From cf5e1c95048c277e2b5076e5259efc7fd5eae354 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Sat, 14 Mar 2026 17:21:09 -0700
Subject: [PATCH 1/4] ci(e2e): run e2e tests on every push to main

---
 .github/workflows/e2e.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index d03f75b9..1217f583 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,6 +1,8 @@
 name: E2E
 
 on:
+  push:
+    branches: [main]
   pull_request:
     types: [opened, synchronize, reopened, labeled]
 
@@ -10,7 +12,7 @@ permissions:
 
 jobs:
   build-gateway:
-    if: contains(github.event.pull_request.labels.*.name, 'e2e')
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'e2e')
     uses: ./.github/workflows/docker-build.yml
     with:
       component: gateway
@@ -18,7 +20,7 @@ jobs:
       runner: build-arm64
 
   build-cluster:
-    if: contains(github.event.pull_request.labels.*.name, 'e2e')
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'e2e')
     uses: ./.github/workflows/docker-build.yml
     with:
       component: cluster

From 58b916cbe4071c43a03b6924cf8a6bfd01d86024 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Sat, 14 Mar 2026 17:30:43 -0700
Subject: [PATCH 2/4] ci(release): add diff link to tagged release notes

---
 .github/workflows/release-tag.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 6396b17c..2f262428 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -31,6 +31,7 @@ jobs:
       cargo_version: ${{ steps.v.outputs.cargo }}
       # Semver without 'v' prefix (e.g. 0.6.0), used for image tags and release body
       semver: ${{ steps.v.outputs.semver }}
+      previous_tag: ${{ steps.prev.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -50,6 +51,15 @@ jobs:
           echo "cargo=$(uv run python tasks/scripts/release.py get-version --cargo)" >> "$GITHUB_OUTPUT"
           echo "semver=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
 
+      - name: Find previous release tag
+        id: prev
+        run: |
+          set -euo pipefail
+          # List tags matching v*.*.* sorted by version descending, skip the current tag
+          PREV=$(git tag --list 'v*.*.*' --sort=-version:refname | grep -v "^${GITHUB_REF_NAME}$" | head -n1 || true)
+          echo "tag=${PREV}" >> "$GITHUB_OUTPUT"
+          echo "Previous release tag: ${PREV:-"(none, first release)"}"
+
   build-gateway:
     needs: [compute-versions]
     uses: ./.github/workflows/docker-build.yml
@@ -413,6 +423,8 @@ jobs:
           body: |
             ## OpenShell ${{ github.ref_name }}
 
+            ${{ needs.compute-versions.outputs.previous_tag != '' && format('**Full changelog**: [{0}...{1}](https://github.com/{2}/compare/{0}...{1})', needs.compute-versions.outputs.previous_tag, github.ref_name, github.repository) || '' }}
+
             ### Quick install
 
             Requires the [GitHub CLI (`gh`)](https://cli.github.com) to be installed and authenticated.

From c4da27cd00041b112e4cd8551e4f1d78d15ae871 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Sat, 14 Mar 2026 17:34:51 -0700
Subject: [PATCH 3/4] ci(canary): use install.sh for CLI setup and add gh to CI
 image

---
 .github/workflows/release-canary.yml | 32 ++--------------------------
 deploy/docker/Dockerfile.ci          | 10 +++++++++
 2 files changed, 12 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml
index 61f8486e..76b0d317 100644
--- a/.github/workflows/release-canary.yml
+++ b/.github/workflows/release-canary.yml
@@ -72,38 +72,10 @@ jobs:
           fi
 
       - name: Install CLI from GitHub Release
-        run: |
-          set -euo pipefail
-          TAG="${{ steps.release.outputs.tag }}"
-          ASSET_NAME="openshell-${{ matrix.target }}.tar.gz"
-          API="https://api.github.com/repos/${{ github.repository }}"
-
-          echo "Downloading ${ASSET_NAME} from release ${TAG}..."
-
-          # Look up the asset download URL via the releases API
-          ASSET_URL=$(curl -fsSL \
-            -H "Authorization: token ${GH_TOKEN}" \
-            "${API}/releases/tags/${TAG}" \
-            | jq -r --arg name "${ASSET_NAME}" \
-              '.assets[] | select(.name == $name) | .url')
-
-          if [ -z "$ASSET_URL" ] || [ "$ASSET_URL" = "null" ]; then
-            echo "::error::Asset ${ASSET_NAME} not found in release ${TAG}"
-            exit 1
-          fi
-
-          # Download the asset binary
-          curl -fsSL \
-            -H "Authorization: token ${GH_TOKEN}" \
-            -H "Accept: application/octet-stream" \
-            -o "/tmp/${ASSET_NAME}" \
-            "${ASSET_URL}"
-
-          tar -xzf "/tmp/${ASSET_NAME}" -C /tmp
-          install -m 755 /tmp/openshell /usr/local/bin/openshell
-          rm -f "/tmp/${ASSET_NAME}" /tmp/openshell
+        run: ./install.sh
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OPENSHELL_VERSION: ${{ steps.release.outputs.tag }}
 
       - name: Verify CLI installation
         run: openshell --version
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
index d07890db..55ff8032 100644
--- a/deploy/docker/Dockerfile.ci
+++ b/deploy/docker/Dockerfile.ci
@@ -49,6 +49,16 @@ RUN case "$TARGETARCH" in \
       -o /usr/local/lib/docker/cli-plugins/docker-buildx \
     && chmod +x /usr/local/lib/docker/cli-plugins/docker-buildx
 
+# Install GitHub CLI used by install.sh and CI jobs
+ARG GH_VERSION=2.74.1
+RUN case "$TARGETARCH" in \
+      amd64) gh_arch=amd64 ;; \
+      arm64) gh_arch=arm64 ;; \
+      *) echo "Unsupported TARGETARCH: $TARGETARCH"; exit 1 ;; \
+    esac \
+    && curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${gh_arch}.tar.gz" \
+    | tar xz --strip-components=2 -C /usr/local/bin "gh_${GH_VERSION}_linux_${gh_arch}/bin/gh"
+
 # Install AWS CLI v2 used for ECR publishing
 RUN case "$TARGETARCH" in \
       amd64) aws_arch=x86_64 ;; \

From 2450ce841d8b3220d71472f5472d46c652669163 Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Sat, 14 Mar 2026 18:27:25 -0700
Subject: [PATCH 4/4] ci(release): filter pre-release tags from previous
 release lookup

---
 .github/workflows/release-tag.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml
index 2f262428..e7746a26 100644
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -55,8 +55,12 @@ jobs:
         id: prev
         run: |
           set -euo pipefail
-          # List tags matching v*.*.* sorted by version descending, skip the current tag
-          PREV=$(git tag --list 'v*.*.*' --sort=-version:refname | grep -v "^${GITHUB_REF_NAME}$" | head -n1 || true)
+          # List tags matching v*.*.* sorted by version descending, keep only
+          # stable releases (no pre-release suffixes like -rc1), skip the current tag
+          PREV=$(git tag --list 'v*.*.*' --sort=-version:refname \
+            | grep -P '^v\d+\.\d+\.\d+$' \
+            | grep -v "^${GITHUB_REF_NAME}$" \
+            | head -n1 || true)
           echo "tag=${PREV}" >> "$GITHUB_OUTPUT"
           echo "Previous release tag: ${PREV:-"(none, first release)"}"