From 2cd3b88cfac03b6b972d084cfc492f48d1969217 Mon Sep 17 00:00:00 2001 From: Harshit Singh Bhandari Date: Mon, 29 Jun 2026 15:44:30 +0530 Subject: [PATCH] fix(ci): Windows publish shell + fresh-install smoke check (#2267) (#2269) * fix(ci): pin publish step to bash so the retry loop runs on Windows The 3x retry wrapper added in #2266 is bash syntax, but the release matrix Publish step inherited the runner default shell, which is PowerShell on windows-latest. That made every Windows publish fail with a ParserError. Pin shell: bash on all four publish steps. Co-Authored-By: Claude Opus 4.8 * fix(ci): point fresh-install smoke check at an empty release repo (#2267) The container check asserts `ao start` fails cleanly on a fresh box with no published asset. Now that AgentWrapper publishes a linux-x64 AppImage, an unpinned smoke binary downloads it and exits 0, tripping the assertion. Build the smoke binary against a release repo with no assets so the fetch path deterministically 404s and start exits non-zero with a clear error, preserving the test's intent without depending on what the real repo publishes. Co-Authored-By: Claude Opus 4.8 --------- Co-authored-by: Claude Opus 4.8 --- .github/workflows/frontend-nightly.yml | 2 ++ .github/workflows/frontend-release.yml | 2 ++ test/cli/Dockerfile | 8 +++++++- test/cli/install-check.sh | 13 +++++++------ 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/.github/workflows/frontend-nightly.yml b/.github/workflows/frontend-nightly.yml index b56de27d1..c441b0bd7 100644 --- a/.github/workflows/frontend-nightly.yml +++ b/.github/workflows/frontend-nightly.yml @@ -85,6 +85,7 @@ jobs: apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} - name: Publish + shell: bash run: | # Retry transient macOS sign/notary flakes (Apple notary -1009, # osx-sign keychain races) so the build self-heals instead of failing. @@ -144,6 +145,7 @@ jobs: apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} - name: Publish + shell: bash run: | # Retry transient macOS sign/notary flakes (Apple notary -1009, # osx-sign keychain races) so the build self-heals instead of failing. diff --git a/.github/workflows/frontend-release.yml b/.github/workflows/frontend-release.yml index ccec8e3cb..e588a7f0d 100644 --- a/.github/workflows/frontend-release.yml +++ b/.github/workflows/frontend-release.yml @@ -76,6 +76,7 @@ jobs: apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} - name: Publish + shell: bash run: | # Retry transient macOS sign/notary flakes (Apple notary -1009, # osx-sign keychain races) so the build self-heals instead of failing. @@ -200,6 +201,7 @@ jobs: apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }} apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }} - name: Publish + shell: bash run: | # Retry transient macOS sign/notary flakes (Apple notary -1009, # osx-sign keychain races) so the build self-heals instead of failing. diff --git a/test/cli/Dockerfile b/test/cli/Dockerfile index ce947d148..43cb951b9 100644 --- a/test/cli/Dockerfile +++ b/test/cli/Dockerfile @@ -18,7 +18,13 @@ RUN cd backend && go mod download COPY backend ./backend # Pure-Go SQLite (modernc) builds fine with CGO disabled -> a static binary. -RUN cd backend && CGO_ENABLED=0 go build -trimpath -o /out/ao ./cmd/ao +# Build against a release repo with NO published assets so `ao start` reaches the +# fetch path and fails cleanly (404) on a fresh box. The real AgentWrapper repo +# now publishes a linux-x64 AppImage, so an unpinned binary would download it and +# exit 0, defeating the fresh-install assertion below. See install-check.sh. +RUN cd backend && CGO_ENABLED=0 go build -trimpath \ + -ldflags "-X github.com/aoagents/agent-orchestrator/backend/internal/cli.releaseRepo=AgentWrapper/ao-fresh-install-fixture" \ + -o /out/ao ./cmd/ao # ---- stage 2: a clean machine with NO Go toolchain, just like an end user ---- FROM debian:bookworm-slim AS run diff --git a/test/cli/install-check.sh b/test/cli/install-check.sh index 3af4756c3..96c2e60a1 100755 --- a/test/cli/install-check.sh +++ b/test/cli/install-check.sh @@ -22,12 +22,13 @@ echo "ao binary : $(command -v "$AO_BIN")" # `ao start` is now the desktop-app launcher: it resolves an installed app or # fetches the release, then opens it (it no longer runs a daemon). On a fresh -# container there is no installed app, so start reaches the fetch path. With no -# published asset for this platform it must exit non-zero with a clear `ao -# start:` error (an unreachable/404 download on amd64, or an unsupported-arch -# error on arm64), never a panic or a silent success. The full launcher -# behaviour is covered by the Go e2e suite; this only proves the fresh-box path -# is sane on whatever arch the runner uses. +# container there is no installed app, so start reaches the fetch path. The smoke +# binary is built against a release repo with no published assets (see +# Dockerfile), so the fetch deterministically 404s and start must exit non-zero +# with a clear `ao start:` error (an unreachable/404 download on amd64, or an +# unsupported-arch error on arm64), never a panic or a silent success. The full +# launcher behaviour is covered by the Go e2e suite; this only proves the +# fresh-box path is sane on whatever arch the runner uses. if err="$("$AO_BIN" start 2>&1)"; then fail "start unexpectedly succeeded on a fresh machine with no installed app" fi