chore(deps): bump openclaw/clawhub/.github/workflows/package-publish.yml from 0.12.0 to 0.15.0

[dependabot]

Bumps openclaw/clawhub/.github/workflows/package-publish.yml from 0.12.0 to 0.15.0.

Changelog

Sourced from openclaw/clawhub/.github/workflows/package-publish.yml's changelog.

0.15.0 - 2026-05-12

Changes

• Web: polish dashboard artifact cards, loading skeletons, skill summary/detail layout, and adoption metrics after the 0.14 release (#2150, #2153, #2156, #2157, #2158, #2160).
• Docs/dev: clarify pre-PR validation gates for local contributors (#2161).

Fixes

• Web: show plugin settings actions to package managers and preserve manager access in dashboard rows (#2163, #2168).
• Web: refresh skill star state after mutations and keep skill tabs from causing horizontal scroll (#2154, #2155).
• Web: show owner names when handles are hidden, and clarify editable skill summary settings copy (#2151, #2162).
• Dashboard: add a publisher switcher so org-owned skills and plugins are visible to org admins after transfer or publish (#2132).
• Web: let org publishers/admins republish transferred org-owned skills without the publish form treating the existing slug as taken, including legacy users with synthesized personal publishers (#2171).
• CLI: send skill ownership command payloads as JSON objects so rename/merge operations reach the API correctly (#1300).
• CLI: keep an install fingerprint in skill origin metadata so clawhub update <skill> does not report fresh installs as local changes when the server cannot resolve the current hash (#169).
• CLI: migrate cached registry.clawhub.ai registries back to clawhub.ai so clawhub explore no longer talks to the retired Vercel deployment (#1098).
• CLI: publish .tsv, .conf, .properties, .dat, and safe extensionless text files while excluding dotfiles and sampling extensionless files before full reads (#874).
• Tests: remove obsolete rescan e2e probes that no longer match current moderation behavior (#2152).

0.14.0 - 2026-05-11

Changes

• Web: add publisher notes and unify ClawScan review pages (#2111).
• Dev: auto-start services for Codex worktrees and add a local dev persona FAB (#2146, #2147).
• Dev: add a local ClawScan dry-run helper script (#2143).

Fixes

• API: return deterministic 403 responses for skill/package rescan and package transfer permission denials, with CI e2e coverage for protected write endpoints.

0.13.0 - 2026-05-11

Changes

• Web: redesign Settings into focused account, organization, API token, and account deletion views with responsive desktop and mobile layouts (#2134) (thanks @​vyctorbrzezowski).
• Web: replace the Users directory with a Publishers discovery surface covering builders and organizations, add /publishers as the canonical route, and keep /users compatibility (#2087) (thanks @​vyctorbrzezowski).
• Web: polish browse/listing surfaces across skills, plugins, and search, including plugin card view parity, clearer search controls, visible safety filtering, and more consistent card metadata treatment (#2084) (thanks @​vyctorbrzezowski).
• Web: allow skill owners and publisher admins to edit a skill summary from the detail page (#1411) (thanks @​SylvanXiao).
• CLI/Auth: add device-code login for remote or headless shells, backed by ClawHub device authorization endpoints (#1867) (thanks @​LumenFromTheFuture).
• CLI: add per-skill pinning so installed skills can be frozen against direct updates, bulk updates, and force reinstalls (#1806) (thanks @​deepujain).
• Web: rename the skills and plugins browse alternate view from Cards to Grid while keeping legacy view=cards URLs compatible (#2119) (thanks @​vyctorbrzezowski).
• Dev docs: refresh generated Convex AI guidance files (#2000).

Fixes

• Moderation: stop treating VirusTotal Code Insight/Palm verdicts as a hide authority for skills; real AV-engine hits and ClawScan findings still contribute moderation verdicts.
• Moderation: stop treating static suspicious-only findings as a verdict; keep file/line evidence for review while VT/LLM decide public suspicious status.
• ClawScan: reduce false positives for scoped uninstall cleanup, declared provider login flows, Basic Auth/base64 handling, and user-directed provider uploads while hard-blocking stealth browser abuse patterns.

... (truncated)

Commits

• 5b10c21 ci: ignore overbroad tanstack history advisory
• c107523 fix: prepare clawhub 0.15.0
• 09cbd9c Update styles.css
• 22950d1 Update .gitignore
• 53b64d1 fix: show plugin settings action to managers (#2168)
• b80b942 fix: show plugin settings action to managers (#2163)
• 426a2a7 fix: clarify skill summary settings copy (#2162)
• ee8e339 docs: clarify pre-pr validation gates (#2161)
• 0c4d044 fix: show full skill description on detail pages (#2160)
• 3b2d3dc fix: expand skill summary clamp (#2158)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Superseded by #2173.