2026 OpenClaw on Rented Mac Mini: GitLab CI Scheduled Pipelines for Night Patrol and Morning Summary

Platform teams want OpenClaw on a rented Mac Mini to run night patrol checks without babysitting SSH, yet they still need a trustworthy clock that wakes jobs and ships a morning summary.

This guide gives a GitLab CI scheduled pipeline pattern with least privilege tokens, webhook hardening, failure retries, and log archive checkpoints you can audit line by line. Pair it with the OpenClaw quota and retry HowTo, the seven by twenty four scheduling matrix, and the blog index for broader coverage.

Why GitLab schedules still fail OpenClaw tenants

  1. Broad tokens. Personal access tokens with api scope mean any leaked secret exposes your entire org, not just the one pipeline.
  2. Webhook sprawl. A public webhook without IP allow lists and rotating headers invites replay noise.
  3. Silent log loss. Jobs pass while artifacts expire before the morning summary stage reads them.

Decision matrix: scheduled trigger versus API polling

Pick one primary path. Mixing both without documentation doubles audit work.

| Pattern | Best when | Minimal credential |
|---|---|---|
| GitLab schedule only | You control the repo and want GitLab to own the clock | Project trigger token with trigger_job scope only |
| Inbound webhook to Mac | OpenClaw must start within seconds of an external signal | HMAC shared secret plus reverse proxy allow list |
| Read only API poll | You need status for a dashboard without executing remote code | Project token with read_api and narrow path filters |

Six-step runbook for night patrol and morning digest

  1. Create a trigger token under Settings > CI/CD and store it in a masked variable named OPENCLAW_TRIGGER_TOKEN.
  2. Add schedule A at local night with variable OPENCLAW_MODE=patrol and schedule B before stand-up with OPENCLAW_MODE=digest.
  3. Pin Mac work behind a dedicated runner tag such as runmini-mac-mini or invoke ssh with known hosts pinning.
  4. In .gitlab-ci.yml set retry to max two on runner_system_failure and stuck_or_timeout_failure.
  5. Publish artifacts with expire_in at least twelve hours and path logs/openclaw/.
  6. Document rollback by disabling schedules and revoking the trigger token in one change request.
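
Steps 2 to 5 as a single .gitlab-ci.yml, given here as an added example rather than a file from the original guide. It assumes a shell-executor runner on the Mac, so both jobs see the same ~/Library/Logs/OpenClaw/ directory; the two scripts/ wrappers and the job names are hypothetical.

```yaml
# Added example. The scripts/ wrappers and job names are hypothetical;
# keywords and values follow runbook steps 2 to 5.
stages: [patrol, digest]

.mac_job:
  tags: [runmini-mac-mini]         # step 3: dedicated runner tag
  retry:
    max: 2                         # step 4: infrastructure failures only,
    when:                          # so script and auth failures surface at once
      - runner_system_failure
      - stuck_or_timeout_failure

patrol:
  extends: .mac_job
  stage: patrol
  rules:                           # no rule matches a push or merge request
    - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "trigger") && $OPENCLAW_MODE == "patrol"'
  script:
    - mkdir -p logs/openclaw
    - ./scripts/openclaw-patrol.sh > "logs/openclaw/patrol-$(date +%Y%m%d).log" 2>&1
  after_script:                    # runs on failure too: keep a local copy
    - mkdir -p "$HOME/Library/Logs/OpenClaw"
    - cp logs/openclaw/patrol-*.log "$HOME/Library/Logs/OpenClaw/"
  artifacts:
    when: always                   # upload the log even when patrol fails
    expire_in: 12 hours            # step 5
    paths:
      - logs/openclaw/

digest:
  extends: .mac_job
  stage: digest
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule" && $OPENCLAW_MODE == "digest"'
  script:
    - mkdir -p logs/openclaw
    # Guard: fail instead of sending an empty summary when no patrol log
    # from the last 12 hours (720 minutes) exists on the Mac.
    - find "$HOME/Library/Logs/OpenClaw" -name 'patrol-*.log' -mmin -720 | grep -q .
    - ./scripts/openclaw-digest.sh "$HOME/Library/Logs/OpenClaw" > "logs/openclaw/digest-$(date +%Y%m%d).log"
  artifacts:
    expire_in: 12 hours
    paths:
      - logs/openclaw/
```

Because neither rule matches push or merge request pipelines, a commit to the repository cannot start a patrol on the Mac; only the schedules and the trigger token can.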

Reproducible commands and checkpoints

Run these from a secure admin workstation. Replace placeholders before paste.

Dry run a schedule without waiting for cron

curl --request POST \
  --form token="$OPENCLAW_TRIGGER_TOKEN" \
  --form ref=main \
  --form "variables[OPENCLAW_MODE]=patrol" \
  "$CI_API_V4_URL/projects/$CI_PROJECT_ID/trigger/pipeline"

Checkpoint one: pipeline created

curl --header "PRIVATE-TOKEN: $READ_API_TOKEN" \
  "$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines?per_page=1"

Checkpoint two: artifact exists after patrol

test -f logs/openclaw/patrol-$(date +%Y%m%d).log && echo ok

Align timezone with your RunMini region. Cross check Help Center notes on SSH stability before you trust overnight jobs.

Log archive on the rented Mac

  • Write OpenClaw stdout and stderr under ~/Library/Logs/OpenClaw/ with daily file names.
  • Compress prior days with gzip before the digest job uploads artifacts.
  • Keep at least seven rotated files local so you can diff a bad night patrol without waiting for GitLab restore or ticket queues.

Citeable parameters:

  • Two retries cover most transient runner blips without hiding auth failures.
  • Twelve hour minimum artifact retention bridges a typical night window to morning digest.
  • Five minute maximum acceptable clock skew between GitLab and the Mac when validating webhook signatures.
  • Separate CI variables per schedule keep patrol side effects away from read only digest logic.

Troubleshooting FAQ

Pipeline shows triggered but OpenClaw never runs on the Mac?
Verify the job targets the correct runner tag or SSH host. Read the GitLab job log for authentication failures before you tune OpenClaw.

Webhook returns 401 with a fresh token?
Check proxy rules for stripped Authorization headers, refresh the HMAC secret, and tighten the IP allow list.

Morning summary is empty while patrol succeeded?
Confirm expire_in survived until digest, and point the digest job at the same artifact path with a date glob guard.

Should patrol and digest share one token?
Use distinct variables per schedule so revoking one lane does not blind the read only summary path.

Put OpenClaw on dedicated Apple Silicon: open Pricing, pick a Mac Mini tier, and complete Purchase with no login required at checkout. Use Help Center for remote access playbooks.
