OpenClaw · GitHub Deployments API · Lighthouse · Remote Mac · Webhooks · 2026

2026 OpenClaw Frontend Practice on a Remote Mac:
GitHub Deployments, Lighthouse Regression, Thresholds, and PR-Readable Summaries

April 22, 2026 Web automation / Release gates 10 min read

Audience: teams that already run OpenClaw on a remote Mac and want one vendor-neutral thread in GitHub that shows whether a preview regressed—without giving the automation a carte-blanche token. This HowTo stitches webhooks, the Deployments API, Lighthouse, numeric thresholds, and a short PR comment. Single slug (no nested directories): 2026-openclaw-remote-mac-github-deployments-lighthouse.html. Prerequisite reads: scheduled Lighthouse alerts, predeploy Lighthouse + link hygiene, Vercel deploy-hook smoke, build metrics PR summaries.

Preview URLs move fast: cold caches, auth cookies, and HTTP/3 negotiation differ between CI containers and a real desktop browser. A leased remote Mac gives you stable GPU compositing, consistent font rendering, and the same Safari or Chromium channel your designers use—while still keeping automation outside the vendor PaaS console. The missing piece is usually where the verdict lands in GitHub. Pull request checks are precise yet noisy for executives; deployment rows are calmer and map cleanly to an environment_url. OpenClaw becomes the orchestrator: accept a signed webhook, create or resume a deployment, run Lighthouse locally, compare thresholds, then flip deployment_status and mirror the digest into the PR.

What “done” looks like. Reviewers see a deployment named preview/lighthouse move from pending to success or failure with a four-line summary, plus an optional comment that repeats the same text. No duplicate spam: dedupe keys live on the gateway, not in each script copy.

01 Linkage model: webhook, deployment, and status

Treat the webhook as intent, the deployment object as correlation id, and deployment_status as human-readable state. Your platform (Vercel, Netlify, Cloudflare Pages, or Actions) already proves that a commit reached an edge URL; OpenClaw on the Mac proves that the user-visible performance envelope still holds.

Signal Best for Common pitfall
Repository webhook Kick the Mac job with repository_dispatch payloads that include preview_url and pr_number. Replays without idempotency create duplicate deployments.
Deployment + status Single row per commit/environment with clear pending → success/failure semantics. Mixing production environment names makes rollback audits painful.
PR comment Searchable narrative for reviewers who never open the Deployments tab. Pasting secrets or signed URLs with long TTLs into comments.

Align this flow with the observability fields described in token and auth smoke summaries so gateway counters and Lighthouse timings share the same OPENCLAW_RUN_ID tuple.

02 Reproducible HowTo steps

  1. Freeze identifiers. Export GIT_SHA, PREVIEW_URL, PR_NUMBER, REPO (owner/name), OPENCLAW_RUN_ID, and optional BASELINE_REF for median lookups.
  2. Create a deployment. POST /repos/{owner}/{repo}/deployments with ref set to the commit SHA, environment such as preview/lighthouse, and metadata JSON that echoes OPENCLAW_RUN_ID. Capture deployment.id.
  3. Emit pending. POST /repos/{owner}/{repo}/deployments/{id}/statuses with state=pending and a description like remote-mac: warming preview.
  4. Warm the preview. From the Mac, run two idempotent GETs (HTML + main JS) with the same user agent Lighthouse will use; sleep briefly if the platform returns 429.
  5. Run Lighthouse. Use the CLI or LHCI with a pinned Chromium build; write lhr.json to .openclaw/reports/${OPENCLAW_RUN_ID}.lhr.json.
  6. Threshold pass/fail. Parse performance score, LCP, CLS, and TBT. Compare to baselines committed under perf/baselines.json or a rolling median artifact—same spirit as alert thresholds.
  7. Update deployment status. POST success or failure with a compact description: deltas only, no cookies. Optionally set environment_url to PREVIEW_URL and log_url to a pre-signed object store path that expires quickly.
  8. Mirror to the PR. POST an issue comment on the pull request with identical text so the conversation timeline stays truthful.
  9. Idempotency. Require gateway clients to send Idempotency-Key: ${GIT_SHA}:${OPENCLAW_RUN_ID}:lighthouse so double webhooks do not fork deployments.
  10. Close the loop in OpenClaw NDJSON. Append one line with phase=lighthouse_github, deployment_id, verdict, and duration_ms for later triage alongside service worker PR summaries.
# Example header your gateway should enforce before touching GitHub
curl -H "Authorization: Bearer ${GITHUB_TOKEN}" \
     -H "Accept: application/vnd.github+json" \
     -H "X-GitHub-Api-Version: 2022-11-28" \
     -H "Idempotency-Key: ${GIT_SHA}:${OPENCLAW_RUN_ID}:lighthouse" \
     https://api.github.com/repos/${REPO}/deployments
Citable fact

Keep deployment descriptions under ~4 KB; GitHub truncates aggressively and mobile clients ellipsize early.

03 Least-privilege tokens

Classic PATs with full repo scope are easy but unsafe for a long-lived Mac in a shared lab. Prefer a fine-grained PAT limited to one repository, or a GitHub App installation token minted per job.

Permission Why the Mac needs it What to avoid
Contents: Read Clone or fetch baselines and threshold files from the same commit. Write access unless the runner must push baselines—split roles if needed.
Deployments: Read and write Create deployments and post deployment_status transitions. Org-level admin tokens shared across dozens of repos.
Pull requests: Write Post the PR-readable digest as a comment. Reusing a bot token that can merge or edit branch protection.
Metadata: Read Always on for fine-grained tokens; keep audit logs elsewhere. Embedding the PAT in client-side scripts or preview bundles.

Store secrets in the OpenClaw gateway or macOS keychain; never export them into Lighthouse HTML reports. Rotate on a shorter cadence than your longest-lived preview URL.

04 Troubleshooting

  • 404 on deployments. Confirm the PAT/App can see the repo; fine-grained tokens silently fail if the resource list omits the repository.
  • Duplicate deployments per commit. Add server-side dedupe on (environment, ref) or reuse the latest deployment id returned by the list API before creating another.
  • Lighthouse passes locally but fails on previews. Missing auth cookies or geo headers—inject only test credentials via env vars, never hard-code in the PR body.
  • Wild LCP swings. Pin Chromium, disable unrelated background apps on the Mac, and compare against a median of the last three green runs instead of a single golden number.
  • Comments flood. Upsert a single comment keyed by a hidden HTML comment marker such as <!-- openclaw-lh:${GIT_SHA} --> using the issues API update endpoint when your bot owns the comment.

For cross-browser smoke after Lighthouse, chain pre-deploy web smoke and E2E log triage patterns so failures stay categorized.

05 FAQ

Why not only GitHub Actions artifacts?

Artifacts help engineers but hide from executives. Deployment rows travel with the environment URL and read cleanly on phones; keep artifacts for raw lhr.json, deployments for the verdict.

Can Safari drive the same deployment status?

Yes—swap Lighthouse for WebKit-driven metrics, but keep the same deployment id and dedupe key so dashboards do not fork per browser.

Do I need admin:repo_hook?

No for posting statuses if you already have a webhook configured at the org/repo level. The Mac job only needs deployment and pull-request scopes plus a way to verify webhook signatures at the gateway.

OpenClaw · Remote Mac · No login

Ship Performance Gates Without Over-Provisioning Tokens

Browse home, pricing, help, and rent or buy without signing in. Continue reading Lighthouse alerts, Vercel deploy hooks, and the blog index for more OpenClaw playbooks.

Deployments API Lighthouse Least privilege
Rent Mac Pricing Blog
Rent Mac — OpenClaw QA