ci: move npm promotion into trusted workflow

docs/reference/RELEASING.md

@@ -51,8 +51,8 @@ OpenClaw has three public release lanes:
   - real npm publish must pass a successful npm `preflight_run_id`
   - stable npm releases default to `beta`
   - stable npm publish can target `latest` explicitly via workflow input
-  - stable npm promotion from `beta` to `latest` is still available as a separate manual workflow step
-  - that promotion workflow exchanges the GitHub Actions OIDC token for a short-lived npm registry token instead of depending on a stored `NPM_TOKEN`
+  - stable npm promotion from `beta` to `latest` is still available as an explicit manual mode on the trusted `OpenClaw NPM Release` workflow
+  - that promotion mode exchanges the GitHub Actions OIDC token for a short-lived npm registry token instead of depending on a stored `NPM_TOKEN`
   - public `macOS Release` is validation-only
   - real private mac publish must pass successful private mac
     `preflight_run_id` and `validate_run_id`
@@ -87,6 +87,8 @@ OpenClaw has three public release lanes:
 - `preflight_run_id`: required on the real publish path so the workflow reuses
   the prepared tarball from the successful preflight run
 - `npm_dist_tag`: npm target tag for the publish path; defaults to `beta`
+- `promote_beta_to_latest`: `true` to skip publish and move an already-published
+  stable `beta` build onto `latest`
 
 Rules:
 
@@ -94,6 +96,10 @@ Rules:
 - Beta prerelease tags may publish only to `beta`
 - The real publish path must use the same `npm_dist_tag` used during preflight;
   the workflow verifies that metadata before publish continues
+- Promotion mode must use a stable or correction tag, `preflight_only=false`,
+  an empty `preflight_run_id`, and `npm_dist_tag=beta`
+- Promotion stays inside the trusted `OpenClaw NPM Release` workflow file
+  because npm trusted publishing is bound to that workflow identity
 
 ## Stable npm release sequence
 
@@ -105,11 +111,12 @@ When cutting a stable npm release:
 3. Save the successful `preflight_run_id`
 4. Run `OpenClaw NPM Release` again with `preflight_only=false`, the same
    `tag`, the same `npm_dist_tag`, and the saved `preflight_run_id`
-5. If the release landed on `beta`, run `OpenClaw NPM Promote Beta` later with
-   the exact stable version when you want to move that published build to
-   `latest`
+5. If the release landed on `beta`, run `OpenClaw NPM Release` later with the
+   same stable `tag`, `promote_beta_to_latest=true`, `preflight_only=false`,
+   `preflight_run_id` empty, and `npm_dist_tag=beta` when you want to move that
+   published build to `latest`
 
-The promotion workflow still requires the `npm-release` environment approval,
+The promotion mode still requires the `npm-release` environment approval,
 but it no longer depends on a long-lived npm publish token.
 
 That keeps the direct publish path and the beta-first promotion path both
@@ -118,7 +125,7 @@ documented and operator-visible.
 ## Public references
 
 - [`.github/workflows/openclaw-npm-release.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-npm-release.yml)
-- [`.github/workflows/openclaw-npm-promote-beta.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-npm-promote-beta.yml)
+- [`scripts/npm-oidc-exchange-token.mjs`](https://github.com/openclaw/openclaw/blob/main/scripts/npm-oidc-exchange-token.mjs)
 - [`scripts/openclaw-npm-release-check.ts`](https://github.com/openclaw/openclaw/blob/main/scripts/openclaw-npm-release-check.ts)
 - [`scripts/package-mac-dist.sh`](https://github.com/openclaw/openclaw/blob/main/scripts/package-mac-dist.sh)
 - [`scripts/make_appcast.sh`](https://github.com/openclaw/openclaw/blob/main/scripts/make_appcast.sh)