Route demo updates over governed Tailscale path

2026-05-05 23:36:37 +00:00 · 2026-04-11 13:35:37 +01:00 · 2026-04-11 13:35:37 +01:00 · 3a992a4fae
commit 3a992a4fae
parent 1a0acd310a
6 changed files with 53 additions and 14 deletions
--- a/docs/release-control/v6/internal/subsystems/deployment-installability.md
+++ b/docs/release-control/v6/internal/subsystems/deployment-installability.md
@ -191,6 +191,11 @@ shell actually updated. That proof
 must use a deterministic HTML parser for the actual module entry script rather
 than brittle escaped shell regex or a first-match asset scrape that can fail
 differently over SSH or select the wrong preloaded chunk.
+Those same governed demo deploy/update workflows also own the runner-to-host
+network path. They must establish the canonical Tailscale connectivity step
+before SSH setup so stable or preview targets may stay on governed private
+hostnames or Tailscale IPs, rather than silently depending on public SSH
+reachability from GitHub-hosted runners.
 Those same governed release workflows also own the operator-facing wording for
 that promotion metadata. Human-visible workflow inputs, summaries, and error
 messages must describe the path as a prerelease or preview flow rather than