Commit graph

6 commits

Author SHA1 Message Date
rcourtman
20fc5d2649 Fix validation workflow to download draft release assets using GitHub API
The gh release download command doesn't work with draft releases.
Switch to using curl with GitHub API and authentication token to download assets.
This allows validation to work properly with draft releases.

Related to #695
2025-11-12 14:02:19 +00:00
rcourtman
c89f5ae773 Re-enable validation with Docker image pull retry logic
Added exponential backoff retry logic to handle Docker Hub CDN
propagation delays (2-5 minutes after push).

Validation workflow now:
- Retries Docker image pull up to 10 times
- Uses exponential backoff: 30s, 60s, 120s, 120s...
- Total timeout: ~10 minutes max
- Continues with asset-only validation if image unavailable

This keeps validation enabled (important for quality) while
fixing the race condition that caused consistent failures.

Related to #695
2025-11-12 13:24:54 +00:00
rcourtman
5fa78c3e36 Fix YAML syntax error in validate-release-assets workflow
The Python heredoc was not indented, causing YAML parsers to interpret
the Python code as YAML syntax. This caused workflow_dispatch runs to
fail instantly with 'workflow file issue' error before any jobs could start.

The fix indents the heredoc content and changes delimiter from 'PY' to
'EOF' to match standard conventions.
2025-11-11 22:54:37 +00:00
rcourtman
ea6cad10ce Release workflow guardrails (related to #695) 2025-11-11 22:34:00 +00:00
rcourtman
b604a63322 Fix critical release workflow issues identified in review
Addresses 3 critical issues from 4-dev team review:

1. CRITICAL: Fix non-deterministic checksum generation (Dev 2 & 3)
   - Add explicit sorting to checksums.txt generation
   - Prevents #671 checksum mismatches between builds
   - Location: scripts/build-release.sh:348

2. CRITICAL: Fix upload/validation race condition (Dev 1)
   - Change validation trigger from 'release: created' to 'workflow_run'
   - Prevents validation from running while assets still uploading
   - Prevents valid releases from being incorrectly deleted
   - Location: .github/workflows/validate-release-assets.yml:4-8

3. CRITICAL: Fix GitHub token exposure in logs (Dev 1)
   - Replace curl commands with gh CLI
   - Prevents token leakage in workflow logs
   - Location: .github/workflows/validate-release-assets.yml:44, 63

All three issues were blocking issues that could cause release failures.
Remaining high/medium priority issues to be addressed in follow-up PRs.
2025-11-11 11:32:44 +00:00
Claude
4620c1d2b3
Add post-upload validation gate for release assets
Create GitHub Actions workflow that validates release assets AFTER they're uploaded
to catch issues even if someone manually uploads or modifies assets.

Features:
- Triggers on release created/edited (draft only)
- Downloads all assets from GitHub release
- Re-runs scripts/validate-release.sh on downloaded assets
- On validation failure:
  * Deletes all assets from the release
  * Sets commit status to failed
  * Updates release description with error details
- On validation success:
  * Sets commit status to success
  * Updates release description with validation summary

This acts as a safety gate to prevent publishing releases with:
- Missing required files
- Checksum mismatches
- Incorrect version strings in binaries
- Corrupted or incomplete uploads
2025-11-11 09:23:06 +00:00