chore(deps): update ghcr.io/openclaw/openclaw docker tag to v2026.4.29 #26
No reviewers
Labels
No labels
bug
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
les_clankeurs/openclaw-image-2!26
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/docker-images"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
2026.4.26→2026.4.29Release Notes
openclaw/openclaw (ghcr.io/openclaw/openclaw)
v2026.4.29Compare Source
Highlights
Changes
tools.exec,tools.fs) no longer implicitly widen restrictive profiles (messaging,minimal). Users who need those tools under a restricted profile must add explicitalsoAllowentries; a startup warning identifies affected configs. Fixes #47487. Thanks @amknight.commitments.enabled/commitments.maxPerDayconfig, and heartbeat-interval due-time clamping so magical check-ins do not echo immediately. (#74189) Thanks @vignesh07.steerdrain all pending Pi steering messages at the next model boundary, keep legacy one-at-a-time steering asqueue, and add a dedicated steering queue docs page. Thanks @vincentkoc.steerwith a 500ms followup fallback debounce, and document the queue modes, precedence, and drop policies on the command queue page. Thanks @vincentkoc.messages.visibleRepliesso operators can require visible output to go throughmessage(action=send)for any source chat, whilemessages.groupChat.visibleRepliesstays available as the group/channel override. Thanks @scoootscooob.spawnedByon subagent chat and agent broadcast payloads so clients can route child session events without an extra session lookup. (#63244) Thanks @samzong.allowedChatIdsanddeniedChatIdsfilters so operators can enable recall only for selected direct, group, or channel conversations while keeping broad sessions skipped. (#67977) Thanks @quengh.doctor.memory.remHarnessRPC so operator clients can preview bounded REM dreaming output without running mutation paths. (#66673) Thanks @samzong.openclaw doctor --fixcannot bypass the manifest capability block and cause repeated assistant-turn failures when the runtime switches to that model on ChatGPT-backed Codex accounts. Conditional suppressions (e.g. qwen Coding Plan endpoint guards) remain bypassable by explicit user configuration. (#74451) Thanks @0xCyda, @hclsys, and @Marvae.api.runtime.state.openKeyedStore) for restart-safe keyed registries with TTL, eviction, and automatic plugin isolation. Thanks @amknight.@deprecatedtags. Thanks @vincentkoc.pnpm gateway:watchthrough a named tmux session by default, withgateway:watch:rawandOPENCLAW_GATEWAY_WATCH_TMUX=0for foreground mode, so repeated starts respawn an inspectable watcher without trapping the invoking agent shell. Thanks @vincentkoc.fa,nl,vi, andzh-TWdocs glossaries, so the docs translation pipeline and the Control UI language picker stay aligned across surfaces. Thanks @vincentkoc.OPENCLAW_SKIP_ONBOARDINGso automated Docker installs can skip the interactive onboarding step while still applying gateway defaults. (#55518) Thanks @jinjimz.Fixes
<script>sequence behind. Thanks @vincentkoc.console.*, so gateway payload fields cannot forge extra log lines when debug logging is enabled. Thanks @vincentkoc.allowQQBotDataDownloadswhen sending slash command file attachments, align clear-storage with actual downloads directory, and add/bot-meto display sender user ID. (#73616) Thanks @cxyhhhhh.openclaw agents, textagents list, and plain textstatuson read-only metadata paths so human output no longer preloads plugin runtimes or live channel scans before printing. Fixes #74195. Thanks @NianJiuZst.file://URL lookup failures. Fixes #51455; carries forward #70936, #54447, and #62175. Thanks @anyech, @JuanRdBO, and @solomonneas.application/mswordorapplication/x-cfbMIME as binary so printable-looking.docfiles are not embedded into prompts as text. Fixes #54176; carries forward #54380. Thanks @andyliu.browser.tabCleanupkeys in strict root config validation, so configured tab cleanup no longer fails before runtime reads it. Fixes #74577. Thanks @lonexreb and @ezdlp.openclaw cron add --messageomits a nonblank--agent, including blank agent values and session-key jobs, so scheduled agent-turn jobs make default-agent fallback explicit while system events stay quiet. Fixes #42196; carries forward #42245. Thanks @ethanclaw.modelFallbackPolicywarning and config help somodelFallbackis described as a chain-resolution last resort, not runtime failover. (#74602) Thanks @jeffrey701.chat,agent, andsessionsserver methods so abort RPCs return after the targeted sessions actually halt instead of resolving early while runs are still draining. (#74751) Thanks @BunsDev.[assistant copied inbound metadata omitted]as model output. Fixes #74745. Thanks @adamwdear and @Marvae.{"text":""}) that carry no media, so no blank user turn is written to the session and downstream LLM providers cannot reject the request with "messages must not be empty". (#74634) Thanks @xdengli and @hclsys.--attach-only/--no-launchdno longer uninstalls the Gateway LaunchAgent or drops active sessions. (#72174) Thanks @DolencLuka.plugin-sdk/zalousercommand-auth facade so published Lark/Zalo plugins that import it load on current hosts. Fixes #74702. Thanks @Goron01.models.providers, auth profiles, agent defaults, or subagent model refs configure that provider, while keeping inactive default-enabled provider plugins out of doctor repair. Refs #74307. Thanks @Skeptomenos.api.resolvePathinputs against the plugin root instead of the host working directory, while keeping absolute and home paths user-resolved. Fixes #74718. Thanks @jimdawdy-hub.requireconditional exports when building staged dependency aliases, so CommonJS-only plugin runtime deps such aswsdo not resolve to ESM wrappers under Jiti. Fixes #74547. Thanks @aderius.ajv/MCP SDK installs after update instead of failing after restart on a missingajv/dist/ajv.js. Refs #74630. Thanks @spickeringlr.responsePrefixtemplate variables with the selected provider, model, and thinking context before delivering alerts or suppressing prefixedHEARTBEAT_OKreplies. Fixes #43064; repairs #43065; supersedes #46858. Thanks @yweiii and @JunJD.memory_forgetcandidate list so agents can pass the displayed ID back to targeted deletion without hitting the full-UUID validator. (#66913) Thanks @amittell.file.fetch, fail closed whendir.fetchpreflight entries are missing, absolute, or traversing, and recheck returned archive entries before handing archive bytes to callers. Carries forward #74134. Thanks @omarshahine.mediaafter a Feishu/Lark HTTP 502 and preserve the original 502 when the fallback also fails. Fixes #49855; carries forward #50164 and #73986. Thanks @alex-xuweilong.xhigh,adaptive, andmax) for Bedrock model refs, while keeping Opus/Sonnet 4.6 on adaptive-by-default, so/thinkmenus and validation match the Anthropic transport behavior. Fixes #74701. Thanks @prasad-yashdeep, @sparkleHazard, @Sanjays2402, and @hclsys.client_secret_*.jsondownloads so local client-secret files do not appear as commit candidates. (#74689) Thanks @jeongdulee.sqlite-vecinto packaged bundled-plugin runtime deps for the default memory plugin, so builtin vector search does not lose its SQLite extension after upgrading to 2026.4.27. Fixes #74692. Thanks @mozi1924.status --all,status --deep, channel, and doctor paths do not crash when an external channel plugin needs setup metadata. Fixes #74693. Thanks @giangthb.rawEvents. Refs #74704. Thanks @BunsDev.agent.waittimeout snapshots with lifecycle metadata astimed_outwhile keeping bare wait deadlines non-terminal. Thanks @clawsweeper.speechReadydiagnostics so login, admission, permission, and audio-bridge blockers no longer look like successful speech. Refs #72478. Thanks @DougButdorf.chat.updaterejectsmsg_too_long. Thanks @slackapi.msg_too_long. Thanks @slackapi.chat.updatecalls withmsg_too_long. Thanks @slackapi.19:...@​thread.tacv2and legacy19:...@​thread.skypeteam/channel IDs as already resolved during startup, avoiding falsechannels unresolvedwarnings while preserving Graph name lookup for display-name entries. Fixes #74683. Thanks @dseravalli.openclaw browser --json openandopenclaw browser --json tabskeep machine-readable output after reparsing. Fixes #74574. Thanks @devintegeritsm.turnSourceChannelasmessageProvideron approval-followup runs sotools.elevated.allowFrom.<provider>checks no longer fail withprovider=nullafter the user approves an async elevated command. Fixes #74646. Thanks @xhd2015.openclaw plugins depsinspection and repair with script-free package-manager defaults shared across plugin installers, so operators can repair missing bundled runtime deps without corrupting JSON output or blocking unrelated conflict-free deps. Thanks @vincentkoc.[tool calls omitted]replay placeholders from user-facing replies while preserving visible reply whitespace. Fixes #74573. Thanks @blaspat.--sessiontoken cannot be resolved while preserving the bad-token diagnostic when no thread binding exists, so Discord slash commands that auto-fill the current thread ID as the positional ACP target no longer return "Unable to resolve session target" errors. Fixes #66299. Thanks @hclsys, @kindomLee, and @martingarramon.agent_end, so Gateway sessions no longer stay stuck inrunningafter failover surfaces a timeout. Fixes #74607. Thanks @millerc79.xhighandmaxthinking levels through the providerresolveThinkingProfilehook so/think xhigh|maxapplies the intended effort instead of falling back to base levels. (#73008) Thanks @ai-hpc.No session found. Fixes #74595. Thanks @gkoch02.tools.web.fetch.ssrfPolicy.allowIpv6UniqueLocalRangeopt-in and thread it through cache keys and DNS/IP checks so trusted fake-IP proxy stacks usingfc00::/7can work without broad private-network access. Fixes #74351. Thanks @jeffrey701./verbose fullpersistence and app-server tool-output forwarding, and retry Gateway E2E temp-home cleanup so debug runs do not regress on stale validation or cleanup flakes. Thanks @vincentkoc.content_block_startin anthropic-messages streams, so[thinking, text]replies no longer persist as empty turns or trigger empty-response fallbacks. Fixes #74410. Thanks @vyctorbrzezowski.openclaw matrix verify confirm-sasso the operator's other Matrix device clears itsVerifying…loop instead of staying stuck after the agent confirms. (#74542) Thanks @nklock.openclaw status. Thanks @HemantSudarshan.openclaw ltm list(with optional--limitand createdAt ordering) instead of an empty placeholder, so the CLI surface matches the documented LTM listing contract. (#67952) Thanks @zhangyue19921010.Cron Jobsagent tab label and the security-audit command styling. Carries forward #39692 repair context. Thanks @hepeng154833488 and @vincentkoc.silentReply.direct: "allow"for clean empty or reasoning-only direct chat turns while keeping the default direct-chat empty-response guard conservative. Fixes #74409. Thanks @jesuskannolis.input: []. Fixes #73820. Thanks @woodhouse-bot.functions.execdispatch asexecinstead of missing configured tools. Fixes #74487. Thanks @afurm and @carreipeia.gateway-fallback-*sessions so accepted Gateway runs cannot race transcript locks or replace the routed conversation session. Fixes #62981. Thanks @HemantSudarshan./models, and model setup pickers while keeping explicit full-catalog browse paths throughview: "all",/models <provider> all, andmodels list --all. Fixes #74423. Thanks @guarismo and @SymbolStar.interactiveRepliesguidance instead of genericinlineButtonsconfig hints so enabled Slack button directives are not contradicted. Fixes #46647. Thanks @jeremykoerber.already_reactedresponses as idempotent success so repeated agent reaction adds no longer surface as tool failures. Fixes #69005. Thanks @shipitsteven and @martingarramon.channels.discord.applicationIdas an app-id lookup bypass, sanitize HTML bodies before logging, and honor Retry-After before falling back to a conservative cooldown. Fixes #38853. (#74489) Thanks @djgeorg3 and @Garyko0730.fileIdin the shared message tool schema sodownload-filecan receive Slack attachment IDs from inbound placeholders. Fixes #45574. Thanks @chadvegas.hostvalues instead of silently falling back to the default target, so hostname-like values fail before commands run. Fixes #74426. Thanks @scr00ge-00 and @vyctorbrzezowski.contents is not specifiedAPI errors. Thanks @CaoYuhaoCarl.HEARTBEAT.mdcontext aroundtasks:blocks and applyagents.defaults.heartbeatto all agents unless per-agent heartbeat entries restrict scope. Thanks @Sekhar03.processingafter a timeout. Thanks @vincentkoc.models list --all --provider <id>rows for providers without manifest/static catalog coverage, including Anthropic and Amazon Bedrock, while keeping the compatibility fallback off expensive availability and resolver paths. Thanks @shakkernerd.models status, auth probes, and PI model discovery so workspace-scoped provider auth does not disagree between listing, probing, and execution. Thanks @shakkernerd.models listAuth column through one command-local provider auth index so row rendering no longer repeats auth profile, env, configured-provider, AWS, or synthetic-auth checks per model row. Thanks @shakkernerd.models list --all --provider openaiuses the manifest fast path instead of loading provider runtime normalization hooks. Thanks @shakkernerd.tools.*RPC namespace out of plugin command discovery and managed proxy startup, so stray commands likeopenclaw tools effectivefail quickly instead of cold-loading plugin metadata. Refs #73477. Thanks @oromeis.openclaw status --usageon metadata-only channel scans unless--deepor--allis set, and send strayopenclaw tools --helpthrough the precomputed root-help fast path so latency-triage commands avoid plugin/runtime cold loads before printing. Refs #73477 and #74220. Thanks @oromeis and @NianJiuZst.subagents/runs.jsonon controller/list/status hot paths. Refs #72338. Thanks @argus-as.wmic, so restart health can recognize OpenClaw listeners on modern Windows installs and avoid long anonymous-port waits. Refs #74280. Thanks @zym951223..openclaw-runtime-deps.lockdirectories without waiting through repeated five-minute timeouts. Fixes #74346. (#74361) Thanks @jhsmith409.dm.allowFromprecedence over inherited rootallowFrom. (#74303) Thanks @Squirbie.dm.policy/dm.allowFromcompatibility migrates to canonicaldmPolicy/allowFromwithout divergent access checks. Thanks @Squirbie.ALL_PROXY/all_proxyand service-levelOPENCLAW_PROXY_URLwhen constructing the HTTP/1-only Telegram Bot API transport, so Windows and service installs that rely on those proxy settings no longer fall back to direct egress. Fixes #74014; refs #74086. Thanks @SymbolStar.Configuration
📅 Schedule: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.