From 2900e41b2db95561471d17bb9f4fdf097b56b8ac Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sun, 28 Jun 2026 03:30:31 +0100 Subject: [PATCH] Refresh RC7 packet after release-gate fixes --- ...legacy-cleanup-v6-rc7-packet-2026-06-27.md | 48 +++++++++++++++---- docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md | 30 +++++++----- docs/releases/V6_CHANGELOG_RC7_DRAFT.md | 20 +++++--- .../V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md | 8 +++- 4 files changed, 77 insertions(+), 29 deletions(-) diff --git a/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md index 699286264..058cdc302 100644 --- a/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md +++ b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md @@ -4,11 +4,11 @@ - From tag: `v6.0.0-rc.6` - From commit: `c25e95cb2b071551df95c8add62773905ba0628b` -- To validation-risk commit: `fc10de9b5477613316473267b72b05b6b2b7aaff` -- Git range: `v6.0.0-rc.6..fc10de9b5477613316473267b72b05b6b2b7aaff` -- Commit count: `975` -- Date span in the range: `2026-05-27` through `2026-06-27` -- Changed scope: `1997` files, `239625` insertions, `47030` deletions +- To validation-risk commit: `d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- Git range: `v6.0.0-rc.6..d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- Commit count: `979` +- Date span in the range: `2026-05-27` through `2026-06-28` +- Changed scope: `2003` files, `239767` insertions, `47168` deletions The final release workflow dispatch may use a later metadata-only packet refresh commit. That refresh is not counted as a new validation-risk commit @@ -38,8 +38,33 @@ included commits surface deterministic capacity forecasts as finding signals, query capacity forecast history through the metrics target ID, and sanitize Patrol runtime failures in history. -No public issue comment, retitle, closure, release publication, or customer -message was made as part of this packet update. +The final RC7 release attempt exposed three release-gate issues after that +packet refresh: + +1. GitHub CI runners with real `/sys/block` devices could make the hostagent + SMART no-device test observe a real disk instead of the forced no-device + fallback. +2. Alert manager tests could leave asynchronous active-alert/history saves + writing into `t.TempDir()` while Go test cleanup removed the directory. +3. The published `install.sh` end-to-end smoke on a minimal Debian systemd + container failed with `ssh-keygen is required to verify signed Pulse release + assets` because the root installer did not bootstrap `openssh-client` before + signed archive verification. + +The corrective commits harden the hostagent no-device proof, track alert save +workers during shutdown, and make the root installer install `ca-certificates` +and `openssh-client` alongside `curl` and `wget` while treating `jq` as the +only optional install-time helper. The Pulse repository `WORKFLOW_PAT` Actions +secret was also refreshed on 2026-06-28 after the downstream private Pro +publication job failed to dispatch the existing `rcourtman/pulse-enterprise` +`Build Pro Release` workflow with the previous token. + +No public issue comment, retitle, closure, or customer message was made as part +of this packet update. A failed `v6.0.0-rc.7` release workflow had already +published the earlier draft assets before the downstream install smoke and +private Pro handoff failures surfaced; final publication must therefore replace +that failed public release state with assets built from the refreshed branch +head. ## Verification @@ -57,6 +82,9 @@ message was made as part of this packet update. RC7 Docker-default correction - Release packet head refresh: - validation-risk commit - `fc10de9b5477613316473267b72b05b6b2b7aaff` - - `975` commits from `v6.0.0-rc.6` - - `1997` files changed, `239625` insertions, `47030` deletions + `d796928969b0b557ef5ed2d48e0e6f5e5a197df3` + - `979` commits from `v6.0.0-rc.6` + - `2003` files changed, `239767` insertions, `47168` deletions +- Final installability proof: + - `go test ./scripts/installtests -run 'TestRootInstallScript(ArchiveSupportContract|InstallsSignatureVerificationDependencies)|TestInstallShSmokeWorkflowPresent|TestCreateReleasePublishesPrivateProRuntime' -count=1` + - `python3 scripts/release_control/contract_audit.py --check` diff --git a/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md b/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md index cd15c2c6a..6daa0189a 100644 --- a/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md +++ b/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md @@ -38,7 +38,8 @@ prerelease before any stable v6 promotion: - Platform surfaces kept the v5-shaped navigation, but gained substantial table, drawer, filter, and action consistency work. - The release and install pipeline has newer branch-policy, workflow-pin, - installer, update, and proof hardening than the shipped RC6 packet. + installer, update, and proof hardening than the shipped RC6 packet, including + fresh-host dependency bootstrap for signed server-installer verification. ## What changed since `rc.6` @@ -111,6 +112,8 @@ Notable release-readiness changes since RC6 include: - patched Go toolchain wiring for v6 release builds - release dry-run and promotion policy guardrail updates - release asset validation and installer smoke improvements +- root server installer bootstrap of `ca-certificates` and `openssh-client` + before signed release archive verification - audit log, webhook, tenant, token, and bootstrap handling fixes ### Monitoring and correctness fixes @@ -131,18 +134,20 @@ refresh may be the workflow dispatch head; the validation range below is the code-backed release-risk range. - `v6.0.0-rc.6`: `c25e95cb2b071551df95c8add62773905ba0628b` -- validation-risk commit: `fc10de9b5477613316473267b72b05b6b2b7aaff` -- range: `v6.0.0-rc.6..fc10de9b5477613316473267b72b05b6b2b7aaff` -- commit count: `975` -- changed scope: `1997` files, `239625` insertions, `47030` deletions +- validation-risk commit: `d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- range: `v6.0.0-rc.6..d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- commit count: `979` +- changed scope: `2003` files, `239767` insertions, `47168` deletions The final validation-risk commits add deterministic capacity-forecast finding signals, correct capacity-history lookup to use the metrics target ID, and -sanitize Patrol runtime failures in history. The earlier RC7 installability -correction also remains in scope: repo-root Docker Compose and -`scripts/install-docker.sh` default to `6.0.0-rc.7`, while the stable promotion -guard stays version-aware so future `6.0.0` promotion still rejects stale -prerelease Docker defaults. +sanitize Patrol runtime failures in history. The release-validation fixes after +that head harden hostagent no-device CI proof, alert shutdown/save lifecycle +proof, and the published server installer smoke: repo-root Docker Compose and +`scripts/install-docker.sh` default to `6.0.0-rc.7`, the stable promotion guard +stays version-aware so future `6.0.0` promotion still rejects stale prerelease +Docker defaults, and fresh Debian/Ubuntu/Proxmox installs bootstrap +`openssh-client` before signature verification. ## Retest plan @@ -160,8 +165,9 @@ prerelease Docker defaults. discoveries. 7. Walk Proxmox, Docker, Kubernetes, TrueNAS, vSphere, Machines, Alerts, Patrol, and Settings in-browser with real or representative data. -8. Re-test release assets, checksums, signatures, installer scripts, Docker - images, Helm smoke, and preview demo routing before publishing broadly. +8. Re-test release assets, checksums, signatures, installer scripts on a fresh + minimal Debian/Ubuntu-style host, Docker images, Helm smoke, and preview + demo routing before publishing broadly. 9. Re-test provider MSP and Cloud control-plane flows only against the governed staging or proof environments. 10. Verify self-hosted commercial posture: no monitored-system cap on current diff --git a/docs/releases/V6_CHANGELOG_RC7_DRAFT.md b/docs/releases/V6_CHANGELOG_RC7_DRAFT.md index 3d6489ef9..7a5ee07cf 100644 --- a/docs/releases/V6_CHANGELOG_RC7_DRAFT.md +++ b/docs/releases/V6_CHANGELOG_RC7_DRAFT.md @@ -10,7 +10,10 @@ governed `v6.0.0-rc.7` prerelease exists._ platform-shaped top-level navigation restored in `rc.6`, but it carries a much larger post-RC6 branch delta across Assistant, Patrol, availability checks, platform-table consistency, provider MSP, commercial continuity, release -tooling, installers, security hardening, and monitoring correctness. +tooling, installers, security hardening, and monitoring correctness. The final +installability fix also keeps signed release verification working on minimal +fresh Debian/Ubuntu/Proxmox hosts by bootstrapping the package that provides +`ssh-keygen`. The branch also contains earlier `v6.0.0` stable-promotion packet work. RC7 supersedes that operationally by keeping the next public v6 artifact on the @@ -23,10 +26,10 @@ validation-risk range. A later packet-only refresh may be the workflow dispatch head; the validation range below is the code-backed release-risk range. - `v6.0.0-rc.6`: `c25e95cb2b071551df95c8add62773905ba0628b` -- validation-risk commit: `fc10de9b5477613316473267b72b05b6b2b7aaff` -- range: `v6.0.0-rc.6..fc10de9b5477613316473267b72b05b6b2b7aaff` -- commit count: `975` -- changed scope: `1997` files, `239625` insertions, `47030` deletions +- validation-risk commit: `d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- range: `v6.0.0-rc.6..d796928969b0b557ef5ed2d48e0e6f5e5a197df3` +- commit count: `979` +- changed scope: `2003` files, `239767` insertions, `47168` deletions Those commits are grouped here by operator-visible behavior and release risk instead of listed one by one. @@ -111,6 +114,10 @@ instead of listed one by one. - RC7 Docker install defaults now pin the governed `6.0.0-rc.7` image in both the repo-root Compose sample and Docker bootstrap installer fallback, while keeping stable-promotion proof guarded against leftover prerelease defaults. +- The root server installer now installs `ca-certificates` and + `openssh-client` before signed release archive verification, so fresh + supported hosts do not fail only because `ssh-keygen` was absent before Pulse + installation began. - Installer scripts gained additional update resilience, Windows agent install coverage, root install tests, uninstall sensor-proxy support, and bundled agent installer fail-closed behavior. @@ -144,7 +151,8 @@ instead of listed one by one. - Release dry run and draft release workflow on `pulse/v6-release`. - Release assets, checksums, signatures, Docker image, Helm smoke, and preview - demo routing. + demo routing, including the published `install.sh` smoke on a minimal + Debian-style systemd container. - Upgrade from v5 stable and from earlier RCs, especially `rc.2` trust-root continuity. - Patrol and Assistant with real alert/finding/resource context. diff --git a/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md b/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md index 21ea73fff..e13b8f41e 100644 --- a/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md +++ b/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md @@ -51,6 +51,9 @@ lets operators test the current branch head without treating it as stable v6. Alerts, and Settings. - Provider MSP, Cloud, commercial continuity, installer, update, and release proof paths were hardened. +- Fresh supported Debian, Ubuntu, and Proxmox installs bootstrap the + `openssh-client` package before signed release archive verification, so + missing `ssh-keygen` on a minimal host should not block the server installer. - Security and correctness fixes landed across outbound HTTP, webhooks, audit logging, tenant boundaries, metrics, alerts, and unified resources. @@ -161,7 +164,8 @@ posting. public self-hosted plans and no default trial pressure in normal self-hosted surfaces. 13. Re-test install, update, Docker, Helm, preview demo, and release asset - workflows before broader retesting. + workflows before broader retesting, including the published `install.sh` + path on a minimal Debian-style host or container. ## Ask for these details @@ -186,6 +190,8 @@ When a user reports an `rc.7` problem, ask for: Escalate without asking the user to keep experimenting when the report involves: - failed install or failed upgrade with no recovery path +- `ssh-keygen is required to verify signed Pulse release assets` on a fresh + supported Debian, Ubuntu, or Proxmox server install - stable install path unexpectedly landing on a v6 prerelease - duplicate or missing agent identity after a v5-to-v6 upgrade - hosted, checkout, magic-link, SSO, webhook, token, or tenant access granted