From 00cf463f907ce1c709dbb40e6bb8747b24d723fd Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 14:59:10 -0700 Subject: [PATCH 1/8] fix(ci): update release canary install path Signed-off-by: Drew Newberry --- .github/workflows/release-canary.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index 9e0108b7..c822a696 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -83,13 +83,20 @@ jobs: fi - name: Install CLI from GitHub Release - run: ./install.sh + run: | + set -euo pipefail + ./install.sh + echo "$OPENSHELL_INSTALL_DIR" >> "$GITHUB_PATH" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} OPENSHELL_VERSION: ${{ steps.release.outputs.tag }} + OPENSHELL_INSTALL_DIR: ${{ runner.temp }}/openshell-bin - name: Verify CLI installation - run: openshell --version + run: | + set -euo pipefail + command -v openshell + openshell --version - name: Resolve gateway host run: | From 45caa0808ea56bcb9c6d2eed00f96b8e2940077d Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 15:53:10 -0700 Subject: [PATCH 2/8] fix(ci): use published install script in release workflows - Release canary: install via curl from published install.sh instead of local checkout, pinning OPENSHELL_VERSION inline - Release canary: add install-default job to verify the default (latest) install path works without OPENSHELL_VERSION set - Release tag: replace gh CLI install snippet in release body with one-liner install.sh command pinned to the release tag --- .github/workflows/release-canary.yml | 43 +++++++++++++++++++++++----- .github/workflows/release-tag.yml | 29 +------------------ 2 files changed, 37 insertions(+), 35 deletions(-) diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index c822a696..c66281f1 100644 --- a/.github/workflows/release-canary.yml 
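Review bot: In PATCH 1/8 the verify step prints `command -v openshell` but never asserts that the resolved path is the one the install step just wrote. An `openshell` already present on the runner or in the CI image (neither is visible in this hunk) would satisfy both commands even if the install did not land where expected. `OPENSHELL_INSTALL_DIR` is defined only in the install step's `env:`, so the verify step cannot refer to it. Defining it at job level would allow `[ "$(command -v openshell)" = "$OPENSHELL_INSTALL_DIR/openshell" ]` before `openshell --version`, assuming install.sh places the binary directly in that directory. The job's step list starts and ends outside the hunk.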
+++ b/.github/workflows/release-canary.yml @@ -20,6 +20,39 @@ defaults: shell: bash jobs: + # --------------------------------------------------------------------------- + # Verify the default install path (no OPENSHELL_VERSION) resolves to latest + # --------------------------------------------------------------------------- + install-default: + name: Install default (${{ matrix.arch }}) + if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: build-amd64 + - arch: arm64 + runner: build-arm64 + runs-on: ${{ matrix.runner }} + timeout-minutes: 10 + container: + image: ghcr.io/nvidia/openshell/ci:latest + credentials: + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + steps: + - name: Install CLI (default / latest) + run: | + set -euo pipefail + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh + + - name: Verify CLI installation + run: | + set -euo pipefail + command -v openshell + openshell --version + canary: name: Canary ${{ matrix.mode }} (${{ matrix.arch }}) if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} @@ -82,15 +115,11 @@ jobs: fi fi - - name: Install CLI from GitHub Release + - name: Install CLI from published install script run: | set -euo pipefail - ./install.sh - echo "$OPENSHELL_INSTALL_DIR" >> "$GITHUB_PATH" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - OPENSHELL_VERSION: ${{ steps.release.outputs.tag }} - OPENSHELL_INSTALL_DIR: ${{ runner.temp }}/openshell-bin + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=${{ steps.release.outputs.tag }} OPENSHELL_INSTALL_DIR=${{ runner.temp }}/openshell-bin sh + echo "${{ runner.temp }}/openshell-bin" >> "$GITHUB_PATH" - name: Verify CLI installation run: | 
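Review bot: The new `install-default` job in PATCH 2/8 pipes a script fetched from the mutable `main` ref into `sh` but declares no job-level `permissions:`, so it runs with whatever token scope the workflow or repository default grants (any workflow-level block is outside this hunk). The job only pulls the CI image and runs the installer, so a job-level `permissions:` with `contents: read` and, likely, `packages: read` for the ghcr.io pull would bound what a tampered script could reach. The container is also referenced as `ci:latest`; pinning it by digest would keep the canary's environment from changing silently. A one-line comment above the `curl` line, such as `# Deliberately fetched from main: this is the exact command users run`, would record that the unpinned fetch is intentional.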
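Review bot: The rewritten canary install step in PATCH 2/8 expands `${{ steps.release.outputs.tag }}` directly inside the `run:` script, so the tag becomes shell source text before bash parses it. PATCH 1/8 passed the same values through `env:`, which keeps them as data. Where the `release` step takes its tag from is outside this hunk, but if it can derive from a dispatch input or a ref name, shell metacharacters in it would be executed by this step. Variables set under the step's `env:` are inherited by both sides of the pipe, so `curl … | sh` still sees them. The same inline expansion survives in PATCH 4/8's version of this line and reappears as `TAG="${{ … }}"` in both hunks of PATCH 6/8, including `github.event.workflow_run.head_branch`; those would take the same `env:` treatment.

```yaml
      - name: Install CLI from published install script
        run: |
          # … unchanged: set -euo pipefail …
          curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh
          echo "$OPENSHELL_INSTALL_DIR" >> "$GITHUB_PATH"
        env:
          OPENSHELL_VERSION: ${{ steps.release.outputs.tag }}
          OPENSHELL_INSTALL_DIR: ${{ runner.temp }}/openshell-bin
```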
diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index e36de607..c0bd5deb 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -364,37 +364,10 @@ jobs: ### Quick install - Requires the [GitHub CLI (`gh`)](https://cli.github.com) to be installed and authenticated. - - ```bash - sh -c 'ARCH=$(uname -m); OS=$(uname -s); \ - case "${OS}-${ARCH}" in \ - Linux-x86_64) ASSET="openshell-x86_64-unknown-linux-musl.tar.gz" ;; \ - Linux-aarch64) ASSET="openshell-aarch64-unknown-linux-musl.tar.gz" ;; \ - Darwin-arm64) ASSET="openshell-aarch64-apple-darwin.tar.gz" ;; \ - *) echo "Unsupported platform: ${OS}-${ARCH}" >&2; exit 1 ;; \ - esac; \ - gh release download ${{ env.RELEASE_TAG }} --repo NVIDIA/OpenShell --pattern "${ASSET}" -O - \ - | tar xz \ - && sudo install -m 755 openshell /usr/local/bin/openshell' - ``` - - ### Docker images - ```bash - docker pull ghcr.io/nvidia/openshell/gateway:${{ needs.compute-versions.outputs.semver }} - docker pull ghcr.io/nvidia/openshell/cluster:${{ needs.compute-versions.outputs.semver }} + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=${{ env.RELEASE_TAG }} sh ``` - ### Assets - - | File | Platform | - |------|----------| - | `openshell-x86_64-unknown-linux-musl.tar.gz` | Linux x86_64 | - | `openshell-aarch64-unknown-linux-musl.tar.gz` | Linux aarch64 / ARM64 | - | `openshell-aarch64-apple-darwin.tar.gz` | macOS Apple Silicon | - | `openshell-*.whl` | Python wheels | - | `openshell-checksums-sha256.txt` | SHA256 checksums for all archives | files: | release/openshell-x86_64-unknown-linux-musl.tar.gz release/openshell-aarch64-unknown-linux-musl.tar.gz From b97236d54d490ed6b448eaba8489815bd4105ebd Mon Sep 17 00:00:00 2001 
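Review bot: The new release-body one-liner pins `OPENSHELL_VERSION` to the tag but still fetches `install.sh` from `main`, so the script a user pipes into `sh` for this release is whatever `main` holds on the day they run it, not what shipped with the tag. Fetching the script from the tag ref, e.g. `https://raw.githubusercontent.com/NVIDIA/OpenShell/${{ env.RELEASE_TAG }}/install.sh`, would tie the two together, assuming the tag exists as a git ref when the body is published. The hunk also deletes the `### Docker images` section and the `### Assets` table, which the commit message does not mention. Within the lines shown, that table was the only pointer to `openshell-checksums-sha256.txt`, so a one-line reference to the checksum file is worth keeping for anyone verifying a download by hand. The release body starts and ends outside the hunk.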
From: Drew Newberry Date: Tue, 17 Mar 2026 16:00:06 -0700 Subject: [PATCH 3/8] fix(ci): only run default install check after tag releases --- .github/workflows/release-canary.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index c66281f1..1ffbdb3c 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -25,7 +25,9 @@ jobs: # --------------------------------------------------------------------------- install-default: name: Install default (${{ matrix.arch }}) - if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} + if: >- + github.event.workflow_run.conclusion == 'success' + && github.event.workflow_run.name == 'Release Tag' strategy: fail-fast: false matrix: From ec51cc0345820e54d820136b5d9de7f17625b0c6 Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 16:00:32 -0700 Subject: [PATCH 4/8] fix(ci): install to /usr/local/bin to simplify PATH setup --- .github/workflows/release-canary.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index 1ffbdb3c..f9a705fd 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -120,8 +120,7 @@ jobs: - name: Install CLI from published install script run: | set -euo pipefail - curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=${{ steps.release.outputs.tag }} OPENSHELL_INSTALL_DIR=${{ runner.temp }}/openshell-bin sh - echo "${{ runner.temp }}/openshell-bin" >> "$GITHUB_PATH" + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=${{ steps.release.outputs.tag }} OPENSHELL_INSTALL_DIR=/usr/local/bin sh - name: Verify CLI installation run: | 
From b02477320b2619bec74ebdad58169c28a661dbf5 Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 16:17:57 -0700 Subject: [PATCH 5/8] update release time --- .github/workflows/release-auto-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-auto-tag.yml b/.github/workflows/release-auto-tag.yml index 36b355ce..c0722853 100644 --- a/.github/workflows/release-auto-tag.yml +++ b/.github/workflows/release-auto-tag.yml @@ -6,7 +6,7 @@ name: Release Auto-Tag on: workflow_dispatch: {} schedule: - - cron: "0 3 * * *" # 7 PM PT (03:00 UTC during PDT) + - cron: "0 2 * * *" # 7 PM PDT permissions: contents: write From 81715ec658c74dd91f3061d30fa387ee78b8d581 Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 16:45:26 -0700 Subject: [PATCH 6/8] fix(ci): verify installed CLI version matches expected release tag --- .github/workflows/release-canary.yml | 29 ++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml index f9a705fd..c4627b7e 100644 --- a/.github/workflows/release-canary.yml +++ b/.github/workflows/release-canary.yml @@ -53,7 +53,19 @@ jobs: run: | set -euo pipefail command -v openshell - openshell --version + ACTUAL="$(openshell --version)" + echo "Installed: $ACTUAL" + # This job only runs after Release Tag, so the triggering tag + # should match the latest release the default installer resolves to. + TAG="${{ github.event.workflow_run.head_branch }}" + if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + EXPECTED="${TAG#v}" + if [[ "$ACTUAL" != *"$EXPECTED"* ]]; then + echo "::error::Version mismatch: expected '$EXPECTED' in '$ACTUAL'" + exit 1 + fi + echo "Version check passed: found $EXPECTED in output" + fi canary: name: Canary ${{ matrix.mode }} (${{ matrix.arch }}) 
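Review bot: The version check added to `install-default` in PATCH 6/8 is fail-open: when `TAG` does not match `^v[0-9]+\.[0-9]+\.[0-9]+$` the `if` has no `else`, so the step exits 0 without comparing anything and without logging that it skipped. The hunk's own comment says this job only runs after Release Tag, so a non-matching value is unexpected and should probably fail, e.g. `else echo "::error::Unexpected tag '$TAG', cannot verify version"; exit 1`. If pre-release tags are legitimate here, at least log the skip as the canary job's check does in the second hunk. The verify step begins above the hunk.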
@@ -126,7 +138,20 @@ jobs: run: | set -euo pipefail command -v openshell - openshell --version + ACTUAL="$(openshell --version)" + echo "Installed: $ACTUAL" + TAG="${{ steps.release.outputs.tag }}" + # For tagged releases (v1.2.3), verify the semver appears in the version string + if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + EXPECTED="${TAG#v}" + if [[ "$ACTUAL" != *"$EXPECTED"* ]]; then + echo "::error::Version mismatch: expected '$EXPECTED' in '$ACTUAL'" + exit 1 + fi + echo "Version check passed: found $EXPECTED in output" + else + echo "Non-release tag ($TAG), skipping version check" + fi - name: Resolve gateway host run: | From b34ac38015ebc50b45d4f04d7634793d9eaae78d Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 16:49:56 -0700 Subject: [PATCH 7/8] upate version example --- install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install.sh b/install.sh index aefb4a0d..36a3d5eb 100755 --- a/install.sh +++ b/install.sh @@ -61,7 +61,7 @@ EXAMPLES: curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh # Install a specific version - OPENSHELL_VERSION=v0.0.4 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh + OPENSHELL_VERSION=v0.0.9 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh # Install to /usr/local/bin OPENSHELL_INSTALL_DIR=/usr/local/bin curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh From 563894d55e1f312814c45e051d36b67588271f8e Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Tue, 17 Mar 2026 17:05:00 -0700 Subject: [PATCH 8/8] fix examples --- install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index 36a3d5eb..cf29ba74 100755 --- a/install.sh +++ b/install.sh 
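Review bot: The comparison `[[ "$ACTUAL" != *"$EXPECTED"* ]]` in the canary verify step of PATCH 6/8 is a substring match, so an expected `0.0.1` is satisfied by an installed `0.0.10` and the canary would pass on the wrong release. The first hunk of this patch uses the same test. Bounding the match on non-version characters closes the gap, e.g. `if ! [[ "$ACTUAL" =~ (^|[^0-9.])"$EXPECTED"($|[^0-9]) ]]; then` in place of the current condition. The output format of `openshell --version` is not shown on this page, so confirm the pattern against real output before adopting it.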
@@ -61,10 +61,10 @@ EXAMPLES: curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh # Install a specific version - OPENSHELL_VERSION=v0.0.9 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_VERSION=v0.0.9 sh # Install to /usr/local/bin - OPENSHELL_INSTALL_DIR=/usr/local/bin curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | sh + curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install.sh | OPENSHELL_INSTALL_DIR=/usr/local/bin sh EOF }