Skip to content

chore(release): promote develop → main (week of 2026-06-29)#284

Merged
saadqbal merged 4 commits into
mainfrom
develop
Jul 1, 2026
Merged

chore(release): promote develop → main (week of 2026-06-29)#284
saadqbal merged 4 commits into
mainfrom
develop

Conversation

@aptracebloc

@aptracebloc aptracebloc commented Jun 26, 2026

Copy link
Copy Markdown

Release promotion: developmain

Opened ahead of the staging release week of Mon 2026-06-29 to start Bugbot review early and surface issues before the cutover. Head is develop, so any PRs that merge in before the release will update this PR's head and re-trigger Bugbot automatically.

Delta (2 commit(s) ahead of main)

Initial snapshot — will change as more lands on develop.

Files changed

 .github/workflows/installer-tests.yaml    |  14 +-
 .github/workflows/release-helm-chart.yaml | 125 ++++++++++++
 README.md                                 |   2 +-
 docs/SECURITY.md                          |  52 +++++
 docs/SUPPLY_CHAIN.md                      | 173 +++++++++++++++++
 scripts/gen-manifest.sh                   | 107 ++++++++++
 scripts/install-k8s.sh                    |  34 +++-
 scripts/install.sh                        | 311 +++++++++++++++++++++++++++++-
 scripts/lib/common.sh                     |  10 +-
 scripts/lib/install-cli.sh                |   5 +-
 scripts/lib/install-client-helm.sh        |  22 ++-
 scripts/lib/provision.sh                  | 120 ++++++++++++
 scripts/manifest.sha256                   |  15 ++
 scripts/tests/install-bootstrap.bats      | 205 ++++++++++++++++++++
 scripts/tests/install-client-helm.bats    |  22 +++
 scripts/tests/provision.bats              | 135 +++++++++++++
 16 files changed, 1322 insertions(+), 30 deletions(-)

Note

High Risk
Changes the most privileged install path (credential mint, Helm, verified downloads) and release signing; mistakes could block installs or weaken supply-chain guarantees until the first signed release is validated.

Overview
Hardens the curl | bash bootstrap so sub-scripts are fetched only from immutable vX.Y.Z tags, checked against manifest.sha256, and the manifest is verified with cosign keyless before any privileged work runs; installs fail closed without cosign or a valid signature unless TRACEBLOC_ALLOW_UNVERIFIED=1. Adds gen-manifest.sh, committed manifest.sha256, ref/path guards, cosign bootstrap, and bats coverage in install-bootstrap.bats.

Release and CI: a sign-installer-manifest job on chart release generates and signs the manifest, stamps install.sh for the tag (safe substitution), self-tests, and attaches installer + manifest assets; installer-tests runs gen-manifest.sh --check and shellchecks gen-manifest.sh. Docs: docs/SUPPLY_CHAIN.md, README, and docs/SECURITY.md (G8).

Install flow (#838): new provision.sh runs Step 3 — CLI install, browser login, client createbefore Helm so minted credentials and namespace feed the chart; dual-mode (env/values) unchanged. install-k8s.sh adds guarded sourcing, INT/TERM traps, and cleanup of transient credential files; Helm step renumbering plus jq-free helm list for the one-client guard and in-place upgrade when the same client lives in another namespace.

Reviewed by Cursor Bugbot for commit b403f4e. Bugbot is set up for automated code reviews on this repo. Configure here.

LukasWodka and others added 2 commits June 24, 2026 17:42
… (#838) (#279)

* feat(installer): reorder — sign in + provision the client before Helm (#838)

RFC-0001 §6.4 / #838: move CLI install + `tracebloc login` + `tracebloc client
create` to run BEFORE the Helm install, so the minted credential + derived namespace
feed the chart. A new Step 3 (provision_client) sits between create_cluster and
install_client_helm.

- scripts/lib/provision.sh (new): provision_client + _provisioning_preset.
  - Browser-auth path: install the CLI (now FATAL — it mints the credential, vs the
    old non-fatal post-Helm Step 5), `tracebloc login` (device flow), `client create
    --credential-file` -> source the 0600 file -> export TRACEBLOC_CLIENT_ID/PASSWORD/
    TB_NAMESPACE into install_client_helm's existing non-interactive env contract. The
    credential is never printed; the transient file is removed after sourcing AND on
    any error/signal (install_cleanup backstop via _PROVISION_CRED_FILE) so a failed
    mint never leaves a secret-bearing file behind.
  - Adopt (re-run): no fresh credential — hand only TB_NAMESPACE and let
    install_client_helm reconcile the existing release from values.yaml.
  - DUAL-MODE preserved: TRACEBLOC_VALUES_FILE / pre-supplied TRACEBLOC_CLIENT_ID+
    PASSWORD skip sign-in (still installs the CLI, non-fatal). Unattended installs use
    this path (device-flow login is interactive; an enroll-token login is a follow-up).
- install-k8s.sh: source provision.sh (guarded for stale bootstraps); call
  provision_client before install_client_helm; drop the trailing non-fatal CLI install
  (now done in Step 3). install.sh: fetch provision.sh.
- common.sh: renumber the print_roadmap steps to match (3 sign-in/provision, 4 install,
  5 connect); install_cleanup removes the transient credential file on any exit.
- Renumbered the step headers (provision=3, install=4, connect=5); dropped the step
  heading from install_tracebloc_cli (the caller owns it now).

Tests: scripts/tests/provision.bats (8) — dual-mode skip (creds + values), mint hands
all three env vars, adopt hands only namespace, fatal on missing CLI / failed login /
no credential file, and a failed create leaves no credential file behind. install-cli +
install-client-helm + common (install_cleanup) suites still green (the 2 pre-existing
local-env failures — validate_config + _extract_yaml '' — fail on develop too,
unrelated). shellcheck clean on provision.sh.

Depends on cli `client create --credential-file` (cli#104, merged) + a CLI release that
ships login+create; install-cli.sh fetches releases/latest.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(installer): harden #838 credential handling + step-numbering consistency

Folds PR #279 review hardening into the provision-before-Helm reorder:

- provision.sh: run `client create` under `umask 077` so the credential file
  lands 0600 even if a future CLI build regresses on its explicit chmod
  (defense in depth; cli#104 already sets 0600).
- provision.sh: clear TRACEBLOC_CLIENT_ID/PASSWORD/TB_NAMESPACE/ADOPTED before
  sourcing the credential file. The mint case does not write ADOPTED, so a
  stale ADOPTED=1 in the environment would otherwise misroute a fresh mint into
  the adopt branch and drop the just-minted credential. Regression test added.
- install-k8s.sh: trap SIGINT/SIGTERM -> exit so the EXIT-trap credential shred
  always runs on Ctrl-C; the brief mint->source window no longer risks leaving
  the 0600 secret on disk.
- install-k8s.sh: fix leftover "Step 1/4"/"Step 2/4" headers to /5 (the step()
  calls already pass 5; the #838 renumber missed these two).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(installer): resolve PR #279 review — CLI-capability fallback + in-place namespace reconcile

Addresses the two review comments on the provision-before-Helm reorder:

- provision.sh (release-sequencing gate): probe the installed CLI for `login`
  + `client create` (cli#104) before taking the browser-auth path. The CLI is
  pulled from the latest RELEASE, which can lag this installer; if it's too old,
  fall back to the proven manual-credential path (install_client_helm prompts)
  instead of hard-failing on an unknown `tracebloc login`. Makes the reorder safe
  regardless of CLI-release timing — the browser flow auto-engages once the
  release lands. Regression test added.

- install-client-helm.sh (duplicate-release on re-run): when the SAME client is
  already installed under a different namespace (e.g. an old installer's fixed
  `tracebloc` ns vs. the #838 minted slug), upgrade that release in place instead
  of forking a second one under the new namespace — a silent fork would
  double-book host capacity and orphan the original. Reuses the guard's
  existing_ns. Regression test added.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Asad Iqbal <asad.dsoft@gmail.com>
…ly-chain

feat(installer): immutable-tag pin + signed sub-script manifest for the curl|bash bootstrap (RFC-0001 R8)
@aptracebloc aptracebloc requested a review from saadqbal as a code owner June 26, 2026 11:52
Comment thread scripts/install-k8s.sh
* fix: install the CLI on the stale-bootstrap path in install-k8s.sh

Bugbot (promotion PR #284): CLI installation now runs only inside
provision_client, but the orchestrator only calls it when provision.sh was
fetched. A stale bootstrap that fetched install-cli.sh but not provision.sh
completes without ever installing the CLI (unlike the old post-Helm Step 5).
Add an elif fallback that calls install_tracebloc_cli (non-fatal) when
provision_client is absent.

- Stale bootstrap skips CLI install (scripts/install-k8s.sh:121)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore: regenerate scripts/manifest.sha256 for install-k8s.sh change

The supply-chain manifest pins the digest of every script the bootstrap
fetches; editing install-k8s.sh changed its hash.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: shujaat hasan <shujaathasan@shujaats-MacBook-Pro.local>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 311a950. Configure here.

Comment thread scripts/lib/install-client-helm.sh
saadqbal
saadqbal previously approved these changes Jul 1, 2026

@saadqbal saadqbal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the promotion:

  • The E2E auth-proxy (squid) red was a flake, not a regression from this promotion — e2e-proxy.sh is byte-identical on main/v1.8.0/develop, it's green on main and on #285, and §4 produced no CONNECT tunnel (a squid connect race). It cleared green on the re-run here.
  • Folded in #285 so #279's stale-bootstrap CLI-install gap (the Bugbot finding) ships fixed rather than as a follow-up.

Green apart from the advisory FR gate. Good to promote 👍

…#284) (#286)

Second Bugbot finding on the develop→main promotion (#284). The
one-client-per-machine guard in install_client_helm enumerated
client-chart releases with `helm list -A -o json | jq`, falling back —
when jq is absent — to reading values for only the minted TB_NAMESPACE.
Post-#838 TB_NAMESPACE is the client slug, not the historical fixed
`tracebloc` namespace, so on a jq-less host the fallback missed an
existing `tracebloc` release and forked a SECOND helm release under the
slug — double-booking the host, the exact fork the guard exists to
prevent. jq is not a guaranteed prerequisite (preflight never checks or
installs it; it is used nowhere else in the installer).

Replace the jq path + single-namespace fallback with one jq-free
enumeration across ALL namespaces: `helm list -A` + awk on the
NAME/NAMESPACE columns, matching client-<ver> in the CHART column — the
same jq-free parse _chart_version already uses. Removes the jq
dependency and the fallback divergence that caused the bug.

- install-client-helm.sh: jq-free `helm list -A | awk` enumeration.
- manifest.sha256: regenerated for the changed script (the R8 bootstrap
  verifies each fetched sub-script against it).
- install-client-helm.bats: the 3 guard tests now mock tabular `helm
  list` output (was JSON for the jq path); new regression test proves
  the different-namespace reconcile works with jq reported absent
  (fails on the old fallback, passes here).

shellcheck clean; gen-manifest.sh --check passes; bats green (the one
pre-existing _extract_yaml '' failure is a local macOS bash 3.2 quirk,
green in CI, unrelated).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

@saadqbal saadqbal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approving after the develop re-sync (my earlier approval was dismissed by the head change). Both Bugbot findings are now fixed and merged — #285 (stale-bootstrap CLI) and #286 (jq-free one-client guard) — and Bugbot's re-review on this head is clean. auth-proxy green, all CI green. FR cards advanced to Ready for prod. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants