Skip to content

chore(deps): bump openclaw/clawhub/.github/workflows/package-publish.yml from 0.12.0 to 0.19.0#2438

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/openclaw/clawhub/dot-github/workflows/package-publish.yml-0.19.0
Closed

chore(deps): bump openclaw/clawhub/.github/workflows/package-publish.yml from 0.12.0 to 0.19.0#2438
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/openclaw/clawhub/dot-github/workflows/package-publish.yml-0.19.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor

Bumps openclaw/clawhub/.github/workflows/package-publish.yml from 0.12.0 to 0.19.0.

Release notes

Sourced from openclaw/clawhub/.github/workflows/package-publish.yml's releases.

clawhub 0.18.0

0.18.0 - 2026-05-25

Changes

  • CLI/API: add Skill Card verification surfaces, including clawhub skill verify <slug> JSON output and --card Markdown retrieval (#2382).
  • Web/API: surface an "API key required" attribute on skills so listings, cards, and detail views show whether a skill needs an LLM API key, with publish-time inference from skill prompts and metadata (#2353) (thanks @​momothemage).

Fixes

  • API: fix GET /api/v1/skills pagination so cursor advances to the next page instead of repeating the first page for supported non-trending sorts (#2275) (thanks @​vyctorbrzezowski, @​enerj).

Release Proof

clawhub 0.17.0

0.17.0 - 2026-05-19

  • CLI/API: add self-serve org publisher creation with clawhub publisher create <handle> and scoped package publish errors that point to the command.

Release Proof

clawhub 0.16.0

0.16.0 - 2026-05-18

Fixes

  • CLI/API: make package publishes robust under parallel same-publisher release jobs by avoiding unnecessary shared publisher writes, retrying transient Convex contention, and labeling contention separately from package validation failures (#2291).
  • Security: move upload ClawScan classification to a GitHub Actions Codex worker, treat VirusTotal as telemetry-only signal, and trust verified @openclaw/* plugin packages by default.
  • Security: cancel pending skill ownership transfers before rejecting accept attempts when the requester is inactive or the skill is hidden, removed, or malicious (#2276, #2277) (thanks @​vyctorbrzezowski).
  • API/CLI: fix package delete returning 500 for packages with capability tags when no capability search digest row existed yet (#2212) (thanks @​momothemage).
  • API: return a clear 400 for /api/v1/packages/search without a non-empty q instead of treating search as a package name (thanks @​vyctorbrzezowski).
  • Web/API: keep search results limited to items with match evidence, preserve trust and popularity as tie-breakers, and show N+ counts without exact count queries (#2206) (thanks @​vyctorbrzezowski).
  • Web: preserve ownerHandle through legacy skill publish redirects so org admins land in the correct new-version owner context (#2177).
  • Settings: save display name/bio changes even when a legacy personal publisher handle conflict prevents publisher profile sync (#1199).
  • Auth: show a visible error if the GitHub sign-in request fails before the provider redirect starts (#2197).
  • Schema: include .tsv, .conf, .properties, and .dat in the exported text-file allowlist and regenerate the committed schema package runtime (#2172, #874) (thanks @​alexuser).
  • API: return 400 for invalid known public package filters and invalid skill list sort values, while continuing to ignore unknown query parameters (#2184).

... (truncated)

Changelog

Sourced from openclaw/clawhub/.github/workflows/package-publish.yml's changelog.

0.19.0 - 2026-06-03

Changes

  • CLI/API: add authenticated clawhub scan submit/poll support for ephemeral local skill bundles and owner-authorized published skill scans, including JSON output and report ZIP downloads (#2479).

Fixes

  • Auth/Ops: keep GitHub account-age lookups on immutable numeric IDs, retry without auth when a configured GitHub token is rejected, and add an operator backfill for missing cached account ages.
  • API/CLI: report Skill Card verification with flattened skill/version metadata, ClawScan verdict fields at security.*, and supporting scanner evidence under security.signals.

0.18.0 - 2026-05-25

Changes

  • CLI/API: add Skill Card verification surfaces, including clawhub skill verify <slug> JSON output and --card Markdown retrieval (#2382).
  • Web/API: surface an "API key required" attribute on skills so listings, cards, and detail views show whether a skill needs an LLM API key, with publish-time inference from skill prompts and metadata (#2353) (thanks @​momothemage).

Fixes

  • API: fix GET /api/v1/skills pagination so cursor advances to the next page instead of repeating the first page for supported non-trending sorts (#2275) (thanks @​vyctorbrzezowski, @​enerj).
  • Web: block collaborative membership on personal publishers while allowing the linked owner to clean up stale extra membership rows (thanks @​vyctorbrzezowski).
  • Security/API: hide owned package/plugin catalog entries, revoke package publish tokens, and restore only matching ban-hidden packages on user unban (thanks @​vyctorbrzezowski).
  • API: block public raw skill files when moderation already blocks downloads and reject skill tags that point at another skill's version (thanks @​vyctorbrzezowski).
  • Web: stop stale unban restore batches from reactivating skills after the owner is banned again or deactivated (thanks @​vyctorbrzezowski).
  • Security/API: reject direct skill owner transfers when the skill is hidden, suspicious, or malicious (thanks @​vyctorbrzezowski).
  • Security/API: revalidate package publish actor, owner, and owner publisher active state in the final release insert (thanks @​vyctorbrzezowski).

0.17.0 - 2026-05-19

  • CLI/API: add self-serve org publisher creation with clawhub publisher create <handle> and scoped package publish errors that point to the command.

0.16.0 - 2026-05-18

Fixes

  • CLI/API: make package publishes robust under parallel same-publisher release jobs by avoiding unnecessary shared publisher writes, retrying transient Convex contention, and labeling contention separately from package validation failures (#2291).
  • Security: move upload ClawScan classification to a GitHub Actions Codex worker, treat VirusTotal as telemetry-only signal, and trust verified @openclaw/* plugin packages by default.
  • Security: cancel pending skill ownership transfers before rejecting accept attempts when the requester is inactive or the skill is hidden, removed, or malicious (#2276, #2277) (thanks @​vyctorbrzezowski).
  • API/CLI: fix package delete returning 500 for packages with capability tags when no capability search digest row existed yet (#2212) (thanks @​momothemage).
  • API: return a clear 400 for /api/v1/packages/search without a non-empty q instead of treating search as a package name (thanks @​vyctorbrzezowski).
  • Web/API: keep search results limited to items with match evidence, preserve trust and popularity as tie-breakers, and show N+ counts without exact count queries (#2206) (thanks @​vyctorbrzezowski).
  • Web: preserve ownerHandle through legacy skill publish redirects so org admins land in the correct new-version owner context (#2177).
  • Settings: save display name/bio changes even when a legacy personal publisher handle conflict prevents publisher profile sync (#1199).
  • Auth: show a visible error if the GitHub sign-in request fails before the provider redirect starts (#2197).
  • Schema: include .tsv, .conf, .properties, and .dat in the exported text-file allowlist and regenerate the committed schema package runtime (#2172, #874) (thanks @​alexuser).
  • API: return 400 for invalid known public package filters and invalid skill list sort values, while continuing to ignore unknown query parameters (#2184).
  • API/docs: document v1 plain-text error responses and expose owner metadata in the OpenAPI search result schema (#2187) (thanks @​vyctorbrzezowski).
  • Web: rank publisher card preview items by downloads instead of recent publish order (thanks @​vyctorbrzezowski).
  • Web: remove the desktop Files tab height cap and make mobile truncation explicit (thanks @​vyctorbrzezowski).

... (truncated)

Commits
  • 909a471 chore: bump clawhub cli to 0.19.0 (#2486)
  • e8cfbdd feat: add clawhub scan command (#2479)
  • 162528a feat: show plugin download counts (#2484)
  • 74aa610 fix: gate local Codex workers (#2472)
  • 858a121 fix(plugins): rewrite relative README image URLs to source-host raw URLs (#2412)
  • 953358a fix: use GitHub App auth for GitHub account lookups
  • 0a79612 feat: add security audit download export (#2477)
  • 9b5d2e0 fix: speed GitHub account-age backfill scan
  • ce62df9 fix: batch GitHub account-age backfill writes
  • 0abdbf4 fix: harden GitHub account age lookup
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump openclaw/clawhub/.github/workflows/package-publish.yml
308bd30 
Bumps [openclaw/clawhub/.github/workflows/package-publish.yml](https://github.com/openclaw/clawhub) from 0.12.0 to 0.19.0.
- [Release notes](https://github.com/openclaw/clawhub/releases)
- [Changelog](https://github.com/openclaw/clawhub/blob/main/CHANGELOG.md)
- [Commits](openclaw/clawhub@v0.12.0...v0.19.0)

---
updated-dependencies:
- dependency-name: openclaw/clawhub/.github/workflows/package-publish.yml
  dependency-version: 0.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 4, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot mentioned this pull request Jun 4, 2026
Closed
@dependabot @github

dependabot Bot commented on behalf of github Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #2561.

@dependabot dependabot Bot closed this Jun 11, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/openclaw/clawhub/dot-github/workflows/package-publish.yml-0.19.0 branch June 11, 2026 10:23
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenViking project Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

OpenViking project
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants