fix: add OpenClaw plugin to npm publishing

[mnajafian-nv]

Overview

Adds the OpenClaw plugin package to the npm release path so nemo-flow-openclaw can be published for the v0.2 user install flow.

• I confirm this contribution is my own work, or I have the right to submit it under this project's license.
• I searched existing issues and open pull requests, and this does not duplicate existing work.

Details

• Removes private: true from integrations/openclaw/package.json.
• Adds a package-openclaw release recipe that follows the existing npm package versioning pattern.
• Updates OpenClaw CI to validate the package payload and upload an npm tarball artifact.
• Updates the npm release job to require OpenClaw CI and publish the OpenClaw plugin package after nemo-flow-node.

Validation:

• just --set ci true test-openclaw
• just --set output_dir /private/tmp/nemo-openclaw-pack-final --set ref_name 0.2.0 package-openclaw
• git diff --check
• uv run pre-commit run --all-files passes except for existing generated Rust docs linkcheck failures unrelated to this PR.

Where should the reviewer start?

Start with justfile for the new package-openclaw recipe, then review .github/workflows/ci_openclaw.yml and .github/workflows/ci.yaml for artifact upload and npm publish wiring.

Related Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)

• Relates to docs(openclaw): add plugin guide #79

Summary by CodeRabbit

• New Features

  • OpenClaw is now published as npm packages to the registry.

• Chores

  • OpenClaw is now a required component in the publish pipeline (previously optional).
  • Enhanced validation checks for OpenClaw packages during the build process.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 90ad49dd-36fd-4d1a-aafa-735cf2b81d88

📥 Commits

Reviewing files that changed from the base of the PR and between a311e5f and 082ec80.

📒 Files selected for processing (4)

• .github/workflows/ci.yaml
• .github/workflows/ci_openclaw.yml
• integrations/openclaw/package.json
• justfile

💤 Files with no reviewable changes (1)

• integrations/openclaw/package.json

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (5)

.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (.agents/skills/maintain-ci/SKILL.md)

.github/workflows/**/*.{yml,yaml}: Put permissions: on each job that needs token access in GitHub Actions workflows
Avoid workflow-level permissions unless the repository intentionally centralizes them and the inheritance tradeoff is documented
Keep third-party actions pinned to full commit SHAs and preserve the readable version comment after the SHA
Prefer action-native or ecosystem-native caching over generic actions/cache in GitHub Actions workflows
Use lockfiles or dependency manifests to drive cache invalidation in GitHub Actions workflows
Keep deploy and publish permissions isolated to the jobs that need them
Read both caller and callee when a workflow uses workflow_call in GitHub Actions
Put release-tag validation in the earliest practical caller job when the pipeline has tag-based publish behavior
Keep release-tag policy aligned with RELEASING.md: raw SemVer tags only, no leading v
contents: read is the default minimum for checkout-based build, test, docs, and packaging jobs
pull-requests: read is required for PR metadata lookup jobs in GitHub Actions workflows
pages: write and id-token: write should be limited to Pages deployment jobs and any caller that invokes them through a reusable workflow
For reusable workflows, the caller must grant every permission the called jobs require and the callee cannot elevate beyond what the caller provides
Prefer astral-sh/setup-uv cache support with cache-dependency-glob anchored to uv.lock for Python dependency caching
Prefer Swatinem/rust-cache with explicit shared-key and workspaces instead of ad hoc target-directory caching
Avoid caching generated outputs that can hide stale behavior unless the repo already relies on them deliberately
Ensure each job has the minimum permissions it needs during GitHub Actions CI review
Ensure reusable workflow callers grant only the scopes their callees require
Ensure every external action is pinned to a full SHA in GitHub Actions workflows
Ensure cache ...

Files:

• .github/workflows/ci_openclaw.yml
• .github/workflows/ci.yaml

{.github/**/*.{yml,yaml},*.patch,scripts/**/*,*.sh,*.bat,Dockerfile*}

📄 CodeRabbit inference engine (.agents/skills/rename-surfaces/SKILL.md)

Update CI configuration, patch files, and build scripts with new functional identifiers after rename operations

Files:

• .github/workflows/ci_openclaw.yml
• .github/workflows/ci.yaml

{.github/workflows/*.{yml,yaml},.gitlab-ci.yml}

📄 CodeRabbit inference engine (.agents/skills/maintain-packaging/SKILL.md)

Ensure CI workflow references match local package names and installation methods

Files:

• .github/workflows/ci_openclaw.yml
• .github/workflows/ci.yaml

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}

⚙️ CodeRabbit configuration file

{.github/**,.gitlab-ci.yml,.pre-commit-config.yaml,justfile,scripts/**}: Review automation changes for reproducibility, pinned versions where appropriate, secret handling, and consistency with the documented validation matrix.
Pay attention to commands that need generated native artifacts, FFI libraries, or platform-specific environment variables.

Files:

• .github/workflows/ci_openclaw.yml
• .github/workflows/ci.yaml
• justfile

justfile

📄 CodeRabbit inference engine (.agents/skills/update-project-version/SKILL.md)

justfile: Keep set_project_version, set_cargo_workspace_version, and set_node_package_version helper functions aligned with actual version fields when editing helper code
Reuse set_npm_package_version helper function for both Node and WebAssembly packaging recipes

Files:

• justfile

🧠 Learnings (1)

📚 Learning: 2026-05-03T04:23:07.497Z

Learnt from: willkill07
Repo: NVIDIA/NeMo-Flow PR: 46
File: .github/workflows/ci_rust.yml:31-64
Timestamp: 2026-05-03T04:23:07.497Z
Learning: In GitHub Actions workflow YAML, it’s valid to conditionally disable a service container by setting the service container’s `image` to an empty string (`''`) via a matrix variable (e.g., `redis_service_image: ''`). This intentionally makes the runner skip service initialization for that matrix entry rather than failing the job. When reviewing workflows, don’t flag this as an error if the workflow uses an empty `image` to disable the service on specific matrix entries (e.g., OS-specific setups); verify the `image` is sourced from the matrix variable and that the service is only expected to be available when a non-empty image is provided.

Applied to files:

• .github/workflows/ci_openclaw.yml

🔇 Additional comments (7)

justfile (2)

901-901: Good addition to test gate for package integrity.

Running pack:check in test-openclaw is a solid pre-packaging safeguard and aligns CI verification with release expectations.

---

997-1022: package-openclaw recipe is correctly wired for CI packaging.

Version derivation, helper reuse (set_npm_package_version), and the explicit .tgz presence check are all consistent with the existing packaging pattern.

.github/workflows/ci_openclaw.yml (2)

8-16: Reusable workflow input contract looks correct.

Requiring ref_type and ref_name here cleanly supports tag/non-tag version behavior in downstream packaging steps.

---

70-97: OpenClaw packaging artifact flow is well implemented.

Deriving version, invoking just package-openclaw, and enforcing if-no-files-found: error provides a reliable handoff to publish jobs.

.github/workflows/ci.yaml (3)

205-207: Caller now correctly supplies reusable workflow ref inputs.

This matches the updated ci_openclaw.yml contract and keeps version derivation deterministic.

---

300-300: CI gating update for OpenClaw publish path is correct.

Requiring OpenClaw success when publish_packages is true properly protects release publishing.

---

445-474: OpenClaw npm publish wiring is consistent end-to-end.

Downloading openclaw-npm and publishing the tarball(s) in publish-npm cleanly completes the artifact handoff from ci_openclaw.

---

Walkthrough

This PR integrates OpenClaw as a publishable npm package into the CI pipeline. It adds workflow inputs for ref tracking, unprivates the OpenClaw package manifest, introduces build targets to package the plugin, and wires up the ci_openclaw workflow to build and upload npm artifacts, which the main CI pipeline then downloads and publishes to npm with version-based dist tags.

Changes

OpenClaw npm Package Publishing

Layer / File(s)	Summary
Workflow Input Contract and Package Configuration .github/workflows/ci_openclaw.yml, integrations/openclaw/package.json	Required workflow inputs ref_type and ref_name are declared to enable dynamic version computation. OpenClaw package.json removes the "private": true flag, making the package publishable.
Local Build Targets justfile	test-openclaw adds a pack:check step for the nemo-flow-openclaw workspace. New package-openclaw target computes the package version (commit-suffixed unless ref_name is provided), installs dependencies, and produces .tgz artifacts with validation.
Workflow Packaging and Upload .github/workflows/ci_openclaw.yml	Test job introduces NEMO_FLOW_CI_WORKSPACE_TMP environment variable and extends the job with steps to compute NEMO_FLOW_PACKAGE_VERSION, execute just package-openclaw, and upload generated .tgz artifacts as openclaw-npm with mandatory error handling.
Main CI Pipeline Integration and Publishing .github/workflows/ci.yaml	Main CI workflow forwards github.ref_type and github.ref_name to the ci_openclaw call, treats OpenClaw as a required job when publishing is enabled, downloads the openclaw-npm artifact, and publishes each .tgz file in ./openclaw-package/ to npm using the computed NEMO_FLOW_NPM_DIST_TAG.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with type 'fix' and concise imperative summary under 72 characters, accurately reflecting the main change of adding OpenClaw plugin to npm publishing.
Description check	✅ Passed	The description includes all required template sections: Overview with confirmation checkboxes, Details with specific changes, reviewer guidance, and related issues. Information is complete and actionable.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[willkill07]

Good catch