Self-test install.sh smoke gate on every workflow edit against v5.1.30

Commit 7c0f65425 wired install-sh-smoke.yml into create-release.yml but
the workflow has never actually executed — the pre-install structural
checks were validated locally against rc.5, but the privileged systemd
container portion is unproven on GitHub's cgroup-v2 runners. The first
real release through the pipeline would be its trial run, and a bug at
the container layer would block the release.

Add a push-event self-test that re-runs the full gate against v5.1.30
(a known-good release with the same server-installer banner, the same
--version arg handler, and the same ed25519 signing key as v6 RCs)
whenever this workflow file changes on pulse/v6-release or main. This
both validates the gate continuously and registers the workflow with
GitHub's actions/workflows API so it becomes dispatchable via gh CLI
and the REST endpoint — workflows on non-default branches with only
workflow_call + workflow_dispatch never appear in the API until they
have been triggered by a non-dispatch event.

Replace direct `${{ inputs.* }}` references with a single resolve step
that falls back to v5.1.30 / 5.1.30 / github.repository when no inputs
are supplied (push trigger). Drop the now-redundant Resolve release
repository step. Behavior under workflow_call from create-release.yml
is unchanged: the create-release-supplied tag/version/repository win.
rcourtman 2026-05-12 11:50:19 +01:00
parent 7c0f654253
commit 5908187445
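The commit message describes a resolve step whose fallback to v5.1.30 / 5.1.30 / github.repository applies independently to each input. The following is an added example, not the project's workflow code, that models the same step in plain bash and handles the edge case the independent fallbacks leave open: a caller that supplies a tag but not a version (or vice versa). The fallback values come from the page; the default repository string `owner/repo` is an assumed stand-in for `${{ github.repository }}`.

```shell
#!/usr/bin/env bash
# Added example: a stand-alone model of the "Resolve smoke inputs" step.
# The v5.1.30 defaults are taken as a pair, so a partially supplied
# tag/version does not silently mix a v6 tag with the 5.1.30 version.
set -euo pipefail

FALLBACK_TAG="v5.1.30"        # canonical known-good release (from the page)
FALLBACK_VERSION="5.1.30"
DEFAULT_REPO="owner/repo"     # assumed placeholder for ${{ github.repository }}

# resolve_smoke_inputs TAG VERSION REPO
# Prints "tag=... version=... repo=..." (the same key=value shape the step
# appends to $GITHUB_OUTPUT), or returns 1 when the pair is inconsistent.
resolve_smoke_inputs() {
  local in_tag="$1" in_version="$2" in_repo="$3" tag version repo
  if [ -z "$in_tag" ] && [ -z "$in_version" ]; then
    # push-triggered self-test: no inputs at all -> canonical release
    tag="$FALLBACK_TAG"; version="$FALLBACK_VERSION"
  elif [ -z "$in_tag" ] || [ -z "$in_version" ]; then
    echo "error: tag and version must be supplied together (tag='$in_tag' version='$in_version')" >&2
    return 1
  else
    tag="$in_tag"; version="$in_version"
  fi
  # cheap consistency check: the tag is expected to be "v" + version
  if [ "$tag" != "v$version" ]; then
    echo "error: tag '$tag' does not match version '$version'" >&2
    return 1
  fi
  # the tag later becomes part of a tarball file name; refuse separators/blanks
  case "$tag" in
    *[/[:space:]]*) echo "error: unsafe tag '$tag'" >&2; return 1 ;;
  esac
  repo="${in_repo:-$DEFAULT_REPO}"
  printf 'tag=%s version=%s repo=%s\n' "$tag" "$version" "$repo"
}

# Usage (mirrors the push trigger, where all three inputs are empty):
# resolve_smoke_inputs "" "" ""   -> tag=v5.1.30 version=5.1.30 repo=owner/repo
```

In the real step the three positional arguments would be `$INPUT_TAG`, `$INPUT_VERSION` and `$INPUT_REPO`, and the printed line would be split into the three `>> "$GITHUB_OUTPUT"` writes; the point of the model is that the failure is raised in the resolve step rather than surfacing later as an opaque download or container error.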


@ -59,12 +59,27 @@ on:
required: false
type: string
default: ''
# Self-test on workflow edits: every change to this file re-runs the gate
# against the canonical known-good release (v5.1.30) on the working branch.
# This both validates the workflow before the next release depends on it
# (commit b69c8c800 wired it into create-release.yml without ever having
# exercised the container portion in CI) and serves as ongoing protection
# against regressions in the gate logic itself. The push trigger also
# registers the workflow for API / CLI dispatch — workflows on non-default
# branches with only workflow_call + workflow_dispatch never appear in the
# actions/workflows API until they are triggered by a non-dispatch event.
push:
branches:
- pulse/v6-release
- main
paths:
- '.github/workflows/install-sh-smoke.yml'
permissions:
contents: read
concurrency:
group: install-sh-smoke-${{ inputs.tag }}
group: install-sh-smoke-${{ inputs.tag || 'self-test' }}
cancel-in-progress: false
jobs:
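Review bot: the new inline comment above the push trigger cites commit b69c8c800 as the one that wired this workflow into create-release.yml, but the commit message and the parent hash both name 7c0f65425; one of the two is wrong, and a stale hash in the comment that is supposed to explain why the self-test exists will mislead the next reader. Make the comment agree with the commit message. The concurrency change is fine as far as it goes: every push self-test now shares the group `install-sh-smoke-self-test` and, with `cancel-in-progress: false`, queues rather than cancels, while release runs keep their per-tag group.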
@ -75,20 +90,31 @@ jobs:
- name: Checkout repository (for README key extraction)
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Resolve release repository
id: repo
- name: Resolve smoke inputs
id: inputs
env:
INPUT_TAG: ${{ inputs.tag }}
INPUT_VERSION: ${{ inputs.version }}
INPUT_REPO: ${{ inputs.repository }}
DEFAULT_REPO: ${{ github.repository }}
run: |
# Push-triggered self-test runs without workflow inputs; fall back to
# the canonical known-good release. v5.1.30 has the same server-
# installer banner, the same --version arg handler, and is signed
# with the same ed25519 key as v6 RCs, so it exercises the same
# code paths a real release would.
tag="${INPUT_TAG:-v5.1.30}"
version="${INPUT_VERSION:-5.1.30}"
repo="${INPUT_REPO:-$DEFAULT_REPO}"
echo "tag=$tag" >> "$GITHUB_OUTPUT"
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "repo=$repo" >> "$GITHUB_OUTPUT"
echo "Using release repository: $repo"
echo "Resolved: tag=$tag version=$version repo=$repo"
- name: Download published install.sh + sshsig + linux-amd64 tarball
env:
TAG: ${{ inputs.tag }}
REPO: ${{ steps.repo.outputs.repo }}
TAG: ${{ steps.inputs.outputs.tag }}
REPO: ${{ steps.inputs.outputs.repo }}
run: |
set -euo pipefail
mkdir -p smoke-workspace
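Review bot: the fallbacks in `tag="${INPUT_TAG:-v5.1.30}"` and `version="${INPUT_VERSION:-5.1.30}"` are applied independently, and both inputs are optional with default '', so a workflow_call that passes tag but not version (or the reverse) silently yields e.g. tag=v6.0.0-rc.6 with version=5.1.30, and the mismatch only surfaces inside the privileged container step. Apply the v5.1.30/5.1.30 pair only when both inputs are empty, fail the step when exactly one is, and assert `[ "$tag" = "v$version" ]` before writing to $GITHUB_OUTPUT. This run block is also the only one in the file without `set -euo pipefail`; add it for consistency with the steps that follow.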
@ -110,7 +136,7 @@ jobs:
- name: Verify install.sh signature with README's pinned key
env:
TAG: ${{ inputs.tag }}
TAG: ${{ steps.inputs.outputs.tag }}
run: |
set -euo pipefail
readme_key=$(grep -oE 'ssh-ed25519 [A-Za-z0-9+/=]+ pulse-installer' README.md | head -1)
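Review bot: on the push-triggered self-test the README.md read here comes from the pushed branch while the artifact being verified is the fixed v5.1.30 release, so the check now depends on main and pulse/v6-release still listing the key v5.1.30 was signed with. A key rotation in README would turn every subsequent edit of this workflow into a failing run for a reason unrelated to the gate logic. Either pin the expected key for the fallback next to the fallback tag in the resolve step, or record that assumption in the comment that introduces the v5.1.30 default.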
@ -157,8 +183,8 @@ jobs:
- name: Run install.sh end-to-end in a privileged systemd container
env:
TAG: ${{ inputs.tag }}
VERSION: ${{ inputs.version }}
TAG: ${{ steps.inputs.outputs.tag }}
VERSION: ${{ steps.inputs.outputs.version }}
run: |
set -euo pipefail
tarball="pulse-${TAG}-linux-amd64.tar.gz"
@ -253,4 +279,4 @@ jobs:
- name: Smoke result
run: |
echo "::notice::install.sh smoke passed for tag ${{ inputs.tag }}"
echo "::notice::install.sh smoke passed for tag ${{ steps.inputs.outputs.tag }}"
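Review bot: the notice reports only the tag, so a push self-test prints `install.sh smoke passed for tag v5.1.30` with nothing to distinguish the fallback run from a release-gate run on the same tag. Include the resolved version and repository (`steps.inputs.outputs.version`, `steps.inputs.outputs.repo`), or an explicit self-test marker when `inputs.tag` is empty, since this run is the continuous validation of the gate the commit message describes.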