Skip to content

fix(ci): smoke release pointers via authenticated R2 S3 API#5995

Merged
esengine merged 1 commit into
main-v2from
fix/release-smoke-via-r2-api
Jul 5, 2026
Merged

fix(ci): smoke release pointers via authenticated R2 S3 API#5995
esengine merged 1 commit into
main-v2from
fix/release-smoke-via-r2-api

Conversation

@esengine

@esengine esengine commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Problem

Every stable release run goes red at the dl.reasonix.io curl steps: Cloudflare bot protection persistently serves 403 to GitHub Actions egress IPs (confirmed across 1.16.0 and 1.17.0 — reruns don't help). The publish itself always succeeds, but the red smoke step also skips two real follow-up steps in release-desktop.yml's mirror job:

  • Attach desktop manifest to matching CLI release (the v* release ends up missing its latest.json compatibility asset — the CLI-side attach step in release.yml fails on the same 403)
  • Refresh site to the new version (the site keeps the old baked version)

Both had to be completed by hand for 1.17.0.

Fix

Stop touching the public edge from CI and use the authenticated R2 S3 endpoint instead — the mirror job already has the AWS CLI configured with R2 credentials:

  • release-desktop.yml smoke: aws s3 cp for the tag/pointer manifests, aws s3api head-object for every platform url/sig (public URL mapped back to its object key). This verifies what the job is responsible for — that the mirror landed; the public edge is unreachable from Actions by Cloudflare policy either way.
  • release.yml compatibility asset: fetch latest/latest.json via S3 with the same repo-level R2 secrets, with a HAS_R2 guard that skips cleanly when they are absent (mirrors the desktop workflow's guard).

The local manifest validation (version, download_page, URL prefixes) is unchanged.

Verification

  • actionlint passes on both workflows.
  • Runtime path exercises on the next v* / desktop-v* tag; object keys were cross-checked against the mirror step's upload layout (s3://$R2_BUCKET/$TAG/ and pointer dirs).

🤖 Generated with Claude Code

dl.reasonix.io (Cloudflare) persistently serves 403 to GitHub Actions
egress IPs, so every stable release run failed at the public-edge curl
steps even though the publish itself succeeded, and the failure skipped
the two real follow-up steps (attach compatibility latest.json to the
CLI release, refresh the site version).

Read the mirrored manifests and head the platform objects over the
authenticated S3 endpoint instead:

- release-desktop.yml smoke: aws s3 cp / s3api head-object against the
  bucket, mapping each public URL back to its object key. Verifies the
  mirror landed; the public edge is unreachable from CI by Cloudflare
  policy and is exercised by real user traffic.
- release.yml compatibility asset: fetch latest/latest.json via S3
  using the same R2 secrets, skipping cleanly when they are absent
  (matching the desktop workflow's HAS_R2 guard).
@esengine esengine requested a review from SivanCola as a code owner July 5, 2026 07:50
@github-actions github-actions Bot added v2 Go rewrite (1.x) — main-v2 branch, active development updater Auto-update / installer / release packaging labels Jul 5, 2026
@esengine esengine merged commit b9612ef into main-v2 Jul 5, 2026
15 checks passed
@esengine esengine deleted the fix/release-smoke-via-r2-api branch July 5, 2026 07:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

updater Auto-update / installer / release packaging v2 Go rewrite (1.x) — main-v2 branch, active development

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant