From f69e68d4a4e32d6d689102749d96e595524c985d Mon Sep 17 00:00:00 2001
From: rcourtman <courtmanr@gmail.com>
Date: Sun, 3 May 2026 16:18:56 +0100
Subject: [PATCH] Refresh RC3 packet for stable installer fix

---
 ...acy-cleanup-rc3-commit-audit-2026-05-03.md | 28 ++++++++++---------
 .../subsystems/deployment-installability.md   |  3 ++
 docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md   |  9 ++++--
 docs/releases/V6_CHANGELOG_RC3_DRAFT.md       | 11 +++++---
 .../V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md     |  5 ++++
 .../render_release_body_test.py               |  5 ++--
 6 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-rc3-commit-audit-2026-05-03.md b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-rc3-commit-audit-2026-05-03.md
index 2adc07518..a48e817a4 100644
--- a/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-rc3-commit-audit-2026-05-03.md
+++ b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-rc3-commit-audit-2026-05-03.md
@@ -15,17 +15,18 @@ described the v5.1.29 maintenance ports and current RC issue follow-up. That
 was accurate but under-scoped for the full `rc.2` to `rc.3` delta.
 
 The packet was refreshed again after the later RC3 candidate commits that made
-self-hosted SSO a Community-tier capability and audited SSO provider settings.
+self-hosted SSO a Community-tier capability, audited SSO provider settings,
+and fixed stable installer prerelease selection.
 
 ## Reviewed Range
 
 - From tag: `v6.0.0-rc.2`
 - From commit: `2868b44cf91b59bca85cd886711d78cd3c376fab`
-- To candidate commit: `83f6296c94e91fb53d088d0b53776de518b1389b`
-- Git range: `v6.0.0-rc.2..83f6296c94e91fb53d088d0b53776de518b1389b`
-- Commit count: `601`
+- To candidate commit: `c27814d1901ec59fad510dfb5c57358dfa6525b1`
+- Git range: `v6.0.0-rc.2..c27814d1901ec59fad510dfb5c57358dfa6525b1`
+- Commit count: `603`
 - Date span in the range: `2026-04-16` through `2026-05-03`
-- Changed scope: `1765` files, `113498` insertions, `72686` deletions
+- Changed scope: `1765` files, `113745` insertions, `72725` deletions
 
 ## Review Method
 
@@ -47,11 +48,11 @@ Commands used for the coverage pass:
 
 ## Commit Coverage Summary
 
-The 601 commits were covered by these release-note buckets:
+The 603 commits were covered by these release-note buckets:
 
 - release packaging, release validation, signed assets, installer resolution,
-  update signer continuity, rollback posture, Helm, Docker, and workflow
-  hardening
+  stable-channel prerelease filtering, update signer continuity, rollback
+  posture, Helm, Docker, and workflow hardening
 - security, auth, token handling, setup/bootstrap state, transport validation,
   trusted proxy, websocket origin, workflow permission, webhook, and outbound
   HTTP hardening
@@ -80,17 +81,18 @@ corrective maintenance RC:
 - `docs/releases/V6_CHANGELOG_RC3_DRAFT.md`
   - records the exact commit range and count
   - adds release packaging, security/auth, hosted/mobile, governance, latest
-    storage, skip-auth, SSO entitlement, provider-settings, and
-    artifact-validation coverage
+    storage, skip-auth, SSO entitlement, provider-settings, stable installer
+    selection, and artifact-validation coverage
 - `docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md`
   - expands the release intent from a narrow corrective RC to a broad
     hardening RC with corrective maintenance at its core
   - adds release packaging, security/auth, hosted/mobile, governance, storage
-    summary, skip-auth, SSO entitlement, provider-settings, and
-    artifact-validation re-test notes
+    summary, skip-auth, SSO entitlement, provider-settings, stable installer
+    selection, and artifact-validation re-test notes
 - `docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md`
   - aligns maintainer-facing support language with the broader audited delta
-  - adds the newest storage, skip-auth, SSO, and release-asset validation notes
+  - adds the newest storage, skip-auth, SSO, stable installer selection, and
+    release-asset validation notes
 - `docs/release-control/v6/internal/subsystems/deployment-installability.md`
   - records that post-draft packet changes must carry exact commit coverage,
     artifact/release-pipeline evidence, and a refreshed draft before
diff --git a/docs/release-control/v6/internal/subsystems/deployment-installability.md b/docs/release-control/v6/internal/subsystems/deployment-installability.md
index ba2361b23..d7611e04e 100644
--- a/docs/release-control/v6/internal/subsystems/deployment-installability.md
+++ b/docs/release-control/v6/internal/subsystems/deployment-installability.md
@@ -180,6 +180,9 @@ server-side update execution surfaces.
    new candidate head, including the exact commit count, candidate commit hash,
    changed-scope summary, and any new release-risk themes introduced by those
    commits.
+   Installer-resolution fixes that affect stable versus prerelease selection
+   are one of those release-risk themes and must be named in the current RC
+   packet before the release workflow is restarted.
    The prerelease feedback intake template and active demo/update metadata must
    also stay on generic or current-RC wording instead of hard-coding stale
    `rc.1` examples once later candidates exist.
diff --git a/docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md b/docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md
index d07614f9b..bab4abad5 100644
--- a/docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md
+++ b/docs/releases/RELEASE_NOTES_v6_RC3_DRAFT.md
@@ -13,6 +13,8 @@ before broader retesting:
 
 - release artifacts, draft metadata, upload retries, signing, validation, and
   installer resolution should match the current release workflow
+- stable installer resolution should stay on the latest stable semver tag even
+  when GitHub's floating latest release points at an RC
 - auth, token, update, hosted callback, transport, and workflow trust
   boundaries should fail closed where the `rc.2` line was too loose
 - v5-to-v6 installs and updates should avoid avoidable installer, disk-space,
@@ -31,10 +33,10 @@ before broader retesting:
 - the support packet should be explicit about the post-`rc.2` update-signer
   transition and the stable rollback target
 
-This packet was audited against all `601` commits in the current candidate
+This packet was audited against all `603` commits in the current candidate
 range, from
 `2868b44cf91b59bca85cd886711d78cd3c376fab` through
-`83f6296c94e91fb53d088d0b53776de518b1389b`.
+`c27814d1901ec59fad510dfb5c57358dfa6525b1`.
 
 ## Support Stance
 
@@ -86,6 +88,9 @@ range, from
 
 - The stable install path remains anchored to v5.1.29 instead of accidentally
   resolving to a v6 RC from the fresh Proxmox LXC script path.
+- The root installer now filters stable-channel release resolution to stable
+  semver tags and downloads the installer from that stable release asset, so
+  the stable path does not follow an RC-shaped GitHub latest-release redirect.
 - The installer now checks available disk space before stopping the current
   service, so a low-space update should fail before interrupting a working
   install.
diff --git a/docs/releases/V6_CHANGELOG_RC3_DRAFT.md b/docs/releases/V6_CHANGELOG_RC3_DRAFT.md
index 327034bd0..cc1230295 100644
--- a/docs/releases/V6_CHANGELOG_RC3_DRAFT.md
+++ b/docs/releases/V6_CHANGELOG_RC3_DRAFT.md
@@ -24,10 +24,10 @@ The changelog was audited against every commit in the exact release range for
 the current candidate head:
 
 - `v6.0.0-rc.2`: `2868b44cf91b59bca85cd886711d78cd3c376fab`
-- candidate commit: `83f6296c94e91fb53d088d0b53776de518b1389b`
-- range: `v6.0.0-rc.2..83f6296c94e91fb53d088d0b53776de518b1389b`
-- commit count: `601`
-- changed scope: `1765` files, `113498` insertions, `72686` deletions
+- candidate commit: `c27814d1901ec59fad510dfb5c57358dfa6525b1`
+- range: `v6.0.0-rc.2..c27814d1901ec59fad510dfb5c57358dfa6525b1`
+- commit count: `603`
+- changed scope: `1765` files, `113745` insertions, `72725` deletions
 
 Those commits are grouped in this changelog rather than listed one by one. The
 range includes release/install/update work, security and trust-boundary
@@ -53,6 +53,9 @@ The release and installer changes in this candidate include:
   not leave a partially populated RC draft
 - clean VCS metadata inside released container images and release builds
 - Proxmox LXC stable installs do not accidentally fall through to a v6 RC
+- stable installer resolution ignores prerelease-shaped tags and downloads the
+  installer from the latest stable release asset instead of trusting GitHub's
+  floating latest-release redirect when an RC is current
 - low-disk updates fail before stopping the current service
 - installer bundle fallback logic works without relying on a missing external
   helper
diff --git a/docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md b/docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md
index e0aa0fd46..87e6a6c58 100644
--- a/docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md
+++ b/docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md
@@ -14,6 +14,9 @@ _Draft only. Use this as the working support brief for the planned
   readiness work into the v6 candidate before broader retesting.
 - Self-hosted SSO is included with Community and higher tiers. Do not describe
   SAML or multi-provider SSO as a Pro-only upgrade path for this RC.
+- Stable-channel installer resolution must stay on the latest stable semver
+  tag even if GitHub's floating latest-release redirect currently points at an
+  RC.
 - Systems pinned to the historical `rc.2` update trust root should use a manual
   reinstall or explicit trust migration for later prerelease or GA builds.
 
@@ -83,6 +86,8 @@ Use this cohort breakdown:
 - release artifact validation, draft metadata preservation, upload retries,
   signing, and clean version metadata are hardened for the RC path
 - stable install paths stay on v5.1.29 unless the user explicitly opts into v6
+- stable installer downloads resolve from the latest stable release asset
+  instead of accepting an RC-shaped latest-release redirect
 - installer disk preflight runs before stopping the current service
 - bootstrap-token display uses the supported command path
 - Docker agents in Proxmox LXC keep host identity after restart/recreation
diff --git a/scripts/release_control/render_release_body_test.py b/scripts/release_control/render_release_body_test.py
index d48760b09..da966d0d3 100644
--- a/scripts/release_control/render_release_body_test.py
+++ b/scripts/release_control/render_release_body_test.py
@@ -120,10 +120,11 @@ Old metadata section.
             repo_root / "docs/releases/V6_RC3_OPERATOR_SUPPORT_PACK_DRAFT.md"
         ).read_text(encoding="utf-8")
 
-        self.assertIn("83f6296c94e91fb53d088d0b53776de518b1389b", release_notes)
-        self.assertIn("commit count: `601`", changelog)
+        self.assertIn("c27814d1901ec59fad510dfb5c57358dfa6525b1", release_notes)
+        self.assertIn("commit count: `603`", changelog)
         self.assertIn("broad hardening RC with a corrective maintenance core", changelog)
         self.assertIn("Community-tier capabilities", release_notes)
+        self.assertIn("stable-channel release resolution", release_notes)
         self.assertIn("Release asset uploads use bounded retries", release_notes)
         self.assertIn(
             "release artifact validation, draft metadata preservation, upload retries",