Related to systematic release workflow failures. The workflow has never successfully completed from start to finish since validation was added. Root causes identified and fixed: 1. **GraphQL node_id vs numeric release ID**: The create-release job was using `gh release view --json id` which returns a GraphQL node_id (RE_kwDON5nJtM4PmlTt) instead of the numeric database ID (261772525) needed by the REST API. The validation workflow then failed with 404 when trying to download assets. Fixed by using `gh api` to get the numeric ID from the releases list endpoint. 2. **Missing binaries in Docker image**: The validation script expects 26 binaries + 3 Windows symlinks in /opt/pulse/bin/, but the Dockerfile was only copying a subset. Missing binaries included the main pulse server binary, armv6/386 builds for all agents, and caused immediate validation failure. Fixed by copying all built binaries from backend-builder stage. 3. **Assets-only validation fallback broken**: When Docker image pull times out, the workflow falls back to assets-only validation but was still calling the validation script without --skip-docker flag, causing it to fail on the first docker command. Fixed by passing --skip-docker flag in the fallback path. 4. **Asset download pagination**: The asset download was not using --paginate, which would cause silent failures once we exceed 30 assets (currently at 27). Fixed by adding --paginate to gh api call. All fixes verified locally and address the complete failure chain. |
||
|---|---|---|
| .. | ||
| helm-ci.yml | ||
| helm-pages.yml | ||
| promote-floating-tags.yml | ||
| publish-helm-chart.yml | ||
| README.md | ||
| release.yml | ||
| test-updates.yml | ||
| update-demo-server.yml | ||
| validate-release-assets.yml | ||
GitHub Actions Workflows
Update Demo Server
File: update-demo-server.yml
Automatically updates the public demo server when a new stable release is published.
Configuration Required
Add these secrets to your GitHub repository settings (Settings → Secrets and variables → Actions):
-
DEMO_SERVER_SSH_KEY
- The private SSH key for accessing the demo server
- Generate with:
cat ~/.ssh/id_ed25519(or your key file) - Should be the full private key including
-----BEGINand-----ENDlines
-
DEMO_SERVER_HOST
- The hostname or IP of the demo server
- Value:
174.138.72.137(or hostname if using DNS)
-
DEMO_SERVER_USER
- The SSH username for the demo server
- Value:
root(or the appropriate user with sudo access)
How It Works
- Trigger: Runs automatically when a GitHub release is published
- Filter: Only runs for stable releases (skips RC/pre-releases)
- Update: SSHs to demo server and runs the install script
- Verify: Checks that the new version is running and mock mode is active
- Cleanup: Removes SSH key from runner
Testing
To test without publishing a release:
- Go to
Actionstab in GitHub - Select
Update Demo Serverworkflow - Click
Run workflow(if manual trigger is enabled)
Benefits
- ✅ Demo server always showcases latest stable release
- ✅ Validates install script works on real server
- ✅ Removes manual step from release process
- ✅ Free to run (public repos get unlimited GitHub Actions minutes)
Helm CI
File: helm-ci.yml
Runs helm lint --strict and renders the chart with common configuration combinations on every pull request that touches Helm content (and on pushes to main). This prevents regressions before they land.
- Triggered by PRs/pushes touching
deploy/helm/**, docs, or the workflow itself - Uses Helm v3.15.2
- Renders both the default deployment and an agent-enabled configuration to catch template issues
Publish Helm Chart
File: publish-helm-chart.yml
Packages the Helm chart and pushes it to the GitHub Container Registry (OCI) whenever a GitHub Release is published. Also makes the packaged .tgz available as both an Actions artifact and a release asset. The same behaviour can be triggered locally via ./scripts/package-helm-chart.sh <version> [--push].
- Triggered automatically on
release: published, or manually via workflow dispatch (requireschart_versioninput) - Chart and app versions mirror the Pulse release tag (e.g.,
v4.24.0→4.24.0) - Publishes to
oci://ghcr.io/<owner>/pulse-chart - Requires no additional secrets—uses the built-in
GITHUB_TOKENwithpackages: writepermission