fix(ci): smoke test accepts http:// on Pages 301 hop #506
Merged
Phase 4a-APT's first rerun of update-apt-repo succeeded all the way through strip + push (v2.0.3 metadata is live on gh-pages now), but the smoke test failed at hop 0:

    Hop 0: 301 https://aaddrick.github.io/.../*.deb -> http://pkg.claude-desktop-debian.dev/.../*.deb
    Hop 0 mismatch: expected https://pkg..., got http://pkg...

Pages emits http:// in the Location header because https_enforced is unsettable on the repo's Pages config: DNS for pkg.<domain> points at Cloudflare (Worker custom_domain), so Pages can never pass domain verification to provision its own cert. Cloudflare serves both schemes for pkg.<domain>, so the http vs https in Pages' redirect is cosmetic — the chain still terminates correctly.

Relax hop 0's regex in both smoke tests (update-apt-repo, update-dnf-repo) and the heartbeat workflow to accept https?://. Later hops stay https-only since GitHub's Release-asset redirects are always HTTPS.

Failure was the tail-end of run 24836419696's rerun:
https://github.com/aaddrick/claude-desktop-debian/actions/runs/24836419696

Refs #493, #503

aaddrick added a commit that referenced this pull request Apr 23, 2026
v2.0.4 rerun of update-apt-repo made it past hops 0 and 1 (the smoke test scheme fix in #506 worked — Pages' http:// redirect no longer trips the chain walker), but failed on hop 2:

    Hop 2: 302 .../releases/download/v2.0.4+claude1.3883.0/...deb -> https://release-assets.githubusercontent.com/...
    ::error::Hop 2 mismatch: expected https://objects\.githubusercontent\.com/, got https://release-assets.githubusercontent.com/...

GitHub migrated the Release asset CDN from objects.githubusercontent.com to release-assets.githubusercontent.com (both have been serving in the past; release-assets is the current canonical hostname). Accept either hostname via alternation.

Verified against the actual v2.0.4 Release:

    $ curl -Is https://github.com/aaddrick/claude-desktop-debian/releases/download/v2.0.4+claude1.3883.0/claude-desktop_1.3883.0-2.0.4_amd64.deb \
        | grep -i location
    location: https://release-assets.githubusercontent.com/github-production-release-asset/...

Same fix in three sites:

- .github/workflows/ci.yml (update-apt-repo smoke test)
- .github/workflows/ci.yml (update-dnf-repo smoke test)
- .github/workflows/apt-repo-heartbeat.yml (daily heartbeat)

docs/worker-apt-plan.md has historical references to objects.githubusercontent.com too; those can be updated in a follow-up docs sweep — the architectural claim (binary bytes flow direct from GitHub CDN, never through Cloudflare) is unchanged.

Refs #493, #503

aaddrick added a commit that referenced this pull request Apr 23, 2026
The plan doc served its purpose through #494 (merge) → #498 (scaffolding) → #502 / #503 / #504 / #506 / #509 / #510 (cutover). v2.0.5+claude1.3883.0 is the first release through the new pipeline, verified end-to-end on five distros. #493 is closed.

Removes docs/worker-apt-plan.md and the two architecture-pointer comments in worker/src/worker.js and worker/wrangler.toml that referenced it. Both files now carry a short self-contained summary of what the Worker does and why.

Also corrects worker.js's CDN-hostname reference from objects.githubusercontent.com (the old name) to release-assets (current, matches #509's regex fix).

Git history retains the full plan doc for anyone who needs the design rationale; nothing is actually lost.
Summary
Third and (hopefully) last follow-up to #503 — the first rerun of `update-apt-repo` for v2.0.3 made it all the way through `reprepro includedeb` + strip + commit + push (v2.0.3 metadata is live on gh-pages now — `Version: 1.3883.0-2.0.3`, 0 `.deb`s in pool, fresh `InRelease`). The only failure was the tail-end smoke test at hop 0:

Root cause

Pages emits `http://` in its auto-301 `Location` because `https_enforced: false` on the repo's Pages config — and that can't be set to `true`. DNS for `pkg.claude-desktop-debian.dev` points at Cloudflare (`custom_domain = true` in `wrangler.toml`), so Pages can never pass its domain-verification step to provision a cert. Cloudflare/Worker happily answer both schemes for `pkg.<domain>`, so the scheme in Pages' 301 is cosmetic — the redirect chain still terminates correctly.

Verified manually end-to-end, all three requested schemes:

APT side of the cutover is actually working for real users right now.

Fix

Relax hop 0's regex to `https?://` in three places:

- `.github/workflows/ci.yml:538` (APT smoke test)
- `.github/workflows/ci.yml:752` (DNF smoke test)
- `.github/workflows/apt-repo-heartbeat.yml:92` (daily heartbeat)

Later hops stay `https://`-only — GitHub's `releases/download/` and `objects.githubusercontent.com` redirects are always HTTPS.

Post-merge plan

Rerun failed jobs on run 24836419696:

- `update-apt-repo` is idempotent-ish (reprepro remove+re-add, same byte content) → smoke test now passes
- `update-dnf-repo` runs (was skipped this time due to `needs: update-apt-repo`) → exercises #500's `gh release upload --clobber` path for the first time (#500: DNF Worker chain broken: RPM signed in-place by update-dnf-repo, Release asset is unsigned (sha256 mismatch))

Refs #493, #503
Generated with Claude Code
Co-Authored-By: Claude Opus 4.7 [email protected]
90% AI / 10% Human
Claude: diagnosed the scheme mismatch from the actual run log, verified gh-pages state post-push (metadata updated, pool stripped) and that the chain works end-to-end, wrote and tested the regex relaxation
Human: delegated Phase 4a-APT cutover autonomously
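
The per-hop check this PR and its follow-up describe, as an added sketch that is not the project's workflow code: hop 0 accepts either scheme, later hops are HTTPS-only, and hop 2 accepts either CDN hostname. The function names `hop_pattern` and `check_chain`, the hop 1 pattern, and the sample URLs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-hop allow-list for a three-hop package redirect chain.
# Function names and the hop 1 pattern are assumptions, not the project's code.

# Print the anchored ERE that hop N's Location must match.
hop_pattern() {
  case "$1" in
    # Hop 0: Pages 301 to the custom domain; either scheme is accepted.
    0) printf '%s\n' '^https?://pkg\.claude-desktop-debian\.dev/' ;;
    # Hop 1 (assumed): redirect to the GitHub Release asset URL, HTTPS only.
    1) printf '%s\n' '^https://github\.com/aaddrick/claude-desktop-debian/releases/download/' ;;
    # Hop 2: GitHub's asset CDN, old or current hostname, HTTPS only.
    2) printf '%s\n' '^https://(objects|release-assets)\.githubusercontent\.com/' ;;
    *) return 1 ;;
  esac
}

# check_chain LOC0 LOC1 LOC2
# Returns 0 if every hop matches, 1 on the first mismatch, 2 on a wrong hop count.
check_chain() {
  if [ "$#" -ne 3 ]; then
    echo "expected 3 hops, got $#" >&2
    return 2
  fi
  i=0
  for loc in "$@"; do
    pat=$(hop_pattern "$i")
    if ! printf '%s\n' "$loc" | grep -Eq -- "$pat"; then
      echo "Hop $i mismatch: expected $pat, got $loc" >&2
      return 1
    fi
    i=$((i + 1))
  done
  return 0
}

# Constructed sample chain (paths are placeholders, not captured output).
check_chain \
  'http://pkg.claude-desktop-debian.dev/pool/main/example.deb' \
  'https://github.com/aaddrick/claude-desktop-debian/releases/download/v0/example.deb' \
  'https://release-assets.githubusercontent.com/github-production-release-asset/EXAMPLE' \
  && echo "chain OK"
```

Each pattern is anchored with `^`, escapes its dots and ends the hostname with `/`, so relaxing the scheme on hop 0 does not also loosen the host match: a Location such as `https://pkg.claude-desktop-debian.dev.example.net/` still fails hop 0.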