feat: argumentizing OpenClaw version#1600
Closed
hunglp6d wants to merge 10 commits intoNVIDIA:mainfrom
Closed
Conversation
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughParameterizes OpenClaw via a build argument: GitHub Actions accepts an optional Changes
Sequence DiagramsequenceDiagram
participant User
participant GH as "GitHub Actions"
participant Docker as "Docker Build"
participant FS as "File System"
participant Blueprint as "nemoclaw-blueprint/blueprint.yaml"
participant NPM as "npm Registry"
User->>GH: Trigger workflow (optional openclaw_version)
GH->>Docker: Start build (with/without OPENCLAW_VERSION)
Docker->>FS: Read `Dockerfile.base` (ARG/default)
Docker->>Blueprint: Read `min_openclaw_version`
Blueprint-->>Docker: Return minimum version
Docker->>Docker: Validate OPENCLAW_VERSION format
Docker->>Docker: Compare OPENCLAW_VERSION >= min_openclaw_version
Docker->>NPM: npm view openclaw@{OPENCLAW_VERSION} version
NPM-->>Docker: Version exists?
Docker->>Docker: npm install -g openclaw@{OPENCLAW_VERSION}
Docker-->>GH: Build complete (success/failure)
GH-->>User: Notify result
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
84b5086 to
b8b8e05
Compare
thaihuynhxyz
reviewed
Apr 8, 2026
thaihuynhxyz
left a comment
There was a problem hiding this comment.
Can we have some tests prove this change work?
namng-n4a
suggested changes
Apr 8, 2026
|
LGTM! |
thaihuynhxyz
reviewed
Apr 8, 2026
561844c to
9c66129
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/base-image.yaml (1)
17-26:⚠️ Potential issue | 🟠 MajorAlso rebuild the base image when the blueprint minimum changes.
Dockerfile.basenow readsnemoclaw-blueprint/blueprint.yamlduring the build, so a push that only changesmin_openclaw_versionwill skip this workflow and leavesandbox-base:latestbehind the repo's declared minimum until somebody manually dispatches a rebuild.🐛 Proposed fix
push: branches: [main] paths: - "Dockerfile.base" + - "nemoclaw-blueprint/blueprint.yaml"Also applies to: 71-83
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/base-image.yaml around lines 17 - 26, Update the GitHub Actions trigger so changes to the blueprint's minimum version cause a rebuild: include the blueprint file path (nemoclaw-blueprint/blueprint.yaml) and any blueprint directory patterns in the push.paths array alongside "Dockerfile.base" (and mirror the same addition in the other push trigger region around lines 71-83) so pushes that modify min_openclaw_version will run the workflow to rebuild sandbox-base:latest.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Dockerfile.base`:
- Around line 132-140: The RUN step that extracts OPENCLAW_MIN_VERSION (via
grep/awk/tr) must fail the build if parsing yields an empty value; update the
Dockerfile RUN block to validate OPENCLAW_MIN_VERSION after assignment (check if
OPENCLAW_MIN_VERSION is non-empty and matches a semantic-version regex) and if
not, print a clear error and exit 1 before the sort -V comparison or npm check;
reference the variable name OPENCLAW_MIN_VERSION and the existing RUN pipeline
so you add a conditional that aborts when parsing fails.
---
Outside diff comments:
In @.github/workflows/base-image.yaml:
- Around line 17-26: Update the GitHub Actions trigger so changes to the
blueprint's minimum version cause a rebuild: include the blueprint file path
(nemoclaw-blueprint/blueprint.yaml) and any blueprint directory patterns in the
push.paths array alongside "Dockerfile.base" (and mirror the same addition in
the other push trigger region around lines 71-83) so pushes that modify
min_openclaw_version will run the workflow to rebuild sandbox-base:latest.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: d3395301-d9a0-429c-b713-80bf3e38e4e7
📒 Files selected for processing (4)
.github/workflows/base-image.yamlDockerfile.basescripts/install.shtest/install-preflight.test.js
Contributor
There was a problem hiding this comment.
♻️ Duplicate comments (1)
Dockerfile.base (1)
132-140:⚠️ Potential issue | 🟠 MajorFail closed if
min_openclaw_versioncannot be parsed.The
OPENCLAW_MIN_VERSIONextraction pipeline (grep | awk | tr) silently yields an empty string if the key is missing or renamed inblueprint.yaml. When empty, thesort -Vcomparison trivially passes because an empty string sorts before any version, effectively disabling the minimum-version guard without failing the build.🐛 Proposed fix to validate OPENCLAW_MIN_VERSION is non-empty
RUN --mount=type=bind,source=nemoclaw-blueprint/blueprint.yaml,target=/tmp/blueprint.yaml \ echo "$OPENCLAW_VERSION" | grep -qxE '[0-9]+(\.[0-9]+)*' \ || { echo "Error: OPENCLAW_VERSION='$OPENCLAW_VERSION' is invalid (expected e.g. 2026.3.11)."; exit 1; }; \ OPENCLAW_MIN_VERSION=$(grep 'min_openclaw_version' /tmp/blueprint.yaml | awk '{print $2}' | tr -d '"') \ + && [ -n "$OPENCLAW_MIN_VERSION" ] \ + || { echo "Error: Could not parse min_openclaw_version from nemoclaw-blueprint/blueprint.yaml"; exit 1; }; \ && if [ "$(printf '%s\n%s' "$OPENCLAW_MIN_VERSION" "$OPENCLAW_VERSION" | sort -V | head -n1)" != "$OPENCLAW_MIN_VERSION" ]; then \ echo "Error: OpenClaw version ${OPENCLAW_VERSION} is below the minimum required version ${OPENCLAW_MIN_VERSION}"; \ echo "Hint: Update min_openclaw_version in nemoclaw-blueprint/blueprint.yaml or use a newer version."; exit 1; \ fi \🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.base` around lines 132 - 140, The min-version guard can be bypassed when OPENCLAW_MIN_VERSION is empty; update the RUN step that sets OPENCLAW_MIN_VERSION (the grep/awk/tr pipeline reading nemoclaw-blueprint/blueprint.yaml) to validate the extracted OPENCLAW_MIN_VERSION is non-empty and fail the build if it is missing or cannot be parsed: after computing OPENCLAW_MIN_VERSION check if it is empty (e.g. test -z "$OPENCLAW_MIN_VERSION") and emit a clear error message and exit non-zero before proceeding to the sort -V comparison and npm view check so the build fails fast when min_openclaw_version is absent or malformed.
🧹 Nitpick comments (1)
test/install-preflight.test.js (1)
1519-1523: Consider aligning regex with install.sh or adding a guard for missing match.The regex
/ARG OPENCLAW_VERSION=(\S+)/doesn't allow whitespace around=, but the install.sh awk pattern does ([[:space:]]*=[[:space:]]*). If someone reformats the Dockerfile toARG OPENCLAW_VERSION = 2026.3.11, the test would extractundefinedand fail with a confusing assertion message.🔧 Optional: Add guard or align regex
it("resolve_openclaw_version: falls back to Dockerfile.base when package.json omits it", () => { - const expected = fs.readFileSync(path.join(import.meta.dirname, "..", "Dockerfile.base"), "utf-8") - .match(/ARG OPENCLAW_VERSION=(\S+)/)?.[1]; + const dockerfileContent = fs.readFileSync(path.join(import.meta.dirname, "..", "Dockerfile.base"), "utf-8"); + const expected = dockerfileContent.match(/ARG\s+OPENCLAW_VERSION\s*=\s*(\S+)/)?.[1]; + expect(expected).toBeDefined(); // fail fast with clear message if format changes const r = callInstallerFn('resolve_openclaw_version "$PWD"'); expect(r.stdout.trim()).toBe(expected); });🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@test/install-preflight.test.js` around lines 1519 - 1523, The test in resolve_openclaw_version uses a strict regex /ARG OPENCLAW_VERSION=(\S+)/ which fails if there is whitespace around '='; update the extraction in the test that reads Dockerfile.base to either use a whitespace-tolerant pattern (e.g. allow \s* around '=') or check the match before indexing (guard match and fail with a clear message), and keep the rest of the test using callInstallerFn('resolve_openclaw_version "$PWD"') and expect(r.stdout.trim()).toBe(expected) so the test either extracts the version robustly or asserts a helpful error when expected is missing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@Dockerfile.base`:
- Around line 132-140: The min-version guard can be bypassed when
OPENCLAW_MIN_VERSION is empty; update the RUN step that sets
OPENCLAW_MIN_VERSION (the grep/awk/tr pipeline reading
nemoclaw-blueprint/blueprint.yaml) to validate the extracted
OPENCLAW_MIN_VERSION is non-empty and fail the build if it is missing or cannot
be parsed: after computing OPENCLAW_MIN_VERSION check if it is empty (e.g. test
-z "$OPENCLAW_MIN_VERSION") and emit a clear error message and exit non-zero
before proceeding to the sort -V comparison and npm view check so the build
fails fast when min_openclaw_version is absent or malformed.
---
Nitpick comments:
In `@test/install-preflight.test.js`:
- Around line 1519-1523: The test in resolve_openclaw_version uses a strict
regex /ARG OPENCLAW_VERSION=(\S+)/ which fails if there is whitespace around
'='; update the extraction in the test that reads Dockerfile.base to either use
a whitespace-tolerant pattern (e.g. allow \s* around '=') or check the match
before indexing (guard match and fail with a clear message), and keep the rest
of the test using callInstallerFn('resolve_openclaw_version "$PWD"') and
expect(r.stdout.trim()).toBe(expected) so the test either extracts the version
robustly or asserts a helpful error when expected is missing.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: bd71718b-5403-4b1f-9c3c-f8ac26659a46
📒 Files selected for processing (4)
.github/workflows/base-image.yamlDockerfile.basescripts/install.shtest/install-preflight.test.js
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/base-image.yaml
afc9d58 to
f812cb8
Compare
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
Dockerfile.base (1)
146-146: Optional: Quote the variable for defensive consistency.While the format validation ensures
OPENCLAW_VERSIONonly contains safe characters, quoting the argument is a shell best practice that protects against future regex changes.Suggested change
- npm install -g openclaw@${OPENCLAW_VERSION} \ + npm install -g "openclaw@${OPENCLAW_VERSION}" \🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.base` at line 146, The npm install line uses an unquoted variable (OPENCLAW_VERSION)—change the npm install invocation that references openclaw@${OPENCLAW_VERSION} to quote the version argument (e.g., wrap the openclaw@... value in double quotes) so the shell treats it as a single, defensive token even if regex/validation changes in the future; update the line containing openclaw@${OPENCLAW_VERSION} accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@Dockerfile.base`:
- Line 146: The npm install line uses an unquoted variable
(OPENCLAW_VERSION)—change the npm install invocation that references
openclaw@${OPENCLAW_VERSION} to quote the version argument (e.g., wrap the
openclaw@... value in double quotes) so the shell treats it as a single,
defensive token even if regex/validation changes in the future; update the line
containing openclaw@${OPENCLAW_VERSION} accordingly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: be80cf7b-59ba-4120-bd2b-0b13bd7fc134
📒 Files selected for processing (4)
.github/workflows/base-image.yamlDockerfile.basescripts/install.shtest/install-preflight.test.js
✅ Files skipped from review due to trivial changes (1)
- scripts/install.sh
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/base-image.yaml
f812cb8 to
8d49b82
Compare
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
Dockerfile.base (1)
135-137: Anchor the blueprint version extraction to the actual YAML key for robustness.While the current
grep+awkextraction works correctly (exactly one uncommentedmin_openclaw_versionentry exists), a more anchored extractor prevents accidental consumption of commented or similarly named lines in future maintenance. The suggestedawkpattern with format validation adds defensive structure:♻️ Suggested hardening
- OPENCLAW_MIN_VERSION=$(grep 'min_openclaw_version' /tmp/blueprint.yaml | awk '{print $2}' | tr -d '"'); \ - [ -n "$OPENCLAW_MIN_VERSION" ] \ - || { echo "Error: Could not parse min_openclaw_version from nemoclaw-blueprint/blueprint.yaml"; exit 1; }; \ + OPENCLAW_MIN_VERSION=$(awk -F': *' '/^[[:space:]]*min_openclaw_version:[[:space:]]*/ { gsub(/"/, "", $2); print $2; exit }' /tmp/blueprint.yaml); \ + echo "$OPENCLAW_MIN_VERSION" | grep -qxE '[0-9]+(\.[0-9]+)*' \ + || { echo "Error: Could not parse a valid min_openclaw_version from nemoclaw-blueprint/blueprint.yaml"; exit 1; }; \🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.base` around lines 135 - 137, The extraction of OPENCLAW_MIN_VERSION should be made robust by anchoring to the YAML key and validating the format: replace the current grep+awk pipeline that sets OPENCLAW_MIN_VERSION with a single awk (or grep -P) command that matches lines beginning with the literal key "min_openclaw_version" (e.g. /^min_openclaw_version[[:space:]]*:/), extracts the value after the colon, strips surrounding quotes, and assigns it to OPENCLAW_MIN_VERSION; keep the existing check that the variable is non-empty and the error/exit branch unchanged so a missing or malformed value still triggers the same failure path.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@Dockerfile.base`:
- Around line 135-137: The extraction of OPENCLAW_MIN_VERSION should be made
robust by anchoring to the YAML key and validating the format: replace the
current grep+awk pipeline that sets OPENCLAW_MIN_VERSION with a single awk (or
grep -P) command that matches lines beginning with the literal key
"min_openclaw_version" (e.g. /^min_openclaw_version[[:space:]]*:/), extracts the
value after the colon, strips surrounding quotes, and assigns it to
OPENCLAW_MIN_VERSION; keep the existing check that the variable is non-empty and
the error/exit branch unchanged so a missing or malformed value still triggers
the same failure path.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 537b5cd3-06e2-4a30-9b82-7fd9006cc462
📒 Files selected for processing (4)
.github/workflows/base-image.yamlDockerfile.basescripts/install.shtest/install-preflight.test.js
✅ Files skipped from review due to trivial changes (2)
- scripts/install.sh
- test/install-preflight.test.js
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/base-image.yaml
cv
requested changes
Apr 8, 2026
Contributor
cv
left a comment
There was a problem hiding this comment.
Security Review — WARNING (non-blocking findings)
The version validation in Dockerfile.base is well done — strict regex with -x, minimum-version check against blueprint.yaml, and npm registry confirmation. Good defense-in-depth.
Requested change
Workflow input validation: The format('OPENCLAW_VERSION={0}', inputs.openclaw_version) expression in base-image.yaml doesn't validate the input before assembling build-args. A newline in the input could inject extra build-args that bypass the Dockerfile regex. Add an input validation step before the Docker build:
- name: Validate OpenClaw version input
if: inputs.openclaw_version != ''
run: echo "${{ inputs.openclaw_version }}" | grep -qxE '[0-9]+(\.[0-9]+)*'Minor (non-blocking)
- Consider quoting
"openclaw@${OPENCLAW_VERSION}"innpm installfor style (already safe due to regex gate) make checkandnpm testboxes are unchecked in the PR description
43c6b6a to
b794547
Compare
262f08e to
027c5b9
Compare
cv
reviewed
Apr 9, 2026
f0ec12a to
16c49fd
Compare
Contributor
|
I ported this branch across the JS→TS migration and merged the latest Validation rerun:
|
added 5 commits
April 10, 2026 03:08
…e stale comments | handle potential broken in install script
added 4 commits
April 10, 2026 03:08
c0b95bc to
39d3d18
Compare
cv
approved these changes
Apr 9, 2026
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Argumentizing the OpenClaw version in the base image build so it can be overridden at build time via
--build-argor workflow dispatch, while keeping the default version. This is the first step toward an OpenClaw version integration pipeline that validates how different OpenClaw releases adapt to NemoClaw.Related Issue
Closes #1525
Changes
Dockerfile.base: Replace the hardcodedopenclaw@2026.3.11install with anARG OPENCLAW_VERSION(default2026.3.11). At build time, the provided version is validated against:min_openclaw_versiondeclared innemoclaw-blueprint/blueprint.yaml..github/workflows/base-image.yaml: Add anopenclaw_versioninput toworkflow_dispatchand forward it as abuild-argsentry to the Docker build step, falling back to2026.3.11when left blank.Type of Change
Testing
npx prek run --all-filespasses (or equivalentlymake check).npm testpasses.make checkpasses.Checklist
General
Code Changes
npx prek run --all-filesauto-fixes formatting (ormake formatfor targeted runs).Summary by CodeRabbit
New Features
Improvements
Tests
Signed-off-by: Hung Le hple@nvidia.com