Skip to content

ci(release): smoke the public update paths after publishing#6040

Merged
SivanCola merged 1 commit into
esengine:main-v2from
SivanCola:ci/release-public-smoke
Jul 6, 2026
Merged

ci(release): smoke the public update paths after publishing#6040
SivanCola merged 1 commit into
esengine:main-v2from
SivanCola:ci/release-public-smoke

Conversation

@SivanCola

Copy link
Copy Markdown
Collaborator

Problem

The release smoke checks verify artifacts over the authenticated R2 S3 API (necessarily — dl.reasonix.io bot-blocks Actions egress), which means no release step ever exercises what end users' updaters actually reach. That blind spot is how #5826/#5858 (manifest 404) shipped broken for weeks, and why #6005 (gateway 403) was only visible in user reports.

Changes

  • release.yml — after uploading the desktop-manifest compatibility asset, fetch it back anonymously with a Go client UA via releases/latest/download/latest.json: the exact path pre-v1.16 updaters poll. GitHub serves its own runners (no bot wall), so this asserts hard; retries cover release-CDN propagation. Skips cleanly on prereleases / missing R2 secrets, mirroring the upload step's guards.
  • release-desktop.yml — probe the release gateway (crash.reasonix.io/v1/desktop/releases/<channel>/latest.json) the same way:
    • 200 must serve exactly the just-released version (stale pointer ⇒ fail),
    • 403 is the known bot-protection gap ([Bug]: 更新检查失败,获取 latest.json 清单返回 403 Forbidden #6005) → ::warning only, so releases aren't blocked until a WAF skip rule for that path lands — at which point this can be tightened to a hard assert,
    • 404/5xx/transport anomalies ⇒ routing or pointer regression ⇒ fail.

Both workflows pass YAML validation; the probe handles curl's 000 transport-failure code explicitly.

Refs #5826, #5858, #6005

The authenticated R2 smoke verifies the mirror landed but says nothing
about what end users' updaters actually reach — esengine#5826/esengine#5858 (manifest 404)
shipped broken for weeks because no release step exercised the public
edge, and esengine#6005 (gateway 403) was only visible in user reports.

- release.yml: after attaching the desktop-manifest compatibility asset,
  fetch it back anonymously with a Go client UA via GitHub's public
  releases/latest URL — the exact path pre-v1.16 updaters poll. GitHub
  serves its own runners (no bot wall), so this asserts hard.
- release-desktop.yml: probe the release gateway the same way. 200 must
  serve the just-released version; 403 is the known bot-protection gap
  (esengine#6005) and only warns until a WAF skip rule lands; 404/5xx/stale
  version fail the release.
@SivanCola SivanCola requested a review from esengine as a code owner July 5, 2026 20:26
@github-actions github-actions Bot added updater Auto-update / installer / release packaging v2 Go rewrite (1.x) — main-v2 branch, active development labels Jul 5, 2026
@SivanCola SivanCola merged commit 8d4cfad into esengine:main-v2 Jul 6, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

updater Auto-update / installer / release packaging v2 Go rewrite (1.x) — main-v2 branch, active development

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant