fix(ci): robust artifact and release stabilization against flakes #99

Merged
tomtastisch merged 3 commits into main from codex/fix/ci-release-flake-hardening
Feb 19, 2026

Conversation

tomtastisch (Owner) commented Feb 19, 2026

Goal & scope

This PR hardens CI/release stability against external platform flakes (artifact 403s, API transients) and reduces false negatives in the NuGet post-publish convergence check, without giving up the fail-closed principle.

Completed tasks (checked off)

  • New retry downloader for CI artifacts implemented: tools/ci/bin/download_artifacts_with_retry.sh.
  • summary job in /.github/workflows/ci.yml switched from 13 individual download-artifact steps to the robust retry download.
  • Least privilege extended: actions: read in the CI workflow for gh run download.
  • Release workflow hardened against non-critical artifact upload flakes (continue-on-error for evidence uploads).
  • GitHub release upsert made robust with retry + backoff + reason codes (tools/ci/release/upsert_github_release.sh).
  • Gate4 NuGet verification extended with a stable V2 download check (tools/ci/verify_nuget_release.sh).
  • Gate4 wrapper switched to a less fragile default signal (registration/flatcontainer optional, V2 download blocking).

Review follow-ups (iterative)

  • Comment and behaviour in Gate4 documented against operational reality (eventual consistency / false negatives).
  • All changes assessed as fail-closed (no silent bypass for blocker-relevant functional checks).
  • Script syntax verified for all affected shell scripts.

Security and merge gates

  • Required checks are waited for to be fully green before merge.
  • The live API call in the release upsert now has deterministic retry/reason logic.
  • security/code-scanning/tools: the mandatory target for merge remains 0 open alerts.

Evidence (auditable)

  • bash -n tools/ci/bin/download_artifacts_with_retry.sh
  • bash -n tools/ci/release/upsert_github_release.sh
  • bash -n tools/ci/release/gate4_verify_postpublish.sh
  • bash -n tools/ci/verify_nuget_release.sh
  • GITHUB_REPOSITORY=tomtastisch/FileClassifier bash tools/ci/bin/download_artifacts_with_retry.sh 22144970647 "ci-build=<tmp>" "ci-pack=<tmp>"
  • EXPECTED_VERSION=5.2.1 PKG_ID=Tomtastisch.FileClassifier PKG_VER=5.2.1 VERIFY_ONLINE=1 REQUIRE_SEARCH=0 REQUIRE_REGISTRATION=0 REQUIRE_FLATCONTAINER=0 REQUIRE_V2_DOWNLOAD=1 RETRY_COUNT=2 RETRY_SLEEP_SECONDS=1 bash tools/ci/verify_nuget_release.sh
  • Diff files: /.github/workflows/ci.yml, /.github/workflows/release.yml, /tools/ci/release/upsert_github_release.sh, /tools/ci/release/gate4_verify_postpublish.sh, /tools/ci/verify_nuget_release.sh, /tools/ci/bin/download_artifacts_with_retry.sh

DoD (at least 2 per item)

Item | DoD A | DoD B | Status
Artifact download robustness in CI | summary job uses the retry downloader instead of individual downloads | retry script run locally against real run artifacts, successfully | [x]
Release API robustness | upsert script contains retry/backoff/reason codes (`auth rate-limit network | |
NuGet convergence stability | verify_nuget_release.sh supports REQUIRE_V2_DOWNLOAD | V2 download check for 5.2.1 demonstrated successfully | [x]

  • Review follow-up: require_v2_download added to the JSON summary.
  • Review follow-up: V2 download URL switched to the lowercase package id.
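The retry/backoff/reason-code pattern the description attributes to the upsert script, the artifact downloader and the V2 download check can be illustrated with a small wrapper. The block below is an added example written for this page; it is not any of the FileClassifier project's own scripts, and the function names (classify_http_status, should_retry, retry_with_backoff, fake_server) and the exact mapping of HTTP status codes to the reason codes auth / rate-limit / network / 5xx are assumptions of the example, not taken from the repository. It keeps the fail-closed property the PR emphasises: an auth failure is reported immediately and never retried, a transient failure is retried with exponential backoff up to a bounded number of attempts, and exhausting the attempts still fails with the last reason code rather than silently passing. fake_server is a constructed stand-in for a real request so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Retry wrapper with reason codes.

# classify_http_status STATUS -> prints a reason code for one attempt.
# The status-to-reason mapping is an assumption of this example.
classify_http_status() {
  case "$1" in
    401|403) echo "auth" ;;          # not transient: fail fast, no retry
    429)     echo "rate-limit" ;;    # transient: back off and retry
    000)     echo "network" ;;       # curl convention: no HTTP answer at all
    5??)     echo "5xx" ;;           # server-side transient
    2??)     echo "ok" ;;
    *)       echo "client-error" ;;  # 4xx other than auth/rate-limit: not retried
  esac
}

# should_retry REASON -> exit 0 only for reasons considered transient.
should_retry() {
  case "$1" in
    rate-limit|network|5xx) return 0 ;;
    *) return 1 ;;
  esac
}

# retry_with_backoff MAX_ATTEMPTS BASE_SLEEP CMD...
# CMD is invoked with the attempt number appended and must print an HTTP
# status code (as `curl -s -o /dev/null -w '%{http_code}'` would).
# Prints "<reason> <attempts-used>" and returns 0 on success, 1 otherwise,
# so callers stay fail-closed: exhausted retries are still a failure.
retry_with_backoff() {
  local max="$1" base="$2"
  shift 2
  local attempt=1 status reason sleep_for
  while :; do
    status="$("$@" "$attempt")" || status="000"
    reason="$(classify_http_status "$status")"
    if [ "$reason" = "ok" ]; then
      echo "ok $attempt"
      return 0
    fi
    if ! should_retry "$reason" || [ "$attempt" -ge "$max" ]; then
      echo "$reason $attempt"
      return 1
    fi
    # Exponential backoff: base, 2*base, 4*base, ...
    sleep_for=$(( base * (1 << (attempt - 1)) ))
    sleep "$sleep_for"
    attempt=$((attempt + 1))
  done
}

# Constructed stand-in for a real endpoint: prints the N-th status code from
# its argument list, where N is the attempt number retry_with_backoff appends.
fake_server() {
  local n
  for n; do :; done          # n = last argument = attempt number
  shift $((n - 1))
  printf '%s\n' "$1"
}

# Stand-alone demo with a constructed status sequence: `bash this.sh --demo`
# prints "ok 3" (503, then 429, then 200).
if [ "${1:-}" = "--demo" ]; then
  retry_with_backoff 4 1 fake_server 503 429 200
fi
```

A real caller would wrap `curl` (or `gh api`) in place of fake_server and branch on the printed reason code, for example to emit it into a job summary; the important design choice is that only explicitly transient reasons are retried and everything else, including running out of attempts, surfaces as a failure.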

Copilot AI review requested due to automatic review settings February 19, 2026 13:30
@github-actions github-actions bot added area:pipeline area:tooling fix Bugfix impl:config versioning:patch Fix/Refactor/Docs/CI/Tooling; requires PATCH bump labels Feb 19, 2026

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4aa27593b6


Copilot AI (Contributor) left a comment

Pull request overview

This PR enhances CI/Release pipeline stability by adding retry mechanisms and adjusting verification strategies to handle transient platform failures ("flakes") while maintaining fail-closed behavior.

Changes:

  • Introduces robust artifact download mechanism with exponential backoff retry for CI summary job
  • Implements GitHub Release API retry logic with reason classification (auth/rate-limit/network/5xx)
  • Shifts NuGet post-publish verification from slower registration endpoint to more reliable V2 download endpoint

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.

Summary per file

File | Description
tools/ci/bin/download_artifacts_with_retry.sh | New retry-enabled artifact downloader with exponential backoff (6 attempts by default)
.github/workflows/ci.yml | Refactors summary job from 13 individual download-artifact actions to single retry script; adds actions: read permission
.github/workflows/release.yml | Makes evidence artifact uploads non-blocking with continue-on-error: true
tools/ci/release/upsert_github_release.sh | Adds retry/backoff with reason classification; fails fast on auth errors
tools/ci/release/gate4_verify_postpublish.sh | Changes defaults: registration=0, flatcontainer=0, v2_download=1 to use more stable endpoint
tools/ci/verify_nuget_release.sh | Implements V2 download check via /api/v2/package endpoint with retry support

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:40

  • Incomplete artifact upload configuration: The tag-gate artifact upload has continue-on-error: true added on line 40, but the if-no-files-found parameter on line 43 (visible in context, not shown in diff) still uses error. This is inconsistent with the attestation verification artifact upload (lines 223-228) which correctly changes both settings. When making an artifact upload non-blocking with continue-on-error: true, the if-no-files-found should also be changed to warn to ensure the step doesn't fail if no files are found. Otherwise, the combination could still cause the step to fail, which contradicts the intent of making it non-blocking for flake resilience.
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4

@tomtastisch tomtastisch merged commit 0cb15c7 into main Feb 19, 2026
26 checks passed
@tomtastisch tomtastisch deleted the codex/fix/ci-release-flake-hardening branch February 19, 2026 13:48