fix(ci): Windows publish shell + fresh-install smoke check (#2267) (#2269)

* fix(ci): pin publish step to bash so the retry loop runs on Windows

The 3x retry wrapper added in #2266 is bash syntax, but the release
matrix Publish step inherited the runner default shell, which is
PowerShell on windows-latest. That made every Windows publish fail with
a ParserError. Pin shell: bash on all four publish steps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(ci): point fresh-install smoke check at an empty release repo (#2267)

The container check asserts `ao start` fails cleanly on a fresh box with
no published asset. Now that AgentWrapper publishes a linux-x64 AppImage,
an unpinned smoke binary downloads it and exits 0, tripping the
assertion. Build the smoke binary against a release repo with no assets
so the fetch path deterministically 404s and start exits non-zero with a
clear error, preserving the test's intent without depending on what the
real repo publishes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Harshit Singh Bhandari 2026-06-29 15:44:30 +05:30 committed by GitHub
parent 92a52f0992
commit 2cd3b88cfa
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 18 additions and 7 deletions

View File

@ -85,6 +85,7 @@ jobs:
apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }}
apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }}
- name: Publish
shell: bash
run: |
# Retry transient macOS sign/notary flakes (Apple notary -1009,
# osx-sign keychain races) so the build self-heals instead of failing.
@ -144,6 +145,7 @@ jobs:
apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }}
apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }}
- name: Publish
shell: bash
run: |
# Retry transient macOS sign/notary flakes (Apple notary -1009,
# osx-sign keychain races) so the build self-heals instead of failing.

View File

@ -76,6 +76,7 @@ jobs:
apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }}
apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }}
- name: Publish
shell: bash
run: |
# Retry transient macOS sign/notary flakes (Apple notary -1009,
# osx-sign keychain races) so the build self-heals instead of failing.
@ -200,6 +201,7 @@ jobs:
apple-api-issuer: ${{ secrets.APPLE_API_ISSUER }}
apple-signing-identity: ${{ secrets.APPLE_SIGNING_IDENTITY }}
- name: Publish
shell: bash
run: |
# Retry transient macOS sign/notary flakes (Apple notary -1009,
# osx-sign keychain races) so the build self-heals instead of failing.

View File

@ -18,7 +18,13 @@ RUN cd backend && go mod download
COPY backend ./backend
# Pure-Go SQLite (modernc) builds fine with CGO disabled -> a static binary.
RUN cd backend && CGO_ENABLED=0 go build -trimpath -o /out/ao ./cmd/ao
# Build against a release repo with NO published assets so `ao start` reaches the
# fetch path and fails cleanly (404) on a fresh box. The real AgentWrapper repo
# now publishes a linux-x64 AppImage, so an unpinned binary would download it and
# exit 0, defeating the fresh-install assertion below. See install-check.sh.
RUN cd backend && CGO_ENABLED=0 go build -trimpath \
-ldflags "-X github.com/aoagents/agent-orchestrator/backend/internal/cli.releaseRepo=AgentWrapper/ao-fresh-install-fixture" \
-o /out/ao ./cmd/ao
# ---- stage 2: a clean machine with NO Go toolchain, just like an end user ----
FROM debian:bookworm-slim AS run

View File

@ -22,12 +22,13 @@ echo "ao binary : $(command -v "$AO_BIN")"
# `ao start` is now the desktop-app launcher: it resolves an installed app or
# fetches the release, then opens it (it no longer runs a daemon). On a fresh
# container there is no installed app, so start reaches the fetch path. With no
# published asset for this platform it must exit non-zero with a clear `ao
# start:` error (an unreachable/404 download on amd64, or an unsupported-arch
# error on arm64), never a panic or a silent success. The full launcher
# behaviour is covered by the Go e2e suite; this only proves the fresh-box path
# is sane on whatever arch the runner uses.
# container there is no installed app, so start reaches the fetch path. The smoke
# binary is built against a release repo with no published assets (see
# Dockerfile), so the fetch deterministically 404s and start must exit non-zero
# with a clear `ao start:` error (an unreachable/404 download on amd64, or an
# unsupported-arch error on arm64), never a panic or a silent success. The full
# launcher behaviour is covered by the Go e2e suite; this only proves the
# fresh-box path is sane on whatever arch the runner uses.
if err="$("$AO_BIN" start 2>&1)"; then
fail "start unexpectedly succeeded on a fresh machine with no installed app"
fi