ci(e2e): implement comprehensive cross-platform E2E testing infrastructure

Adds end-to-end testing for all released artifacts across multiple platforms:

Platform Coverage:
- Linux AMD64/ARM64 binaries
- Fedora AMD64/ARM64 RPM packages
- Ubuntu AMD64/ARM64 DEB packages
- macOS AMD64 (macos-15-intel) and ARM64 (macos-latest) binaries
- Windows AMD64 (windows-latest) and ARM64 (windows-11-arm) binaries

Key Fixes:
- Skip Unix permission checks on Windows (ACL-based permissions)
- Fix credential helper path formatting for Windows batch wrapper
- Update RPM/DEB download patterns with wildcards for release numbers

Infrastructure:
- E2E workflow with prerelease gate pattern
- Package-specific test jobs with container isolation
- nfpm.yaml for .deb/.rpm packaging
- Updated Makefile with packaging targets

Closes #39

Author: Waldek Herka

.github/workflows/e2e.yml

@@ -1,60 +1,79 @@
 name: Release
 
 on:
-  release:
-    types: [prereleased]
+  push:
+    tags:
+      - 'v*'
 
 permissions:
   contents: write
 
 jobs:
-  release:
+  # ─────────────────────────────────────────────────────────
+  # Build and upload artifacts as PRERELEASE.
+  # The release is NOT marked latest until E2E tests pass.
+  # ─────────────────────────────────────────────────────────
+  release-prerelease:
+    name: Build & Prerelease
     runs-on: ubuntu-latest
+    outputs:
+      release_tag: ${{ github.ref_name }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Verify release exists as prerelease
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ github.ref_name }}"
+          echo "Verifying release $TAG exists as prerelease..."
+
+          # Check if release exists and get prerelease status
+          RELEASE_INFO=$(gh release view "$TAG" --json isPrerelease 2>/dev/null) || {
+            echo "Error: Release $TAG does not exist. Create it as prerelease first."
+            exit 1
+          }
+
+          IS_PRERELEASE=$(echo "$RELEASE_INFO" | jq -r '.isPrerelease')
+
+          if [ "$IS_PRERELEASE" != "true" ]; then
+            echo "Error: Release $TAG exists but is NOT a prerelease. Cannot upload to immutable release."
+            exit 1
+          fi
+
+          echo "✓ Release $TAG is a prerelease - proceeding with upload"
+
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: '1.21'
           cache: true
 
-      - name: Install tools (if needed)
-        run: |
-          # Check if envsubst is available, install only if missing
-          if ! command -v envsubst &> /dev/null; then
-            echo "envsubst not found, installing gettext-base..."
-            sudo apt-get update && sudo apt-get install -y gettext-base
-          else
-            echo "envsubst is already available"
-          fi
-
-      - name: Run tests
+      - name: Run unit tests
         run: go test ./...
 
       - name: Build release binaries and packages
         run: |
-          # Set version from tag (strip 'v' prefix for package version)
+          # Extract version from tag (strip 'v' prefix for package version)
           VERSION="${GITHUB_REF_NAME#v}"
           export VERSION
           export RPM_RELEASE=1
-          echo "Building version: $VERSION"
-          echo "RPM release: $RPM_RELEASE"
 
+          echo "Building version: $VERSION"
           make release packages
 
-          # List all built artifacts
-          echo ""
+      - name: List all built artifacts
+        run: |
           echo "=== Built artifacts ==="
           ls -lh dist/
 
-          # Display package metadata
+          echo ""
           echo "=== DEB Package Info ==="
           for deb in dist/*.deb; do
             echo "--- $deb ---"
-            dpkg-deb -I "$deb" | grep -E "(Package|Version|Architecture|Maintainer)"
+            dpkg-deb -I "$deb" 2>/dev/null | grep -E "(Package|Version|Architecture|Maintainer)" || echo "dpkg-deb not available"
           done
 
           echo ""
@@ -64,18 +83,28 @@ jobs:
             rpm -qip "$rpm" 2>/dev/null | grep -E "(Name|Version|Release|Architecture|Group)" || \
               echo "rpm command not available for detailed info"
           done
-      - name: Upload artifacts and set release as latest
+
+      - name: Upload artifacts to prerelease
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          VERSION="${{ github.event.release.tag_name }}"
-
-          # Note: the relase is assumed as created as prerelease
-          # The following section is aimmed at pushing the artifacts to the release
-          # and promoting it to latest
+          VERSION="${{ github.ref_name }}"
 
-          echo "Uploading artifacts to release $VERSION..."
-          gh release upload "$VERSION" dist/* --clobber
+          echo "Uploading artifacts to prerelease $VERSION..."
+          gh release upload "$VERSION" dist/*
 
-          echo "Setting release as latest..."
-          gh release edit "$VERSION" --prerelease=false --latest
+  # ─────────────────────────────────────────────────────────
+  # E2E gate: runs against the prerelease artifacts.
+  # Promotes to latest only if all platform tests pass.
+  # ─────────────────────────────────────────────────────────
+  e2e-gate:
+    name: E2E Gate
+    needs: release-prerelease
+    uses: ./.github/workflows/e2e.yml
+    with:
+      release_tag: ${{ needs.release-prerelease.outputs.release_tag }}
+      test_org_1: "gh-app-auth-test-1"
+      test_org_2: "gh-app-auth-test-2"
+    secrets:
+      E2E_APP_ID: ${{ secrets.E2E_APP_ID }}
+      E2E_PRIVATE_KEY_B64: ${{ secrets.E2E_PRIVATE_KEY_B64 }}

.github/workflows/release.yml

@@ -49,6 +49,7 @@ vscode/
 
 # Environment files
 .env
+.env.*
 .envrc
 
 # Local configuration files (not GitHub templates)

.gitignore

@@ -1,6 +1,6 @@
 # gh-app-auth Makefile
 
-.PHONY: help build test lint clean install dev-setup security-scan release deps vet gocyclo staticcheck ineffassign misspell test-coverage-check markdownlint yamllint actionlint cli-smoke-test package-deb package-rpm packages
+.PHONY: help build test lint clean install dev-setup security-scan release deps vet gocyclo staticcheck ineffassign misspell test-coverage-check markdownlint yamllint actionlint cli-smoke-test package-deb package-rpm packages test-e2e test-e2e-local
 
 # Default target
 help:
@@ -28,13 +28,15 @@ help:
 	@echo "  uninstall          Uninstall extension from GitHub CLI"
 	@echo "  dev-setup          Set up development environment (config only)"
 	@echo "  validate-tools     Validate core tools are installed"
-	@echo "  validate-lint-tools Validate linting tools can run"
+	@echo "  validate-lint-tools Validate linting tools are installed"
 	@echo "  security-scan      Run security scans (gosec, govulncheck)"
 	@echo "  deps               Download and verify dependencies"
 	@echo "  dev                Quick development cycle (fmt + lint + test + build)"
 	@echo "  ci                 CI pipeline simulation (mirrors GitHub CI)"
 	@echo "  quality            Full quality check (all linters + tests + security)"
 	@echo "  release            Build release binaries for all platforms"
+	@echo "  test-e2e           Run E2E tests (requires test infra + secrets)"
+	@echo "  test-e2e-local     Run E2E tests with locally built binary"
 	@echo ""
 	@echo "Packaging targets:"
 	@echo "  package-deb          Build DEB package for amd64"
@@ -47,9 +49,10 @@ help:
 	@echo "  validate-packages    Verify binary/package architectures match targets"
 	@echo ""
 	@echo "Presentation targets:"
+	@echo "  presentation-setup Install presentation tools (mermaid-cli, mermaid-filter)"
 	@echo "  presentation       Build both HTML and PDF presentations"
 	@echo "  presentation-html  Build interactive HTML presentation"
-	@echo "  presentation-pdf   Build PDF presentation"
+	@echo "  presentation-pdf   Build PDF presentation (requires presentation-setup)"
 	@echo "  presentation-serve Serve presentation locally on :8000"
 	@echo "  presentation-clean Clean presentation build artifacts"
 
@@ -62,16 +65,17 @@ COMMIT := $(shell git rev-parse --short HEAD)
 BUILD_TIME := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 LDFLAGS := -ldflags "-X main.Version=$(VERSION) -X main.Commit=$(COMMIT) -X main.BuildTime=$(BUILD_TIME)"
 
-# Go tool commands
-GOLANGCI_LINT := go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-GOIMPORTS := go run golang.org/x/tools/cmd/goimports@latest
-STATICCHECK := go run honnef.co/go/tools/cmd/staticcheck@latest
-GOCYCLO := go run github.com/fzipp/gocyclo/cmd/gocyclo@latest
-INEFFASSIGN := go run github.com/gordonklaus/ineffassign@latest
-MISSPELL := go run github.com/client9/misspell/cmd/misspell@latest
-GOSEC := go run github.com/securego/gosec/v2/cmd/gosec@latest
-GOVULNCHECK := go run golang.org/x/vuln/cmd/govulncheck@latest
-ACTIONLINT := go run github.com/rhysd/actionlint/cmd/actionlint@latest
+# Tool paths
+GOPATH := $(shell go env GOPATH)
+GOLANGCI_LINT := $(GOPATH)/bin/golangci-lint
+GOIMPORTS := $(GOPATH)/bin/goimports
+STATICCHECK := $(GOPATH)/bin/staticcheck
+GOCYCLO := $(GOPATH)/bin/gocyclo
+INEFFASSIGN := $(GOPATH)/bin/ineffassign
+MISSPELL := $(GOPATH)/bin/misspell
+GOSEC := $(GOPATH)/bin/gosec
+GOVULNCHECK := $(GOPATH)/bin/govulncheck
+NFPM_CMD := $(GOPATH)/bin/nfpm
 
 # Build the extension
 build:
@@ -112,7 +116,7 @@ test-coverage-check:
 		echo "✅ Coverage $$COVERAGE% meets threshold $(COVERAGE_THRESHOLD)%"; \
 	fi
 
-# Lint code with golangci-lint
+# Lint code with golangci-lint (comprehensive)
 lint:
 	@echo "Running golangci-lint..."
 	$(GOLANGCI_LINT) run
@@ -154,10 +158,11 @@ yamllint:
 	@command -v yamllint >/dev/null 2>&1 || { echo "⚠️  yamllint not found, skipping (install: pip install yamllint)"; exit 0; }
 	yamllint -d relaxed . || echo "⚠️  YAML lint issues found"
 
-# Run actionlint on GitHub workflow files
+# Run actionlint on GitHub workflow files (requires actionlint binary)
 actionlint:
 	@echo "Running actionlint..."
-	@$(ACTIONLINT) || echo "⚠️  Action lint issues found"
+	@command -v actionlint >/dev/null 2>&1 || { echo "⚠️  actionlint not found, skipping (install: go install github.com/rhysd/actionlint/cmd/actionlint@latest)"; exit 0; }
+	actionlint || echo "⚠️  Action lint issues found"
 
 # CLI smoke test - verify binary works
 cli-smoke-test: build
@@ -173,8 +178,8 @@ lint-all: vet staticcheck gocyclo ineffassign misspell markdownlint yamllint act
 # Format code
 fmt:
 	@echo "Formatting code..."
-	$(GOIMPORTS) -w .
 	gofmt -s -w .
+	$(GOIMPORTS) -w .
 
 # Clean build artifacts
 clean:
@@ -193,25 +198,45 @@ uninstall:
 	@echo "Uninstalling extension from GitHub CLI..."
 	gh extension remove app-auth || true
 
-# Set up development environment (configuration only, no tool installation)
+# Set up development environment
 dev-setup:
 	@echo "Setting up development environment..."
 	go mod download
+	@echo "Installing linting tools..."
+	go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
+	go install golang.org/x/tools/cmd/goimports@latest
+	go install github.com/securego/gosec/v2/cmd/gosec@latest
+	go install honnef.co/go/tools/cmd/staticcheck@latest
+	go install github.com/fzipp/gocyclo/cmd/gocyclo@latest
+	go install github.com/gordonklaus/ineffassign@latest
+	go install github.com/client9/misspell/cmd/misspell@latest
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+	go install github.com/goreleaser/nfpm/v2/cmd/nfpm@latest
 	@echo "Setting up git commit template..."
 	git config commit.template .gitmessage
 	@echo "Development environment ready!"
 	@echo ""
 	@echo "💡 Tip: Use 'git commit' (without -m) to use the conventional commit template"
 	@echo "📖 See CONTRIBUTING.md for conventional commit guidelines"
 
+# Set up presentation tools (installs mermaid-cli and mermaid-filter globally)
+presentation-setup:
+	@echo "Setting up presentation tools..."
+	@command -v npm >/dev/null 2>&1 || { echo "npm is required. Install Node.js first"; exit 1; }
+	@echo "Installing Mermaid CLI..."
+	npm install -g @mermaid-js/mermaid-cli
+	@echo "Installing mermaid-filter for pandoc..."
+	npm install -g mermaid-filter
+	@echo "✅ Presentation tools installed globally"
+
 # Run security scans
 security-scan:
 	@echo "Running security scans..."
 	$(GOSEC) -fmt sarif -out gosec.sarif ./... || true
 	@echo "Running vulnerability check..."
 	$(GOVULNCHECK) ./... || true
 
-# Download and verify dependencies
+# Download and verify dependencies  
 deps:
 	@echo "Downloading dependencies..."
 	go mod download
@@ -265,18 +290,18 @@ validate-tools:
 	@command -v git >/dev/null 2>&1 || { echo "❌ Git is required but not installed"; exit 1; }
 	@echo "✅ Core tools are installed."
 
-# Validate that linting tools can be executed
+# Validate that linting tools are installed
 validate-lint-tools:
-	@echo "Validating linting tools can be executed..."
-	@$(GOLANGCI_LINT) version >/dev/null 2>&1 || { echo "❌ golangci-lint failed"; exit 1; }
-	@$(GOIMPORTS) -l . >/dev/null 2>&1 || { echo "❌ goimports failed"; exit 1; }
-	@$(STATICCHECK) --help >/dev/null 2>&1 || { echo "❌ staticcheck failed"; exit 1; }
-	@$(GOCYCLO) . >/dev/null 2>&1 || { echo "❌ gocyclo failed"; exit 1; }
-	@$(INEFFASSIGN) . >/dev/null 2>&1 || { echo "❌ ineffassign failed"; exit 1; }
-	@$(MISSPELL) --help >/dev/null 2>&1 || { echo "❌ misspell failed"; exit 1; }
-	@$(GOSEC) --help >/dev/null 2>&1 || { echo "❌ gosec failed"; exit 1; }
-	@$(GOVULNCHECK) --help >/dev/null 2>&1 || { echo "❌ govulncheck failed"; exit 1; }
-	@echo "✅ All linting tools work"
+	@echo "Validating linting tools are installed..."
+	@test -f $(GOLANGCI_LINT) || { echo "❌ golangci-lint not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(GOIMPORTS) || { echo "❌ goimports not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(STATICCHECK) || { echo "❌ staticcheck not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(GOCYCLO) || { echo "❌ gocyclo not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(INEFFASSIGN) || { echo "❌ ineffassign not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(MISSPELL) || { echo "❌ misspell not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(GOSEC) || { echo "❌ gosec not installed. Run 'make dev-setup'"; exit 1; }
+	@test -f $(GOVULNCHECK) || { echo "❌ govulncheck not installed. Run 'make dev-setup'"; exit 1; }
+	@echo "✅ All linting tools are installed"
 
 # Quick development cycle
 dev: fmt lint test build
@@ -333,6 +358,28 @@ ci: deps validate-tools validate-lint-tools
 quality: validate-lint-tools fmt lint-all test-coverage-check security-scan
 	@echo "Quality check complete!"
 
+# Run E2E tests using a pre-built or user-supplied binary.
+# Requires test infrastructure (see docs/E2E_INFRASTRUCTURE.md) and secrets:
+#   export E2E_APP_ID=<app-id>
+#   export E2E_PRIVATE_KEY_B64=$(base64 -w 0 </path/to/key.pem>)
+#   export E2E_GITHUB_TOKEN=<github-token-with-repo-scope>
+# Optional: export E2E_BINARY_PATH=<path/to/binary>  (builds from source if unset)
+.PHONY: test-e2e
+test-e2e:
+	@echo "Running E2E tests (requires test infrastructure)..."
+	go test -v -tags=e2e -timeout=15m ./test/e2e/...
+
+# Run E2E tests using a locally built binary (no prerelease needed).
+# Builds the binary from source automatically.
+.PHONY: test-e2e-local
+test-e2e-local:
+	@echo "Building binary for E2E tests..."
+	go build -o /tmp/gh-app-auth-e2e-local .
+	@echo "Running E2E tests with local binary..."
+	E2E_BINARY_PATH=/tmp/gh-app-auth-e2e-local \
+		go test -v -tags=e2e -timeout=15m ./test/e2e/...
+	rm -f /tmp/gh-app-auth-e2e-local
+
 # Packaging targets
 .PHONY: package-deb package-deb-arm64 package-deb-arm package-rpm package-rpm-arm64 package-rpm-arm packages packages-local validate-packages
 
@@ -477,7 +524,7 @@ else
 endif
 
 # Presentation targets
-.PHONY: presentation presentation-html presentation-pdf presentation-serve presentation-clean
+.PHONY: presentation presentation-setup presentation-html presentation-pdf presentation-serve presentation-clean
 
 # Build presentation HTML
 presentation-html:
@@ -509,10 +556,9 @@ presentation-pdf:
 	@echo "Building presentation PDF..."
 	@command -v pandoc >/dev/null 2>&1 || { echo "Pandoc is required. Install: apt install pandoc"; exit 1; }
 	@command -v xelatex >/dev/null 2>&1 || { echo "XeLaTeX is required. Install: apt install texlive-xetex"; exit 1; }
-	@echo "Ensuring mermaid-filter is available..."
-	@command -v mermaid-filter >/dev/null 2>&1 || { echo "Installing mermaid-filter..." && npm install -g mermaid-filter; }
-	@mkdir -p dist/presentation
-	export PATH="$$(npm config get prefix)/bin:$$PATH"; \
+	@command -v mmdc >/dev/null 2>&1 || { echo "Mermaid CLI is required. Run: make presentation-setup"; exit 1; }
+	@npm list -g mermaid-filter >/dev/null 2>&1 || { echo "mermaid-filter is required. Run: make presentation-setup"; exit 1; }
+	mkdir -p dist/presentation
 	pandoc docs/presentation.md \
 		-o dist/presentation/presentation.pdf \
 		--pdf-engine=xelatex \