name: Deploy env: VAULT_ADDR: https://vault.svc.plus on: push: tags: - "[0-9]+.[0-9]+.[0-9]+" - "v[0-9]+.[0-9]+.[0-9]+" release: types: - published workflow_run: workflows: - Publish types: - completed workflow_dispatch: inputs: version: description: "Plugin version to install (e.g. 2026.6.1). Leave blank to use the release tag." required: false default: "" force: description: "Reinstall even if the same version is already installed." required: false default: "false" type: choice options: - "false" - "true" concurrency: group: openclaw-deploy cancel-in-progress: false permissions: contents: read id-token: write jobs: install-on-host: name: Update plugin on ubuntu@openclaw.svc.plus runs-on: ubuntu-latest if: github.event_name != 'workflow_run' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'release') env: SSH_HOST: ubuntu@openclaw.svc.plus PLUGIN_NAME: openclaw-multi-session-plugins steps: - name: Checkout source uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 with: ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.ref }} - name: Load Vault secrets id: vault uses: hashicorp/vault-action@v2 with: url: ${{ env.VAULT_ADDR }} method: jwt role: github-actions-openclaw-multi-session-plugins jwtGithubAudience: vault secrets: | kv/data/github-actions/openclaw-multi-session-plugins OPENCLAW_SSH_KEY | OPENCLAW_SSH_KEY ; kv/data/github-actions/openclaw-multi-session-plugins OPENCLAW_SSH_KEY_B64 | OPENCLAW_SSH_KEY_B64 ; kv/data/github-actions/openclaw-multi-session-plugins SINGLE_NODE_VPS_SSH_PRIVATE_KEY | SINGLE_NODE_VPS_SSH_PRIVATE_KEY ; kv/data/github-actions/openclaw-multi-session-plugins SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 | SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 - name: Resolve target version id: version run: | set -euo pipefail if [ -n "${{ inputs.version }}" ]; then value="${{ inputs.version }}" elif [ "${{ github.event_name }}" = "workflow_run" ]; then if [ ! -f package.json ]; then echo "::error::package.json not found after checking out workflow_run source" exit 1 fi value="$(node -p "require('./package.json').version")" else ref="${GITHUB_REF_NAME:-}" value="${ref}" fi value="${value##*/}" value="${value#v}" if ! [[ "${value}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::error::Resolved value '${value}' is not a valid X.Y.Z version" exit 1 fi if [ -z "${value}" ]; then echo "::error::Could not resolve plugin version from inputs or GITHUB_REF_NAME" exit 1 fi echo "value=${value}" >> "$GITHUB_OUTPUT" echo "Resolved plugin version: ${value}" - name: Resolve install source id: install env: VERSION: ${{ steps.version.outputs.value }} FORCE: ${{ inputs.force || 'false' }} run: | set -euo pipefail PACKAGE="${PLUGIN_NAME}@${VERSION}" if [ "${FORCE}" != "true" ] && npm view "${PACKAGE}" version >/dev/null 2>&1; then PUBLISHED="$(npm view "${PACKAGE}" version)" echo "::notice::${PLUGIN_NAME}@${PUBLISHED} is available on npm" echo "source=npm" >> "$GITHUB_OUTPUT" echo "install_spec=${PACKAGE}" >> "$GITHUB_OUTPUT" else install_spec="/tmp/${PLUGIN_NAME}-${VERSION}-${GITHUB_SHA}.tgz" echo "::warning::Building and installing ${install_spec} from the checked-out source" echo "source=archive" >> "$GITHUB_OUTPUT" echo "install_spec=${install_spec}" >> "$GITHUB_OUTPUT" fi - name: Setup Node if: steps.install.outputs.source == 'archive' uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 with: node-version: 22 - name: Setup pnpm if: steps.install.outputs.source == 'archive' run: | corepack enable corepack prepare pnpm@10.28.2 --activate - name: Build archive install source id: archive if: steps.install.outputs.source == 'archive' env: VERSION: ${{ steps.version.outputs.value }} run: | set -euo pipefail pnpm install --frozen-lockfile pnpm test pnpm typecheck pnpm pack tarball="${PLUGIN_NAME}-${VERSION}.tgz" test -f "${tarball}" echo "tarball=${tarball}" >> "$GITHUB_OUTPUT" - name: Configure SSH key env: OPENCLAW_SSH_KEY: ${{ steps.vault.outputs.OPENCLAW_SSH_KEY }} OPENCLAW_SSH_KEY_B64: ${{ steps.vault.outputs.OPENCLAW_SSH_KEY_B64 }} SINGLE_NODE_VPS_SSH_PRIVATE_KEY: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY }} SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64: ${{ steps.vault.outputs.SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64 }} run: | set -euo pipefail SSH_KEY="" if [ -n "${OPENCLAW_SSH_KEY_B64:-}" ]; then SSH_KEY="$(printf '%s' "${OPENCLAW_SSH_KEY_B64}" | base64 -d)" elif [ -n "${OPENCLAW_SSH_KEY:-}" ]; then SSH_KEY="${OPENCLAW_SSH_KEY}" fi if [ -z "${SSH_KEY}" ] && [ -n "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64:-}" ]; then SSH_KEY="$(printf '%s' "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY_B64}" | base64 -d)" elif [ -z "${SSH_KEY}" ] && [ -n "${SINGLE_NODE_VPS_SSH_PRIVATE_KEY:-}" ]; then SSH_KEY="${SINGLE_NODE_VPS_SSH_PRIVATE_KEY}" fi if [ -z "${SSH_KEY}" ]; then echo "::error::Neither OPENCLAW_SSH_KEY nor SINGLE_NODE_VPS_SSH_PRIVATE_KEY is set." exit 1 fi install -m 700 -d ~/.ssh printf '%s\n' "${SSH_KEY}" > ~/.ssh/openclaw_ed25519 chmod 600 ~/.ssh/openclaw_ed25519 ssh-keyscan -H openclaw.svc.plus >> ~/.ssh/known_hosts 2>/dev/null || true - name: Verify SSH connectivity run: | ssh -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes -o ConnectTimeout=10 \ "${SSH_HOST}" 'echo "connected to $(hostname) as $(whoami)"' - name: Upload archive install source if: steps.install.outputs.source == 'archive' run: | scp -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes \ "${{ steps.archive.outputs.tarball }}" "${SSH_HOST}:${{ steps.install.outputs.install_spec }}" - name: Install or update plugin on remote host env: VERSION: ${{ steps.version.outputs.value }} INSTALL_SPEC: ${{ steps.install.outputs.install_spec }} INSTALL_SOURCE: ${{ steps.install.outputs.source }} FORCE: ${{ inputs.force || 'false' }} run: | ssh -i ~/.ssh/openclaw_ed25519 -o BatchMode=yes -o ServerAliveInterval=30 \ "${SSH_HOST}" bash -s -- "${PLUGIN_NAME}" "${VERSION}" "${INSTALL_SPEC}" "${INSTALL_SOURCE}" "${FORCE}" <<'REMOTE' set -euo pipefail PLUGIN_NAME="$1" VERSION="$2" INSTALL_SPEC="$3" INSTALL_SOURCE="$4" FORCE="$5" PACKAGE="${PLUGIN_NAME}@${VERSION}" STATE_DIR="/tmp/openclaw-deploy" mkdir -p "${STATE_DIR}" echo "==> Installing ${PACKAGE} from ${INSTALL_SOURCE} on $(hostname) (force=${FORCE})" echo "==> Install spec: ${INSTALL_SPEC}" # Record the previously installed version for rollback. PREVIOUS_VERSION="" if command -v openclaw >/dev/null 2>&1; then PREVIOUS_VERSION="$(npm ls -g "${PLUGIN_NAME}" --depth=0 2>/dev/null \ | awk -F'[@:]' '/'"${PLUGIN_NAME}"'@/ {print $2; exit}' || true)" fi echo "==> Previously installed version: ${PREVIOUS_VERSION:-}" # Skip when the requested version is already present unless forced. if [ "${FORCE}" != "true" ] && [ "${PREVIOUS_VERSION}" = "${VERSION}" ]; then echo "==> ${PACKAGE} already installed and force=false; nothing to do" exit 0 fi printf '%s\n' "${PREVIOUS_VERSION}" > "${STATE_DIR}/previous-version" rollback() { local rc=$? echo "::remote-error::Install failed (exit ${rc}); attempting rollback" local prev prev="$(cat "${STATE_DIR}/previous-version" 2>/dev/null || true)" if [ -n "${prev}" ] && [ "${prev}" != "${VERSION}" ]; then echo "::remote-warning::Reinstalling ${PLUGIN_NAME}@${prev}" npm install -g "${PLUGIN_NAME}@${prev}" || true if command -v openclaw >/dev/null 2>&1; then openclaw plugins enable "${PLUGIN_NAME}" || true fi else echo "::remote-warning::No previous version recorded; leaving host as-is" fi exit "${rc}" } trap rollback ERR install_plugin() { if command -v openclaw >/dev/null 2>&1; then openclaw plugins install --force "${INSTALL_SPEC}" \ || openclaw plugins install "${INSTALL_SPEC}" \ || openclaw plugins update "${INSTALL_SPEC}" \ || npm install -g "${INSTALL_SPEC}" else npm install -g "${INSTALL_SPEC}" fi } install_plugin if command -v openclaw >/dev/null 2>&1; then openclaw plugins enable "${PLUGIN_NAME}" || true systemctl --user restart openclaw-gateway.service || true fi # Verify the installed version matches the requested version. GLOBAL_ROOT="$(npm root -g)" INSTALLED="" if [ -f "${GLOBAL_ROOT}/${PLUGIN_NAME}/package.json" ]; then INSTALLED="$(node -p "require('${GLOBAL_ROOT}/${PLUGIN_NAME}/package.json').version")" fi if [ "${INSTALLED}" != "${VERSION}" ]; then echo "::remote-error::Verification failed: expected ${VERSION}, found ${INSTALLED:-}" exit 1 fi trap - ERR rm -f "${STATE_DIR}/previous-version" echo "==> Installed plugin state:" if command -v openclaw >/dev/null 2>&1; then openclaw plugins info "${PLUGIN_NAME}" || true fi npm ls -g "${PLUGIN_NAME}" || true echo "==> ${PACKAGE} is now active on $(hostname)" REMOTE - name: Summarize deploy if: always() env: VERSION: ${{ steps.version.outputs.value }} run: | if [ "${{ job.status }}" = "success" ]; then echo "::notice::openclaw-multi-session-plugins@${VERSION} deployed to ubuntu@openclaw.svc.plus" else echo "::error::Deploy to ubuntu@openclaw.svc.plus failed for openclaw-multi-session-plugins@${VERSION}" exit 1 fi