ci(release): smoke the public update paths after publishing#6040
Merged
Conversation
The authenticated R2 smoke verifies the mirror landed but says nothing about what end users' updaters actually reach — esengine#5826/esengine#5858 (manifest 404) shipped broken for weeks because no release step exercised the public edge, and esengine#6005 (gateway 403) was only visible in user reports. - release.yml: after attaching the desktop-manifest compatibility asset, fetch it back anonymously with a Go client UA via GitHub's public releases/latest URL — the exact path pre-v1.16 updaters poll. GitHub serves its own runners (no bot wall), so this asserts hard. - release-desktop.yml: probe the release gateway the same way. 200 must serve the just-released version; 403 is the known bot-protection gap (esengine#6005) and only warns until a WAF skip rule lands; 404/5xx/stale version fail the release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The release smoke checks verify artifacts over the authenticated R2 S3 API (necessarily — dl.reasonix.io bot-blocks Actions egress), which means no release step ever exercises what end users' updaters actually reach. That blind spot is how #5826/#5858 (manifest 404) shipped broken for weeks, and why #6005 (gateway 403) was only visible in user reports.
Changes
releases/latest/download/latest.json: the exact path pre-v1.16 updaters poll. GitHub serves its own runners (no bot wall), so this asserts hard; retries cover release-CDN propagation. Skips cleanly on prereleases / missing R2 secrets, mirroring the upload step's guards.crash.reasonix.io/v1/desktop/releases/<channel>/latest.json) the same way:200must serve exactly the just-released version (stale pointer ⇒ fail),403is the known bot-protection gap ([Bug]: 更新检查失败,获取 latest.json 清单返回 403 Forbidden #6005) →::warningonly, so releases aren't blocked until a WAF skip rule for that path lands — at which point this can be tightened to a hard assert,404/5xx/transport anomalies ⇒ routing or pointer regression ⇒ fail.Both workflows pass YAML validation; the probe handles curl's
000transport-failure code explicitly.Refs #5826, #5858, #6005