fix(ci): smoke release pointers via authenticated R2 S3 API#5995
Merged
Conversation
dl.reasonix.io (Cloudflare) persistently serves 403 to GitHub Actions egress IPs, so every stable release run failed at the public-edge curl steps even though the publish itself succeeded, and the failure skipped the two real follow-up steps (attach compatibility latest.json to the CLI release, refresh the site version). Read the mirrored manifests and head the platform objects over the authenticated S3 endpoint instead: - release-desktop.yml smoke: aws s3 cp / s3api head-object against the bucket, mapping each public URL back to its object key. Verifies the mirror landed; the public edge is unreachable from CI by Cloudflare policy and is exercised by real user traffic. - release.yml compatibility asset: fetch latest/latest.json via S3 using the same R2 secrets, skipping cleanly when they are absent (matching the desktop workflow's HAS_R2 guard).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Every stable release run goes red at the
dl.reasonix.iocurl steps: Cloudflare bot protection persistently serves 403 to GitHub Actions egress IPs (confirmed across 1.16.0 and 1.17.0 — reruns don't help). The publish itself always succeeds, but the red smoke step also skips two real follow-up steps inrelease-desktop.yml's mirror job:v*release ends up missing itslatest.jsoncompatibility asset — the CLI-side attach step inrelease.ymlfails on the same 403)Both had to be completed by hand for 1.17.0.
Fix
Stop touching the public edge from CI and use the authenticated R2 S3 endpoint instead — the mirror job already has the AWS CLI configured with R2 credentials:
aws s3 cpfor the tag/pointer manifests,aws s3api head-objectfor every platform url/sig (public URL mapped back to its object key). This verifies what the job is responsible for — that the mirror landed; the public edge is unreachable from Actions by Cloudflare policy either way.latest/latest.jsonvia S3 with the same repo-level R2 secrets, with aHAS_R2guard that skips cleanly when they are absent (mirrors the desktop workflow's guard).The local manifest validation (version, download_page, URL prefixes) is unchanged.
Verification
actionlintpasses on both workflows.v*/desktop-v*tag; object keys were cross-checked against the mirror step's upload layout (s3://$R2_BUCKET/$TAG/and pointer dirs).🤖 Generated with Claude Code