version || "");
+              }
+            ' "${PLUGIN_NAME}" 2>/dev/null || true
+          }
 
           # Record the previously installed version for rollback.
-          PREVIOUS_VERSION=""
-          if command -v openclaw >/dev/null 2>&1; then
-            PREVIOUS_VERSION="$(npm ls -g "${PLUGIN_NAME}" --depth=0 2>/dev/null \
-              | awk -F'[@:]' '/'"${PLUGIN_NAME}"'@/ {print $2; exit}' || true)"
-          fi
+          PREVIOUS_VERSION="$(get_installed_version)"
           echo "==> Previously installed version: ${PREVIOUS_VERSION:-<none>}"
 
           # Skip when the requested version is already present unless forced.
@@ -155,7 +167,32 @@ jobs:
           trap rollback ERR
 
           install_plugin() {
-            if command -v openclaw >/dev/null 2>&1; then
+            global_root="$(npm root -g)"
+            global_target="${global_root}/${PLUGIN_NAME}"
+            if [ -e "${global_target}" ] && [ ! -d "${global_target}" ]; then
+              echo "::remote-warning::Removing invalid global package path ${global_target}"
+              rm -f "${global_target}"
+            fi
+
+            if [ "${INSTALL_SOURCE}" = "source" ]; then
+              SOURCE_DIR="${STATE_DIR}/source/${PLUGIN_NAME}"
+              rm -rf "${SOURCE_DIR}"
+              mkdir -p "${SOURCE_DIR}"
+              git -C "${SOURCE_DIR}" init
+              git -C "${SOURCE_DIR}" remote add origin "${INSTALL_SPEC}"
+              git -C "${SOURCE_DIR}" fetch --depth 1 origin "${INSTALL_REF}"
+              git -C "${SOURCE_DIR}" checkout --detach FETCH_HEAD
+              TOOL_DIR="${STATE_DIR}/tools"
+              npm install --prefix "${TOOL_DIR}" pnpm@10.28.2
+              PNPM="${TOOL_DIR}/node_modules/.bin/pnpm"
+              "${PNPM}" --dir "${SOURCE_DIR}" install --frozen-lockfile
+              "${PNPM}" --dir "${SOURCE_DIR}" build
+              npm install -g "${SOURCE_DIR}"
+            elif [ "${INSTALL_SOURCE}" = "github" ]; then
+              global_root="$(npm root -g)"
+              global_target="${global_root}/${PLUGIN_NAME}"
+              npm install -g "${INSTALL_SPEC}"
+            elif command -v openclaw >/dev/null 2>&1; then
               openclaw plugins install "${INSTALL_SPEC}" \
                 || openclaw plugins update "${INSTALL_SPEC}" \
                 || npm install -g "${INSTALL_SPEC}"
@@ -171,8 +208,7 @@ jobs:
           fi
 
           # Verify the installed version matches the requested version.
-          INSTALLED="$(npm ls -g "${PLUGIN_NAME}" --depth=0 2>/dev/null \
-            | awk -F'[@:]' '/'"${PLUGIN_NAME}"'@/ {print $2; exit}' || true)"
+          INSTALLED="$(get_installed_version)"
           if [ "${INSTALLED}" != "${VERSION}" ]; then
             echo "::remote-error::Verification failed: expected ${VERSION}, found ${INSTALLED:-<none>}"
             exit 1