Add pre-built armv7 (32-bit ARM hard-float) binary to all release
workflows: stable, beta, and cross-platform manual build. Uses
gcc-arm-linux-gnueabihf cross-compiler on ubuntu-22.04 for glibc 2.35
compatibility.
The install script already maps armv7l/armv6l to this target, so
users on Raspberry Pi and similar devices will be able to install
directly via the install script once binaries are published.
Closes#3759
Add channel-lark to the cargo --features flag in all release and
cross-platform build workflows, and to the Docker build-args. This
gives users Feishu/Lark channel support out of the box without needing
to compile from source.
The channel-lark feature depends only on dep:prost (pure Rust protobuf),
so it is safe to enable on all platforms (Linux, macOS, Windows, Android).
The GHCR image v0.5.0 fails to start when users configure the postgres
memory backend because the binary was compiled without the
memory-postgres cargo feature. Add it to all build configurations:
Dockerfiles (default ARG), release workflows (cargo build --features),
and Docker push steps (ZEROCLAW_CARGO_FEATURES build-arg).
Fixes#3946
The Debian compatibility image was building from source with QEMU
cross-compilation for ARM64, which is extremely slow and was getting
cancelled by the concurrency group. Switch to using pre-built binaries
(same as the distroless image) with a debian:bookworm-slim runtime base.
- Add Dockerfile.debian.ci (mirrors Dockerfile.ci with Debian runtime)
- Update release-beta-on-push.yml to use docker-ctx + pre-built bins
- Update release-stable-manual.yml with same fix
- Drop GHA cache layers (no longer building from source)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Remove tweet job from beta workflow. Update tweet-release.yml to diff
against previous stable tag (excluding betas) to capture all features
across the full release cycle. Simplify tweet format to feature-focused
style without contributor counts.
Supersedes #3575.
Instead of compiling Rust from source inside Docker (~60 min),
download the already-built linux binaries from the build matrix
and copy them into a minimal distroless image (~2 min).
- Add Dockerfile.ci for release workflows (no Rust toolchain needed)
- Update both beta and stable workflows to use pre-built artifacts
- Drop Docker job timeout from 60 to 15 minutes
- Original Dockerfile unchanged for local dev builds
Remove Docker from the tweet job's dependency chain in both beta and
stable release workflows. Docker multi-platform builds are slow and
can be cancelled by concurrency groups, which was blocking the tweet
from ever firing. The tweet announces the GitHub Release, not the
Docker image.
- Tweet workflow: stable releases always tweet (no feature-check gate);
beta tweets now also trigger on fix() commits, not just feat()
- Beta release: use cancel-in-progress to avoid queued runs getting
stuck when rapid merges hit the concurrency group
The aarch64-unknown-linux-gnu build runs on ubuntu-22.04 (glibc 2.35)
but was restoring cached build-script binaries compiled on ubuntu-latest
(24.04, glibc 2.39), causing GLIBC_2.39 not found failures.
Adding prefix-key with the OS image and target ensures each matrix entry
gets its own isolated cache, preventing cross-image glibc mismatches.
The auto-generated What's New and Recent Contributors README sections
have been removed, so the sync-readme workflow and its backing script
are no longer needed.
The tweet was firing on `release: published` immediately when the GitHub
Release was created, but Docker push, crates.io publish, and website
redeploy were still in-flight. This meant users saw the tweet before
they could actually pull the new Docker image or install from crates.io.
Convert tweet-release.yml and sync-readme.yml to reusable workflows
(workflow_call) and call them as the final jobs in both release
pipelines, gated on completion of docker, crates-io, and
redeploy-website jobs.
Before: gh release create → tweet fires immediately (race condition)
After: gh release create → docker + crates + website → tweet + readme
Add prebuilt binary support for Termux/Android devices:
- Add aarch64-linux-android to stable and beta release matrices with NDK setup
- Detect Termux in install.sh and map to the correct android target
- Add Termux pkg manager support for system dependency installation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Multi-platform Docker builds (linux/amd64 + linux/arm64) with fat LTO
and codegen-units=1 consistently exceed 30 minutes. Bump to 60m.
Also skip crates.io publish when the version already exists (the
auto-sync workflow may have published it before the stable release
runs).
- Use --notes-file instead of --notes to safely handle multiline
release notes with special characters
- Add explicit --repo flag for resilience
- Simplify redeploy-website condition to only run on publish success
The softprops/action-gh-release action creates the release first, then
uploads assets in separate API calls. GitHub's immutable release policy
rejects those subsequent uploads, causing "Cannot upload assets to an
immutable release" errors. The gh CLI uploads assets atomically with
release creation, avoiding this race condition.
Also moves website redeploy into a separate job that runs regardless of
publish outcome, so the site stays in sync even if asset upload fails.
* feat(release): bump to v0.2.0, auto-tweet with features + contributors
- Bump version from 0.1.9 to 0.2.0
- Release notes now auto-generate from feat() commits only (no bug
fixes) keeping them clean and concise
- Contributors are always featured in release notes, pulled from
git log authors and Co-Authored-By trailers
- Tweet workflow now fires on all releases (beta + stable), auto-
generates punchy feature-focused tweets with contributor shoutouts
- Stable release workflow gets the same release notes treatment
- Tweet gracefully skips if Twitter secrets aren't configured
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(release): credit all contributors, wider range, filter bots
- Use wider git range for contributor collection — skips same-version
betas to capture everyone who contributed to the release, not just
the last incremental push
- Filter out bot accounts (dependabot, github-actions, copilot, etc.)
from contributor lists
- Tweet shows up to 6 contributors with "+ N more" when there are
extras, ensuring everyone gets credit
- Deduplicate contributors across git authors and Co-Authored-By
- Deduplicate features with sort -uf for cleaner notes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(release): use last stable tag for contributor range, not last beta
Ensures the tweet and release notes capture ALL contributors since the
last stable release (e.g. v0.1.9a), not just since the last beta tag.
This gives proper credit to everyone who contributed across the full
release cycle.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The website at zeroclawlabs.ai shows a copy button with
curl -fsSL https://zeroclawlabs.ai/install.sh | bash but the website
does not serve the script, returning 404.
Add install.sh as a GitHub release asset in both beta and stable
workflows so it is always available at a stable URL. Pass the raw
GitHub URL in the website redeploy dispatch payload so the website
can configure a redirect or proxy for /install.sh.
Closes#3463
After publishing a beta or stable release, dispatch a
repository_dispatch event to zeroclaw-website so it rebuilds
with the latest version tag automatically.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The default GITHUB_TOKEN cannot bypass the "Release Tags - Restricted
Operators" ruleset, causing beta releases to fail with a 422 validation
error. Switch to a PAT stored as RELEASE_TOKEN that has bypass permissions.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Argenis <theonlyhennygod@gmail.com>
CI workflows use ubuntu-latest (24.04, glibc 2.39) while release
workflows used ubuntu-22.04 (glibc 2.35). Swatinem/rust-cache keys
on runner.os ("Linux"), not the specific version, so cached build
scripts compiled on 24.04 would fail on 22.04 with GLIBC_2.39 not
found errors.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(onboard): add --reinit flag to prevent accidental config overwrite
Add --reinit flag to onboard command that:
- Backs up existing ~/.zeroclaw directory with timestamp
- Starts fresh initialization after backup
- Requires --interactive mode to work
- Prevents accidental configuration loss
This addresses issue #3013 where onboard could accidentally
overwrite all configuration without warning.
Closes#3013🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(ci): SHA-pin all third-party GitHub Actions
Replace mutable version tags with immutable commit SHAs to prevent
tag-hijacking supply chain attacks (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: retrigger CI after startup_failure
* fix(onboard): address PR #3102 review issues for --reinit flag
- Use resolve_runtime_dirs_for_onboarding() instead of hardcoded ~/.zeroclaw
- Remove unsafe relative path fallback, bail instead
- Add user confirmation prompt before reinitializing config
- Update docs/reference/cli/commands-reference.md with --reinit docs
* style: fix cargo fmt and clippy violations
- Fix import ordering in src/config/mod.rs (rustfmt)
- Collapse single-arg encrypt/decrypt calls in src/config/schema.rs (rustfmt)
- Box::pin large onboard futures to fix clippy::large_futures in src/main.rs
These violations were blocking CI lint checks.
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Simian Astronaut 7 <simianastronaut7@gmail.com>
Instead of each build matrix job independently installing Node.js and
running npm ci/build, extract web dashboard build into a single job
that uploads web/dist/ as an artifact. Build jobs download it before
cargo build. Reduces total CI time by ~3 Node installs + builds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
RustEmbed requires web/dist/ to exist at compile time. The PR checks
workflow used a placeholder mkdir, but release workflows need real
built assets since they produce the distributed binary. Add Node.js
setup and npm ci/build before cargo build in all three release/build
workflows.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Narrow workflow-level permissions to contents:read and grant
write access only to the specific jobs that need it (publish
gets contents:write, docker gets packages:write). Reduces blast
radius if a build step is compromised (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace mutable version tags with immutable commit SHAs to prevent
tag-hijacking supply chain attacks (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename all 4 workflow files to match trigger and purpose
- Expand PR quality gate with dedicated lint and security audit jobs
- Align workflow display names, concurrency groups, and all doc references
