Plugin packages are published through the plugin release workflow, separately from the main CLI package flow.
For official plugin packages, the recommended long-term automation model is:
- Keep the shared plugin workflow in
.github/workflows/publish-plugin.yml - Configure one reusable
NPM_TOKENsecret in the publishing repository - Publish every plugin through the same workflow
This is the only fully automated path for brand-new plugin packages because npm Trusted Publishing is configured per package after the package already exists.
The workflow still keeps id-token: write enabled so existing packages may also use npm OIDC trust later, but the plugin system should assume NPM_TOKEN is the always-available automation path.
- Create a granular npm access token for the
@clawplaysscope with:- package read and write access
- bypass 2FA enabled
- package selection broad enough to cover future official plugins
- Add the token to the GitHub repository as the
NPM_TOKENsecret. - Keep plugin package metadata accurate:
nameversionrepositoryhomepagebugs
- Merge the workflow changes to
main.
When provenance is unavailable for the publishing repository, the workflow can publish without --provenance.
- Update
plugins/<id>/ - Run
npm run plugins:check -- --plugin <id> - Optionally run
npm run plugins:pack -- --plugin <id> - Tag the release as
plugin-<id>@<version> - Publish through the plugin workflow or with
npm run plugins:publish -- --plugin <id>
- Commit and push the plugin changes.
- Push a tag named
plugin-<id>@<version>. - GitHub Actions validates the plugin metadata and publishes the package.
- The same workflow also supports
workflow_dispatchfor manual retries.
You can also run the workflow manually with workflow_dispatch and pass:
plugin_idexpected_version(optional)ref(optional)
For Checkpoint or any plugin that contributes archive gates, release readiness must include runtime evidence checks, not only package metadata:
- Run
npm run plugins:check -- --plugin <id>. - For Checkpoint changes, run
ospec plugins doctor checkpoint [path]and fixroutes.yaml/flows.yamldiagnostics before publishing. - Confirm the plugin records evidence coverage for screenshots, traces, visual diffs, routes, flows, assertions, console events, network events, and accessibility checks when those steps are active.
- Confirm missing baselines or missing runtime evidence produce actionable repair guidance instead of a generic pass/fail message.
- Run a project-level
ospec verify [changes/active/<change>]andospec archive [changes/active/<change>] --checkagainst a Checkpoint-enabled sample change before release when the plugin changes gate behavior.
- Create
plugins/<id>/package.json. - Add the plugin entry to
plugins/catalog.json. - Run
npm run plugins:sync. - Run
npm run plugins:check -- --plugin <id>. - Optionally run
npm run plugins:pack -- --plugin <id>to review the tarball contents. - Merge the plugin to
main. - Publish the plugin through the shared workflow using
NPM_TOKEN. - Keep the public plugin registry snapshot in
clawplays/ospec/plugins/registry.jsonin sync so existing CLI installs can discover the new plugin without waiting for the next CLI npm release.
No workflow changes are required for a new plugin as long as it follows the same plugins/<id> layout and tag format.
@clawplays/ospec-clikeeps its existing package release flow- plugin packages keep a separate publish flow from the main CLI package
- the public plugin registry snapshot is kept in sync so official plugin metadata can refresh independently of plugin package publishing