You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
snap-package.yml is only called from the release workflows and combines snap build/pack with Snap Store upload. As a result, PRs that change snap packaging, snapcraft input layout, or workflow copy paths do not validate the snap pack path before merge.
Split PR-safe snap validation from release publishing:
Add a PR-safe workflow or job that builds/packs the snap without Snap Store credentials, deployment environments, or snapcraft upload.
Reuse the same binary artifact layout and snap/prebuilt/ assembly path as the release workflow where practical.
Consider factoring shared snap input assembly into a script or reusable action so PR and release validation exercise the same logic.
Start with amd64-only PR validation to control runtime and runner cost. Keep the full amd64/arm64 matrix for release workflows.
Keep release workflows responsible for publishing to latest/edge and latest/stable using SNAPCRAFT_STORE_CREDENTIALS.
A cheap static packaging asset check may also be useful. For example, validate that workflow copy sources exist and that the files required by snapcraft.yaml are produced by the snap assembly step.
Alternatives Considered
Keep validating only in release workflows. This misses packaging regressions until after merge.
Add snap-package.yml directly to pull_request. This is not appropriate as-is because the workflow currently requires release credentials/environments and always uploads to the Snap Store.
Add only static checks. This catches stale paths, but does not prove snapcraft pack still works.
Agent Investigation
snap-package.yml currently has only on: workflow_call.
It is called from release-dev.yml and release-tag.yml.
It requires publish-credentials, mapped to SNAPCRAFT_STORE_CREDENTIALS.
It always runs snapcraft upload --release ....
It depends on release workflow artifacts named cli-linux-*, gateway-binary-linux-*, and supervisor-binary-linux-*.
Run 27299497855 showed fix(ci): pin snap artifact downloads to valid action #1855 fixed action resolution, then the snap job failed later during Prepare snap build directory due to the stale deploy/snap/bin/openshell-gateway-wrapper path.
Problem Statement
snap-package.ymlis only called from the release workflows and combines snap build/pack with Snap Store upload. As a result, PRs that change snap packaging, snapcraft input layout, or workflow copy paths do not validate the snap pack path before merge.Recent release failures showed this gap:
actions/download-artifactpin, but the failure was only caught on themainrelease workflow.snap/prebuilt/.Proposed Design
Split PR-safe snap validation from release publishing:
snapcraft upload.snap/prebuilt/assembly path as the release workflow where practical.latest/edgeandlatest/stableusingSNAPCRAFT_STORE_CREDENTIALS.A cheap static packaging asset check may also be useful. For example, validate that workflow copy sources exist and that the files required by
snapcraft.yamlare produced by the snap assembly step.Alternatives Considered
snap-package.ymldirectly topull_request. This is not appropriate as-is because the workflow currently requires release credentials/environments and always uploads to the Snap Store.snapcraft packstill works.Agent Investigation
snap-package.ymlcurrently has onlyon: workflow_call.release-dev.ymlandrelease-tag.yml.publish-credentials, mapped toSNAPCRAFT_STORE_CREDENTIALS.snapcraft upload --release ....cli-linux-*,gateway-binary-linux-*, andsupervisor-binary-linux-*.27299497855showed fix(ci): pin snap artifact downloads to valid action #1855 fixed action resolution, then the snap job failed later duringPrepare snap build directorydue to the staledeploy/snap/bin/openshell-gateway-wrapperpath.