From fb1725d94f86d3619db52f6c84c3872e3929f558 Mon Sep 17 00:00:00 2001
From: Paul-Louis NECH
Date: Mon, 20 Apr 2026 11:34:17 +0200
Subject: [PATCH] ci: guard releases against missing binary assets
Two recent release tags (v0.33.0-rc.54.algolia.1 and v0.34.2-algolia.1) shipped with zero binary assets, making the GitHub /releases/latest response resolve to a tag that install.sh cannot download (404). The CD workflow also never fired for these because it only triggered on develop and master, but our default branch is main.
- cd.yml: add main to the push-trigger branch list so release-please and build-release run automatically on this fork.
- release.yml: after Upload Release Assets, verify every required binary and checksums.txt actually landed on the tag, and smoke-test the Linux musl tarball end-to-end by downloading it and running rtk --version. Either check failing now fails the workflow, surfacing the regression at release time instead of in user terminals.
---
 .github/workflows/cd.yml | 6 ++---
 .github/workflows/release.yml | 44 +++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 393f9e500..1aa77a7b6 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -3,7 +3,7 @@ name: CD
 on:
 workflow_dispatch:
 push:
- branches: [develop, master]
+ branches: [main, develop, master]
 concurrency:
 group: cd-${{ github.ref }}
@@ -21,7 +21,7 @@ jobs:
 pre-release:
 if: >-
 github.ref == 'refs/heads/develop'
- || (github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/master')
+ || (github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/master' && github.ref != 'refs/heads/main')
 runs-on: ubuntu-latest
 outputs:
 tag: ${{ steps.tag.outputs.tag }}
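Review bot: The release branches are now listed in three independent places — `push.branches` in the first hunk, the `workflow_dispatch` exclusion in the `pre-release` condition, and the `release-please` condition in the `@@ -98,7` hunk — and nothing in the file ties them together, which is how `main` came to be missing from the trigger in the first place. A comment above the trigger would make the coupling visible, for example `# Release branches: keep in sync with the pre-release and release-please conditions below`. It is also worth stating there that a manual `workflow_dispatch` on `main` now starts neither of the two jobs shown (it is excluded from `pre-release`, and `release-please` requires a `push` event), assuming that is intended. Both job definitions continue outside the hunks.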
@@ -98,7 +98,7 @@ jobs:
 # ═══════════════════════════════════════════════
 release-please:
- if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master') && github.event_name == 'push'
 runs-on: ubuntu-latest
 outputs:
 release_created: ${{ steps.release.outputs.release_created }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bfec8cd8a..0848f58db 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -202,6 +202,50 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Verify release assets
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TAG: ${{ steps.version.outputs.version }}
+ run: |
+ set -e
+ required=(
+ rtk-x86_64-apple-darwin.tar.gz
+ rtk-aarch64-apple-darwin.tar.gz
+ rtk-x86_64-unknown-linux-musl.tar.gz
+ rtk-aarch64-unknown-linux-gnu.tar.gz
+ rtk-x86_64-pc-windows-msvc.zip
+ checksums.txt
+ )
+ assets=$(gh release view "$TAG" --repo "${{ github.repository }}" --json assets --jq '.assets[].name')
+ echo "Uploaded assets:"
+ echo "$assets"
+ missing=0
+ for name in "${required[@]}"; do
+ if ! echo "$assets" | grep -qx "$name"; then
+ echo "::error::Missing required asset: $name"
+ missing=1
+ fi
+ done
+ if [ "$missing" -ne 0 ]; then
+ echo "::error::Release $TAG is missing required assets — install.sh would 404"
+ exit 1
+ fi
+
+ - name: Smoke test release download
+ env:
+ TAG: ${{ steps.version.outputs.version }}
+ run: |
+ set -e
+ # Verify the freshly uploaded Linux binary is actually reachable and runs.
+ # We pin the tag (not /releases/latest) because prereleases and not-yet-promoted
+ # tags are invisible to that endpoint.
+ url="https://github.com/${{ github.repository }}/releases/download/${TAG}/rtk-x86_64-unknown-linux-musl.tar.gz"
+ echo "Downloading: $url"
+ tmp=$(mktemp -d)
+ curl -fsSL "$url" -o "$tmp/rtk.tar.gz"
+ tar -xzf "$tmp/rtk.tar.gz" -C "$tmp"
+ "$tmp/rtk" --version
+
 notify-discord:
 name: Notify Discord
 needs: [release]
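Review bot: The smoke test extracts and runs the downloaded tarball without checking it against `checksums.txt`, and the verify step only confirms that an asset with that name exists, so a release whose archive and published checksum disagree still passes both steps. Fetching `checksums.txt` next to the tarball and running `sha256sum --check --ignore-missing` before `tar` would close that gap; this assumes the file is in `sha256sum` format, which the hunk does not show. Separately, `grep -qx "$name"` treats the asset name as a regular expression, so every dot matches any character; `grep -qxF -- "$name"` compares literally. The job header and runner are outside the hunk, so the x86_64 Linux assumption behind executing the musl binary cannot be confirmed from here.

```yaml
      - name: Smoke test release download
        # … unchanged: env TAG, set -e, explanatory comment …
        run: |
          base="https://github.com/${{ github.repository }}/releases/download/${TAG}"
          asset="rtk-x86_64-unknown-linux-musl.tar.gz"
          tmp=$(mktemp -d)
          curl -fsSL "$base/$asset" -o "$tmp/$asset"
          curl -fsSL "$base/checksums.txt" -o "$tmp/checksums.txt"
          # Assumes checksums.txt is sha256sum-format output; confirm against the step that generates it.
          # --ignore-missing skips the other platforms' archives and still fails if nothing was verified.
          (cd "$tmp" && sha256sum --check --ignore-missing checksums.txt)
          tar -xzf "$tmp/$asset" -C "$tmp"
          "$tmp/rtk" --version
```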