Skip to content

feat(update): add release status check#882

Merged
steipete merged 3 commits into
openclaw:mainfrom
titus7490:feat/update-status
Jul 1, 2026
Merged

feat(update): add release status check#882
steipete merged 3 commits into
openclaw:mainfrom
titus7490:feat/update-status

Conversation

@titus7490

@titus7490 titus7490 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add gog update status with check alias for read-only release status checks
  • report current/latest versions, update availability, platform release asset, checksum URL/SHA-256, and install method
  • fall back from GitHub's rate-limited API to the canonical releases/latest redirect, then validate the published checksum before reporting it
  • generate command docs for the new update namespace

Notes

  • This intentionally does not write binaries, restart services, or perform self-update.
  • The command gives automation and production wrappers a stable JSON primitive they can gate with their own health checks and rollback policy.

Testing

  • make ci
  • go test ./internal/cmd -run 'Test(Update|Fetch)' -count=1
  • built-binary live JSON, plain, and check alias proof against the current GitHub release and checksums.txt
  • forced the API-rate-limit path; the release-page redirect fallback still returned the exact tag, platform asset, and validated 64-hex checksum
  • timeout failure behavior verified
  • maintainer pre-commit and exact-head autoreview: clean

Maintainer repair rebased the contributor commit onto current main, removed an unrelated constant coupling and misleading self-update capability field, bounded checksum reads, added strict digest validation, and added the changelog entry with contributor credit.

@titus7490 titus7490 force-pushed the feat/update-status branch from b5eeb53 to f85ffd2 Compare June 26, 2026 13:12
@clawsweeper

clawsweeper Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Codex review: needs maintainer review before merge. Reviewed July 1, 2026, 4:01 AM ET / 08:01 UTC.

Summary
The PR adds gog update status with a check alias, GitHub release/checksum lookup, version/platform/install-method reporting, generated command docs, and unit tests.

Reproducibility: not applicable. This PR adds a new release-status command rather than reporting broken existing behavior. The review path is source/diff inspection plus posted terminal proof for the new CLI behavior.

Review metrics: 2 noteworthy metrics.

  • Command surface: 1 namespace, 1 subcommand, 1 alias. The PR creates a new user-facing CLI contract whose shape should be accepted intentionally before release.
  • Diff scope: 9 files changed, +735/-1. Most of the change is one new command with generated docs and tests, which is reviewable but not a narrow bug fix.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Get maintainer confirmation that gog update status and its JSON/plain fields belong in core before release.

Risk before merge

  • [P1] Merging publishes a new top-level gog update status/check command plus JSON/plain fields that automation may treat as stable; CI can validate behavior but cannot decide whether core should own that contract.

Maintainer options:

  1. Accept the command contract before merge (recommended)
    A maintainer can explicitly accept the gog update status namespace, check alias, and JSON/plain fields as stable core surface for the next release.
  2. Narrow or relocate the surface
    If the top-level namespace or fields are too broad, revise the PR to the maintainer-preferred command placement or smaller output contract before merge.
  3. Pause if core should not own this
    If release-status checks belong in wrappers or distribution tooling, pause or close the PR without treating the implementation quality as the blocker.

Next step before merge

  • [P2] The remaining action is maintainer product/API review for a new command and output contract, not a narrow automated code repair.

Security
Cleared: The diff adds unauthenticated read-only GitHub release metadata and checksum reads without new dependencies, workflow changes, credentials, secrets, or binary write paths.

Review details

Best possible solution:

Land this as a core release-status command only after maintainers explicitly accept the namespace, alias, and output contract; otherwise keep release checks in external automation or revise the command placement before release.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR adds a new release-status command rather than reporting broken existing behavior. The review path is source/diff inspection plus posted terminal proof for the new CLI behavior.

Is this the best way to solve the issue?

Unclear: the implementation is narrow and tested, but the repository vision asks for discussion before new product/API surfaces and command-structure changes. A maintainer should decide whether this belongs in core as gog update status before release.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against cc86bfe0a00e.

Label changes

Label justifications:

  • P3: This is a low-urgency optional CLI feature with limited blast radius and no confirmed correctness or security defect.
  • merge-risk: 🚨 other: The main merge risk is product/API-surface commitment: the new command and output fields become stable automation surface once released.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR includes terminal output from a fresh build for JSON and plain modes, and the updated body records live release, fallback, alias, timeout, and exact-head validation after the maintainer repair.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR includes terminal output from a fresh build for JSON and plain modes, and the updated body records live release, fallback, alias, timeout, and exact-head validation after the maintainer repair.
Evidence reviewed

What I checked:

  • Repository policy read: AGENTS.md was read fully; its PR-review guidance, generated-docs expectations, and parseable-output guidance informed the review. (AGENTS.md:1, cc86bfe0a00e)
  • Product-surface guidance: VISION.md says new product/API surfaces and command-structure changes should be discussed first, which applies to a new top-level update namespace and output contract. (VISION.md:20, cc86bfe0a00e)
  • Current main lacks the command: Current main's root command registry goes from Time to Gmail; there is no UpdateCmd registration on main. (internal/cmd/root.go:88, cc86bfe0a00e)
  • PR registers new CLI surface: The PR head adds Update UpdateCmd as a top-level command and defines status with the check alias. (internal/cmd/root.go:89, 0df2cb33b8c3)
  • PR implements release status reporting: The new command reports current/latest versions, update availability, platform asset URL/checksum, install method, executable, and warnings, then emits JSON or TSV-style text. (internal/cmd/update.go:45, 0df2cb33b8c3)
  • Tests cover core behavior: The PR adds httptest-backed JSON output coverage, malformed checksum rejection, GitHub redirect fallback, the check alias, and version comparison cases. (internal/cmd/update_test.go:13, 0df2cb33b8c3)

Likely related people:

  • steipete: Current-main blame for the root command registry, version metadata, and GoReleaser asset naming points to this contributor, and GitHub history shows recent work across the same CLI/release paths. (role: recent CLI/release area contributor; confidence: high; commits: 608aa46e7b9c, 4cac149d75a7, 2c9c1dcc8bbb; files: internal/cmd/root.go, internal/cmd/version.go, .goreleaser.yaml)
  • LeanSheng: Authored the embedded VERSION fallback that resolvedVersion uses, which this PR relies on for current-version reporting and User-Agent construction. (role: version metadata contributor; confidence: medium; commits: 51283d56c705; files: internal/cmd/version.go, internal/cmd/VERSION, docs/RELEASING.md)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jun 26, 2026
@titus7490

Copy link
Copy Markdown
Contributor Author

Added real behavior proof for the current PR head f85ffd26ceea.

Fresh build:

$ make build
$ ./bin/gog --json update status

Output:

{
  "current_version": "v0.31.1-3-gf85ffd26",
  "current_commit": "f85ffd26ceea",
  "current_date": "2026-06-26T17:29:58Z",
  "latest_version": "v0.31.1",
  "latest_url": "https://github.com/openclaw/gogcli/releases/tag/v0.31.1",
  "update_available": false,
  "platform": "linux/amd64",
  "platform_asset": "gogcli_0.31.1_linux_amd64.tar.gz",
  "platform_asset_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/gogcli_0.31.1_linux_amd64.tar.gz",
  "checksum_available": true,
  "checksums_url": "https://github.com/openclaw/gogcli/releases/download/v0.31.1/checksums.txt",
  "platform_asset_sha256": "5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2",
  "install_method": "standalone",
  "executable": "/root/.openclaw/workspace/upstream/gogcli-update-status/bin/gog",
  "self_update_supported": true
}

Plain output also works:

current_version	v0.31.1-3-gf85ffd26
current_commit	f85ffd26ceea
current_date	2026-06-26T17:29:58Z
latest_version	v0.31.1
update_available	false
platform	linux/amd64
platform_asset	gogcli_0.31.1_linux_amd64.tar.gz
platform_asset_sha256	5f5c35eb8c5603a59ee1eaf31909463f4e8c5f645130d9a4296571966a77aef2
install_method	standalone
self_update_supported	true

The command is read-only: it only reads GitHub release metadata and local executable/build metadata; it does not write binaries, restart services, or modify local state.

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. and removed rating: 🧂 unranked krab Not merge-ready due to missing proof or serious correctness/safety concerns. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jun 26, 2026
@steipete steipete force-pushed the feat/update-status branch from f85ffd2 to 0df2cb3 Compare July 1, 2026 07:33
@steipete steipete merged commit d405310 into openclaw:main Jul 1, 2026
5 checks passed
@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Landed by rebase after maintainer repair and exact-head proof.

Maintainer decision: accept gog update status / update check as a core contract. It is a small, read-only, agent-friendly release primitive; no self-update or write path is implied.

Proof on source head 0df2cb33b8c3591f1aab3904aca1d7f9d683dbe8:

  • make ci — format, lint, full Go tests, docs generation/coverage, and script tests passed.
  • go test ./internal/cmd -run 'Test(Update|Fetch)' -count=1 passed.
  • Source-blind built-binary validation passed JSON, plain TSV, check alias, impossible-timeout failure, and read-only workspace probes.
  • The unauthenticated GitHub API returned HTTP 403 during proof; the canonical releases/latest fallback still resolved v0.31.1, constructed the correct platform asset URL, and matched the published 64-hex SHA-256 from checksums.txt.
  • Final autoreview: clean, no accepted/actionable findings (0.86).
  • Exact-head CI: Linux test/lint/deadcode/docs, Windows, Darwin CGO, worker, and Docker image all passed.

Landed commits: contributor-authored 85b7d501, maintainer hardening 38a84717, lint closeout d405310c.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

merge-risk: 🚨 other 🚨 Merging this PR has meaningful risk outside the owned taxonomy. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. proof: sufficient Contributor real behavior proof is sufficient. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants