From b273ca3af5dda8bb440ade60b71d5076b4266846 Mon Sep 17 00:00:00 2001 From: Jeffrey Aven Date: Fri, 26 Jun 2026 18:57:51 +1000 Subject: [PATCH 1/4] Fix R2 sync region: force AWS_REGION=auto for Cloudflare endpoint The configure-aws-credentials step exports AWS_REGION=us-west-1 into the job env for the S3 artifact publish. The AWS CLI prefers AWS_REGION over AWS_DEFAULT_REGION, so the R2 sync inherited us-west-1 and R2 rejected it (InvalidRegionName; R2 only accepts auto/wnam/enam/...). Override AWS_REGION=auto in the step env and pass --region auto explicitly (CLI flag wins regardless of env precedence) on both the dev and prod sync steps. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 09c62c28..2706cccf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -184,16 +184,17 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} AWS_SESSION_TOKEN: "" AWS_DEFAULT_REGION: auto + AWS_REGION: auto R2_BUCKET: stackql-provider-registry-dev run: | # version-pinned .tgz are immutable -> --size-only keeps R2 ops low and skips re-uploads aws s3 sync "${REG_WEBSITE_DIR}/${REG_PROVIDER_PATH}" "s3://${R2_BUCKET}/${REG_PROVIDER_PATH}" \ --endpoint-url "https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com" \ - --size-only --delete --no-progress + --region auto --size-only --delete --no-progress # providers.yaml can change without changing size -> always overwrite it aws s3 cp "${REG_WEBSITE_DIR}/${REG_PROVIDER_PATH}/providers.yaml" "s3://${R2_BUCKET}/${REG_PROVIDER_PATH}/providers.yaml" \ --endpoint-url "https://${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com" \ - --no-progress + --region auto --no-progress - name: "[DEPLOY-CF] sync docs to R2 (prod)" if: env.REG_TARGET_BRANCH == 'main' && env.REG_EVENT == 'push' @@ -202,6 +203,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }} AWS_SESSION_TOKEN: "" AWS_DEFAULT_REGION: auto + AWS_REGION: auto R2_BUCKET: stackql-provider-registry run: | aws s3 sync "${REG_WEBSITE_DIR}/${REG_PROVIDER_PATH}" "s3://${R2_BUCKET}/${REG_PROVIDER_PATH}" \ From 402fb270eb9fc8671da8d6afbe84657de7aec4e0 Mon Sep 17 00:00:00 2001 From: Jeffrey Aven Date: Fri, 26 Jun 2026 19:09:21 +1000 Subject: [PATCH 2/4] CI: gate heavy analysis workflows on PR only, not on branch push AOT Provider Analysis (aot.yml) and Integration Testing and Analysis (regression.yml) are merge gates. They ran on both pull_request and push to main/dev, so every merge re-ran the same expensive suite that already passed on the PR. Drop the branch entries from their push triggers, keeping pull_request (the gate) and the tag triggers (aot*/robot*/regression*/integration* on-demand runs). No push/main-only publish exists in either workflow - their publish steps are gated on IS_TAG/ref_type == 'tag', which is unaffected. main.yml is unchanged: it must run on push to deploy, and its heavy steps are already gated on NUM_PROVIDERS > 0. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/aot.yml | 11 +++++------ .github/workflows/regression.yml | 13 ++++++------- 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/.github/workflows/aot.yml b/.github/workflows/aot.yml index 967c882f..0330ed04 100644 --- a/.github/workflows/aot.yml +++ b/.github/workflows/aot.yml @@ -6,9 +6,8 @@ on: - main - dev push: - branches: - - main - - dev + # branch pushes (merges) are not re-tested here; the pull_request run above is + # the merge gate. Tag pushes still trigger explicit on-demand analysis. tags: - aot* @@ -42,7 +41,7 @@ jobs: REG_DENO_DEPLOY_API_PROD: stackql-registry steps: - - uses: actions/checkout@v4.1.1 + - uses: actions/checkout@v7 name: "[SETUP] checkout repo" with: fetch-depth: 0 @@ -56,7 +55,7 @@ jobs: id: go - name: Download core - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v7 with: repository: ${{ env.STACKQL_CORE_REPOSITORY }} ref: ${{ env.STACKQL_CORE_REF }} @@ -64,7 +63,7 @@ jobs: path: stackql-core - name: Download any-sdk - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v7 with: repository: ${{ env.STACKQL_ANY_SDK_REPOSITORY }} ref: ${{ env.STACKQL_ANY_SDK_REF }} diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 5ed2dc10..1089895b 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -6,9 +6,8 @@ on: - main - dev push: - branches: - - main - - dev + # branch pushes (merges) are not re-tested here; the pull_request run above is + # the merge gate. Tag pushes still trigger explicit on-demand analysis. tags: - robot* - regression* @@ -32,7 +31,7 @@ jobs: steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v7 with: repository: ${{ env.STACKQL_CORE_REPOSITORY }} ref: ${{ env.STACKQL_CORE_REF }} @@ -86,7 +85,7 @@ jobs: REG_DENO_DEPLOY_API_PROD: stackql-registry steps: - - uses: actions/checkout@v4.1.1 + - uses: actions/checkout@v7 name: "[SETUP] checkout repo" with: fetch-depth: 0 @@ -100,7 +99,7 @@ jobs: id: go - name: Download core - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v7 with: repository: ${{ env.STACKQL_CORE_REPOSITORY }} ref: ${{ env.STACKQL_CORE_REF }} @@ -108,7 +107,7 @@ jobs: path: stackql-core - name: Download any-sdk - uses: actions/checkout@v4.1.1 + uses: actions/checkout@v7 with: repository: ${{ env.STACKQL_ANY_SDK_REPOSITORY }} ref: ${{ env.STACKQL_ANY_SDK_REF }} From 696fed4f3c44dc539de682edcb707a980ad7d682 Mon Sep 17 00:00:00 2001 From: Jeffrey Aven Date: Fri, 26 Jun 2026 19:13:54 +1000 Subject: [PATCH 3/4] ci updates --- .github/workflows/aot.yml | 6 +++--- .github/workflows/main.yml | 4 ++-- .github/workflows/regression.yml | 16 ++++++++-------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/aot.yml b/.github/workflows/aot.yml index 0330ed04..6519c867 100644 --- a/.github/workflows/aot.yml +++ b/.github/workflows/aot.yml @@ -47,7 +47,7 @@ jobs: fetch-depth: 0 - name: Set up Go 1.x - uses: actions/setup-go@v5.0.0 + uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -71,7 +71,7 @@ jobs: path: stackql-any-sdk - name: Setup Python - uses: actions/setup-python@v5.0.0 + uses: actions/setup-python@v6 with: python-version: '3.12' @@ -142,7 +142,7 @@ jobs: fi - name: Upload AOT analysis logs - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 if: always() with: name: aot_analysis_logs_${{ github.event.repository.name }}_${{ github.run_id }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2706cccf..3d9488f4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -30,7 +30,7 @@ jobs: REG_DENO_DEPLOY_API_PROD: stackql-registry steps: - - uses: actions/checkout@v4.1.1 + - uses: actions/checkout@v7 name: "[SETUP] checkout repo" with: fetch-depth: 0 @@ -67,7 +67,7 @@ jobs: - name: '[PACKAGE] set up golang' if: env.NUM_PROVIDERS > 0 - uses: actions/setup-go@v5.0.0 + uses: actions/setup-go@v6 with: go-version: ^1.19 check-latest: true diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 1089895b..97ff9df0 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -39,7 +39,7 @@ jobs: path: stackql-core-pkg - name: Setup Python - uses: actions/setup-python@v5.0.0 + uses: actions/setup-python@v6 with: cache: pip python-version: '3.12' @@ -60,7 +60,7 @@ jobs: cicd/util/01-build-robot-lib.sh - name: Upload python package artifact - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 with: name: python-package-dist-folder path: stackql-core-pkg/test/dist @@ -91,7 +91,7 @@ jobs: fetch-depth: 0 - name: Set up Go 1.x - uses: actions/setup-go@v5.0.0 + uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} check-latest: true @@ -115,7 +115,7 @@ jobs: path: stackql-any-sdk - name: Setup Python - uses: actions/setup-python@v5.0.0 + uses: actions/setup-python@v6 with: python-version: '3.12' @@ -275,7 +275,7 @@ jobs: python3 scripts/cicd/python/robot-parse.py --robot-output-file stackql-core/test/robot/reports/output.xml > stackql-core/test/robot/reports/proxied_parsed_output.json - name: Upload core traffic lights - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 if: success() with: name: proxied-core-traffic-lights @@ -314,7 +314,7 @@ jobs: python3 scripts/cicd/python/robot-parse.py --robot-output-file test/robot/reports/mocked/output.xml > test/robot/reports/mocked/parsed_output.json - name: Upload local registry mocked traffic lights - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 if: success() with: name: local-registry-mocked-traffic-lights @@ -351,7 +351,7 @@ jobs: python3 scripts/cicd/python/robot-parse.py --robot-output-file test/robot/reports/readonly/output.xml > test/robot/reports/readonly/parsed_output.json - name: Upload readonly traffic lights - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 if: success() with: name: local-registry-readonly-traffic-lights @@ -380,7 +380,7 @@ jobs: python3 scripts/cicd/python/robot-parse.py --robot-output-file test/robot/reports/readwrite/output.xml > test/robot/reports/readwrite/parsed_output.json - name: Upload readonly traffic lights - uses: actions/upload-artifact@v4.3.1 + uses: actions/upload-artifact@v7 if: success() with: name: local-registry-readwrite-traffic-lights From ad96630f2030dbf7d82b9235951be0f7a85f4d4a Mon Sep 17 00:00:00 2001 From: Jeffrey Aven Date: Fri, 26 Jun 2026 19:19:52 +1000 Subject: [PATCH 4/4] CI: bump GO_VERSION to stable for core builds (needs go >= 1.25.3) stackql-core is built from main and its go.mod now requires go >= 1.25.3, but the workflows requested ~1.22. The newer setup-go (bumped to silence Node 20 warnings) sets GOTOOLCHAIN=local, so it would not auto-download a newer toolchain and the "Build stackql from core source" step failed with "go.mod requires go >= 1.25.3 (running go 1.22.12)". Use GO_VERSION: stable in aot.yml and regression.yml. go.mod requirements only ever name released Go versions, so the latest stable always satisfies them (including future core bumps) and works with GOTOOLCHAIN=local. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/aot.yml | 2 +- .github/workflows/regression.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/aot.yml b/.github/workflows/aot.yml index 6519c867..17dddb47 100644 --- a/.github/workflows/aot.yml +++ b/.github/workflows/aot.yml @@ -13,7 +13,7 @@ on: env: IS_TAG: ${{ github.ref_type == 'tag' }} - GO_VERSION: '~1.22' + GO_VERSION: 'stable' # stackql-core (built from main) tracks recent Go; stable always satisfies its go.mod STACKQL_CORE_REPOSITORY: ${{ vars.STACKQL_CORE_REPOSITORY != '' && vars.STACKQL_CORE_REPOSITORY || 'stackql/stackql' }} STACKQL_CORE_REF: ${{ vars.STACKQL_CORE_REF != '' && vars.STACKQL_CORE_REF || 'main' }} STACKQL_ANY_SDK_REPOSITORY: ${{ vars.STACKQL_ANY_SDK_REPOSITORY != '' && vars.STACKQL_ANY_SDK_REPOSITORY || 'stackql/any-sdk' }} diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 97ff9df0..da1282eb 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -15,7 +15,7 @@ on: env: IS_TAG: ${{ github.ref_type == 'tag' }} - GO_VERSION: '~1.22' + GO_VERSION: 'stable' # stackql-core (built from main) tracks recent Go; stable always satisfies its go.mod STACKQL_CORE_REPOSITORY: ${{ vars.STACKQL_CORE_REPOSITORY != '' && vars.STACKQL_CORE_REPOSITORY || 'stackql/stackql' }} STACKQL_CORE_REF: ${{ vars.STACKQL_CORE_REF != '' && vars.STACKQL_CORE_REF || 'main' }} STACKQL_ANY_SDK_REPOSITORY: ${{ vars.STACKQL_ANY_SDK_REPOSITORY != '' && vars.STACKQL_ANY_SDK_REPOSITORY || 'stackql/any-sdk' }}