fix(release): fix retry-sign-release artifact patterns + add missing jobs (MCP-2905) #718
Merged
…g jobs (MCP-2905)
- Fix stale artifact glob patterns that matched nothing:
    archive-* → versioned-personal-* and latest-personal-*
    (missing) → linux-packages-* (was never downloaded → no .deb/.rpm)
    installers-* OK but now also copies .deb/.rpm in Reorganize step
- Add missing jobs: update-homebrew, publish-linux-repos (with gh run download
  for linux-packages-* from original run_id)
- Add derived artifacts that primary release.yml produces:
    SBOM (SPDX JSON via anchore/sbom-action)
    CHANGELOG.md (git-cliff)
    checksums.txt (sha256sum)
    checksums.txt.cosign.bundle (cosign keyless)
- Add SLSA provenance job (generator_generic_slsa3 with upload-tag-name)
- Add asset parity assertion: fail loudly if release-files/ has <22 files
  before checksums/cosign steps run
- Add id-token: write permission for cosign + SLSA
- Update release body to include full Linux download table (matches release.yml)
- Update docs/release-runbook.md SPOF 2 recovery: prefer gh run rerun --failed
  (Option A) over the retry workflow; document Option B with corrected behavior

Fixes the v0.41.2 incident where the retry shipped only 6 assets (2 DMGs +
2 EXEs + 2 .pending markers) vs the expected 27.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Deploying mcpproxy-docs with

| Latest commit: | 463053f |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://15f5354b.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://fix-mcp-2905-retry-sign-rele.mcpproxy-docs.pages.dev |

Codecov Report: ✅ All modified and coverable lines are covered by tests.

📦 Build Artifacts
Workflow Run: View Run
Available Artifacts
How to Download
Option 1: GitHub Web UI (easiest)
Option 2: GitHub CLI
gh run download 27803374701 --repo smart-mcp-proxy/mcpproxy-go

APPROVE — Claude Code review: retry-sign artifact patterns now match release.yml uploads; SignPath config identical; asset-count assertion >=22 catches the v0.41.2 6-asset failure; actionlint clean. Non-blocking: prerelease guard dropped (fast-follow filed). MCP-2905.
# Conflicts: # docs/release-runbook.md
Problem

`.github/workflows/retry-sign-release.yml` silently produced an incomplete GitHub Release (6 assets instead of 27). Hit live during v0.41.2.

Root causes:

- `--pattern 'archive-*'` matched nothing — real artifact names are `versioned-personal-*` and `latest-personal-*`
- `linux-packages-*` never downloaded → no `.deb`/`.rpm` in release
- `update-homebrew` or `publish-linux-repos` jobs → Homebrew/apt/rpm stayed on old version

Changes

`retry-sign-release.yml`

- `release.yml`'s build job actually uploads:
  - `archive-*` → `versioned-personal-*` and `latest-personal-*`
  - `linux-packages-*` download (was never included)
- `.deb`/`.rpm` to `release-files/`)
- `release.yml` exactly):
  - `anchore/sbom-action` SPDX JSON)
  - `orhun/git-cliff-action`)
  - `checksums.txt` (sha256sum)
  - `checksums.txt.cosign.bundle` (cosign keyless, `id-token: write` added)
- `release-files/` has <22 files before checksums step
- `update-homebrew` job (copied from `release.yml`, uses `inputs.tag` instead of `github.ref_name`)
- `publish-linux-repos` job (uses `gh run download --pattern linux-packages-*` from original run_id, then flattens into `release-artifacts/` for `publish.sh`)
- `provenance` job (SLSA `generator_generic_slsa3` with `upload-tag-name: ${{ inputs.tag }}`)

`docs/release-runbook.md`

- `gh run rerun --failed` on original run) vs Option B (retry workflow, now documented as complete)

Testing

This is a CI workflow fix — direct execution testing requires a real SignPath timeout scenario. The artifact pattern change is verified by reading the names from `release.yml`'s `Upload versioned archive artifact` / `Upload latest archive artifact` / `Upload macOS installers artifact` / `Build Linux .deb and .rpm packages` steps.

The `update-homebrew` and `publish-linux-repos` jobs are character-for-character copies of the primary workflow's jobs with `${{ github.ref_name }}` → `${{ inputs.tag }}` substitutions verified by grep.

Acceptance criteria (from MCP-2905)

Closes MCP-2905
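
The asset parity assertion described above, extended with a per-extension check so that a download pattern matching nothing is reported by name before anything is hashed or signed. This is an added example, not the workflow's own step; the function names and the required-extension list (`dmg exe deb rpm`) are assumptions, while the 22-file minimum and `checksums.txt` come from the PR text.

```shell
# Added example: release asset parity guard (not the project's workflow code).
# Function names and the required-extension list are illustrative assumptions.

# count_files DIR [EXT]: print the number of regular files in DIR,
# optionally restricted to files named *.EXT
count_files() {
  if [ -n "${2:-}" ]; then
    find "$1" -maxdepth 1 -type f -name "*.$2" | wc -l | tr -d ' '
  else
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
  fi
}

# assert_release_assets DIR MIN EXT...
# Succeeds only if DIR holds at least MIN files and every EXT has >= 1 file.
# Reports every problem found instead of stopping at the first one.
assert_release_assets() {
  _dir=$1; _min=$2; _rc=0
  shift 2
  [ -d "$_dir" ] || { echo "::error::$_dir does not exist" >&2; return 1; }
  _total=$(count_files "$_dir")
  if [ "$_total" -lt "$_min" ]; then
    echo "::error::$_dir has $_total files, expected at least $_min" >&2
    _rc=1
  fi
  for _ext in "$@"; do
    if [ "$(count_files "$_dir" "$_ext")" -eq 0 ]; then
      echo "::error::no *.$_ext in $_dir (download pattern matched nothing?)" >&2
      _rc=1
    fi
  done
  return "$_rc"
}

# write_checksums DIR: hash the assets only after the guard has passed,
# so an incomplete set is never hashed and then signed.
write_checksums() {
  assert_release_assets "$1" 22 dmg exe deb rpm || return 1
  (
    cd "$1" || exit 1
    for f in *; do
      if [ -f "$f" ] && [ "$f" != checksums.txt ]; then sha256sum -- "$f"; fi
    done > checksums.txt
  )
}
```

A raw file count alone would pass a directory padded with the wrong kind of file; the per-extension loop is what ties a failure back to a specific download pattern.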