Audience: platform engineers who want a remote Mac running OpenClaw as the automation gateway between CircleCI and internal tooling—accepting signed outbound webhooks, scanning lockfile drift after workflows finish, and pushing human-readable summaries to chat or ticket systems without over-provisioned CI minutes. Follow docs.openclaw.ai for gateway defaults. For capacity planning see the remote Mac build node guide; SSH basics stay public on Help (no login required to read).

Why a gateway matters: CircleCI should not own every secret for mirrors, model caches, and long-lived git credentials. An OpenClaw listener on stable Apple Silicon consolidates verification, audit logs, and outbound callbacks so pipelines stay thin while the Mac holds least-privilege tokens for pulls and scans.

  • Reproducibility checklist — Node major pinned in launchd; openclaw doctor clean; TLS terminates before loopback; webhook secret at mode 600; handler returns 2xx within ~10s; summaries use three POST attempts with 2s / 4s / 8s backoff.
  • CircleCI workflow-completed (or job-completed) subscribed; payload fields for pipeline, VCS revision, and workflow status recorded in a runbook.
  • Per-delivery workdir under /var/tmp/circleci-openclaw/ (or similar); idempotency store for duplicate id values from CircleCI.
  • Silent signature failures: proxies buffer JSON and your HMAC no longer matches the bytes CircleCI signed.
  • Timeout storms: a full npm ci inside the webhook path exceeds CircleCI’s short delivery window and triggers retries.
  • Permission friction: only org admins can register outbound webhooks—developers may mistake that for a broken Mac listener.

Prerequisites: Node, OpenClaw CLI, tokens, and minimal permissions

Install Node 22 LTS (or newer supported by your OpenClaw build) for the service account that owns the gateway. Install the CLI with the official curl installer or npm install -g openclaw, run openclaw onboard, then openclaw doctor until warnings about PATH, ports, and Node mismatch disappear.

Store the CircleCI webhook signing secret and any git read tokens under ~/.config/openclaw/ with mode 600. Prefer a read-only deploy key or fine-grained credential that can fetch the repository referenced in the webhook payload—never reuse a token that can merge or bypass branch protection.

Control Purpose Minimal pattern
Gateway bind Reduce attack surface on the Mac 127.0.0.1 listener + reverse proxy TLS + allow-listed egress from CircleCI
CLI identity Same runtime under SSH and launchd Set NODE_BINARY and an explicit PATH in the plist
VCS token Clone private repos for lockfile diffs Repo-scoped read; rotate when pasted into tickets

Least privilege in one sentence: the Mac gateway verifies CircleCI, reads git, diffs lockfiles, and posts summaries—it never needs CircleCI project settings API keys on the same filesystem unless you intentionally automate webhook management.

CircleCI webhook and verification configuration steps

CircleCI outbound webhooks are configured per project (maximum five). Adding them requires organization administrator permissions. In the CircleCI app open Project Settings → Webhooks → Add Webhook, paste your public HTTPS URL, keep certificate validation enabled for production, and set a secret token so CircleCI emits a circleci-signature header.

Each POST includes circleci-event-type (for example workflow-completed), User-Agent: CircleCI-Webhook/1.0, and JSON describing the pipeline, workflow, and VCS revision. CircleCI expects a 2xx response within roughly ten seconds; otherwise it treats delivery as failed and retries later. Plan the synchronous phase accordingly.

Official verification: the circleci-signature header lists versioned digests such as v1=<hex>. Today you should validate v1, which is HMAC-SHA256 of the raw request body using your configured secret (CircleCI outbound webhooks). Use constant-time comparison to prevent timing leaks.

1
Expose HTTPS to the OpenClaw route documented for inbound automation; confirm curl from outside matches the hostname CircleCI will call.
2
Create the webhook with a strong random secret; store it only on the Mac and in CircleCI’s UI.
3
Subscribe to workflow-completed (lockfile summary per pipeline) or job-completed (finer granularity).
4
Send Test Ping, capture headers, and verify signature locally before enabling filters.
5
Filter in code: ignore non-terminal statuses you do not care about, and skip branches outside an allow list.
// Node sketch: rawBody is a Buffer or string before JSON.parse
// const pairs = headers['circleci-signature'].split(',').map(p => p.trim().split('='));
// const v1 = pairs.find(([k]) => k === 'v1')[1];
// const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
// crypto.timingSafeEqual(Buffer.from(v1, 'hex'), Buffer.from(expected, 'hex'))

OpenClaw skill / script template: parse payload, diff lockfiles, emit summary

After signature verification, parse JSON and extract the git remote, revision, branch, workflow status, and pipeline number from the payload keys defined in CircleCI’s reference. Create /var/tmp/circleci-openclaw/$ID, perform a shallow fetch of the reported revision, then compare lockfiles against your default branch using git show origin/main:package-lock.json or git diff origin/main -- Gemfile.lock Cargo.lock pnpm-lock.yaml depending on the stack.

Return a compact JSON acknowledgment immediately—example fields: ok, lockfileDrift boolean, pipelineId, and bytesOfDiff—so CircleCI sees success quickly. Spawn a background task (LaunchAgent queue, worker thread, or OpenClaw skill continuation) to POST the long-form markdown summary to Slack, Discord, or an internal HTTP API.

#!/usr/bin/env bash
set -euo pipefail
REPO_URL="$1" REV="$2" DEFAULT_BRANCH="${3:-main}"
WORKDIR="$(mktemp -d "/tmp/circleci-lock-XXXXXX")"
trap 'rm -rf "$WORKDIR"' EXIT
git clone --depth 50 "$REPO_URL" "$WORKDIR/repo"
cd "$WORKDIR/repo"
git fetch origin "$REV" && git checkout --detach FETCH_HEAD
git fetch origin "$DEFAULT_BRANCH"
# Example: fail if package-lock.json differs from default branch at same tree paths
if ! git diff --quiet "origin/$DEFAULT_BRANCH" -- package-lock.json; then
  git diff "origin/$DEFAULT_BRANCH" -- package-lock.json | head -n 120
  exit 1
fi

For the same lockfile topic on GitHub-native flows, compare notes with OpenClaw + GitHub Check Suite lockfile scan. Broader dependency automation loops are covered in other OpenClaw posts in this blog category.

Common errors: signature, timeout, and permissions (FAQ)

Every circleci-signature check fails

The edge proxy probably altered the body or charset. Disable middleware that re-serializes JSON, verify you hash the raw TCP buffer, and confirm the secret in CircleCI matches the file on disk.

CircleCI keeps retrying; we always hit timeouts

Shrink synchronous work: verify, shallow fetch, small diff, respond 200. Offload package installs or OpenClaw model calls to async workers. Remember the delivery budget is about ten seconds.

403 when teammates try to add the webhook

Outbound webhooks require org admin. Either elevate temporarily or use the Webhooks API with a stored personal token that has admin scope—still rotate after setup.

Duplicate deliveries create double summaries

Persist the webhook payload id for twenty four hours, short-circuit if seen, but always return 2xx when the event is authentic—even when skipping work.

Connecting to CI pull scenarios

Treat this webhook as a post-merge intelligence layer: CircleCI already exercised tests; the Mac confirms lockfiles still match policy before caches warm elsewhere. When drift is detected, trigger a follow-up job or OpenClaw playbook that aligns mirrors and pre-pulls described in your internal runbooks—without blocking the original webhook response.

Teams combining cross-border mirrors and git acceleration can chain the summary output to the same gateway routes used for pull optimization so operators see one narrative: workflow status, lockfile delta bytes, and recommended mirror endpoints.

Summary callback pattern: POST JSON with workflowStatus, revision, truncated diff, and links back to CircleCI. Retry three times with sleeps of 2, 4, and 8 seconds; cap client timeouts around 25 seconds per attempt. Log correlation ids from OpenClaw for audits.

Closing checklist

  1. Doctor-clean gateway user with pinned Node.
  2. TLS → loopback OpenClaw route; raw body preserved.
  3. Webhook secret + v1 HMAC verification.
  4. Shallow clone + lockfile diff + fast 2xx.
  5. Async summary with bounded retries and deduplication.

Rent a remote Mac when you need a 24/7 listener: laptops sleep; data-center Mac Minis do not. Compare plans on Pricing, provision from Purchase, then follow Help for SSH connection steps (readable without signing in). Browse more automation notes on the Technical Blog.

MacPull supplies hosted Apple Silicon so OpenClaw gateways stay reachable for CircleCI webhooks, lockfile enforcement, and downstream pull automation.

Keep your OpenClaw + CircleCI gateway online

Use a dedicated remote Mac Mini for TLS endpoints, webhook verification, and stable launchd automation. Home, purchase, help, and blog pages are public—no login wall for reading.