From 00fba38cfb8d77b02dd6c3d85199bbd814d1b991 Mon Sep 17 00:00:00 2001
From: Leonardo Araujo
Date: Mon, 1 Jun 2026 04:16:33 -0300
Subject: [PATCH] ci(workflows): validate AGENTCTL_INSTALL allowlist

Fail fast when AGENTCTL_INSTALL is not go-build or release, and use explicit == release for the tarball install step instead of != go-build. Document the two allowed values in GITHUB_ACTIONS.md.

Fixes #97

Co-authored-by: Cursor
---
 .github/workflows/agentctl-pr-review-publish.yml | 10 +++++++++-
 .github/workflows/agentctl-pr-review.yml | 10 +++++++++-
 docs/GITHUB_ACTIONS.md | 6 +++---
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/agentctl-pr-review-publish.yml b/.github/workflows/agentctl-pr-review-publish.yml
index c249018..34216de 100644
--- a/.github/workflows/agentctl-pr-review-publish.yml
+++ b/.github/workflows/agentctl-pr-review-publish.yml
@@ -48,6 +48,14 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
+ - name: Validate AGENTCTL_INSTALL
+ run: |
+ set -euo pipefail
+ case "${AGENTCTL_INSTALL:-go-build}" in
+ go-build|release) ;;
+ *) echo "AGENTCTL_INSTALL must be 'go-build' or 'release', got '${AGENTCTL_INSTALL}'" >&2; exit 1 ;;
+ esac
+
 - name: Cache SQLite state (optional)
 if: env.AGENTIC_CACHE_STATE == 'true'
 uses: actions/cache@v4
@@ -71,7 +79,7 @@ jobs:
 agentctl version
 - name: Install agentctl (release tarball)
- if: env.AGENTCTL_INSTALL != 'go-build'
+ if: env.AGENTCTL_INSTALL == 'release'
 run: |
 set -euo pipefail
 version="${AGENTCTL_VERSION}"
diff --git a/.github/workflows/agentctl-pr-review.yml b/.github/workflows/agentctl-pr-review.yml
index 8520e8e..2ec8357 100644
--- a/.github/workflows/agentctl-pr-review.yml
+++ b/.github/workflows/agentctl-pr-review.yml
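Review bot: The validate step accepts an unset or empty AGENTCTL_INSTALL by falling back to `go-build` in the `case` line, but the install steps gate on the raw env value (`if: env.AGENTCTL_INSTALL == 'release'` in the second hunk of this file), and a workflow expression compares the empty string, not the shell fallback. If the go-build install step's `if:` (outside this hunk) is the matching `== 'go-build'`, an empty value passes validation and then neither install step runs, so the problem surfaces later as a missing `agentctl` binary instead of at this step. Either require the value to be set, `case "${AGENTCTL_INSTALL:-}" in` with the error text changed to say it must be set, or keep the default and let the expressions treat empty as go-build, e.g. `if: env.AGENTCTL_INSTALL == 'go-build' || env.AGENTCTL_INSTALL == ''`. The same applies to the identical validate and install hunks in .github/workflows/agentctl-pr-review.yml.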
@@ -65,6 +65,14 @@ jobs:
 set -euo pipefail
 echo "gh_pr_comment=${AGENTIC_GH_PR_COMMENT:-false}" >> "$GITHUB_OUTPUT"
+ - name: Validate AGENTCTL_INSTALL
+ run: |
+ set -euo pipefail
+ case "${AGENTCTL_INSTALL:-go-build}" in
+ go-build|release) ;;
+ *) echo "AGENTCTL_INSTALL must be 'go-build' or 'release', got '${AGENTCTL_INSTALL}'" >&2; exit 1 ;;
+ esac
+
 - name: Cache SQLite state (optional)
 if: env.AGENTIC_CACHE_STATE == 'true'
 uses: actions/cache@v4
@@ -88,7 +96,7 @@ jobs:
 agentctl version
 - name: Install agentctl (release tarball)
- if: env.AGENTCTL_INSTALL != 'go-build'
+ if: env.AGENTCTL_INSTALL == 'release'
 run: |
 set -euo pipefail
 version="${AGENTCTL_VERSION}"
diff --git a/docs/GITHUB_ACTIONS.md b/docs/GITHUB_ACTIONS.md
index 9f37a84..c7fe77f 100644
--- a/docs/GITHUB_ACTIONS.md
+++ b/docs/GITHUB_ACTIONS.md
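Review bot: The validate step is inserted after the step that writes `gh_pr_comment` to `$GITHUB_OUTPUT` (and after Checkout in agentctl-pr-review-publish.yml), so an invalid value is rejected only once earlier steps have already run; since it reads only a workflow-level env var, it can be the first step of the job, which is what "fail fast" in the commit title suggests. The seven-line `case` block is byte-identical in both workflows, so consider moving it into a local composite action or a tiny shared script that both workflows call, keeping the allowlist in one place so the two copies cannot drift when a third install mode is added. A short comment above the step, `# Reject anything other than the two documented modes before any install step runs`, would also tell a downstream copier why the step exists.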
@@ -97,12 +97,12 @@ comment. **`upsert: true`** is an alias for **`replace`**.
 ## Installing `agentctl` in Actions
-The template supports two modes via **`AGENTCTL_INSTALL`**:
+The template supports exactly two values for **`AGENTCTL_INSTALL`**. Any other value fails the workflow early with a clear error.
 | Value | When to use |
 |-------|-------------|
 | **`go-build`** (default in this monorepo) | The workflow checks out this repository and runs **`go build ./cmd/agentctl`**. Use this while developing here so CI always matches the native tools on the branch (no waiting on a release asset). |
-| **`release`** | Set **`AGENTCTL_INSTALL`** to **`release`** (any value other than **`go-build`**) in a **downstream** repo that only copies the YAML project, not the Go source. Then set **`AGENTCTL_VERSION`** (e.g. **`v0.1.9`**) to a tag whose asset **`agentctl--linux-amd64.tar.gz`** exists on **Releases**. |
+| **`release`** | Set **`AGENTCTL_INSTALL`** to **`release`** in a **downstream** repo that only copies the YAML project, not the Go source. Then set **`AGENTCTL_VERSION`** (e.g. **`v0.1.9`**) to a tag whose asset **`agentctl--linux-amd64.tar.gz`** exists on **Releases**. |
 ### arm64 and other non-amd64 runners
@@ -138,7 +138,7 @@ The workflow template sets these **workflow-level** env vars (tune after copying
 | Variable | Default | Purpose |
 |----------|---------|---------|
-| **`AGENTCTL_INSTALL`** | `go-build` in-repo | **`go-build`** compiles **`./cmd/agentctl`** after checkout. Downstream copies should use **`release`** and **`AGENTCTL_VERSION`**. |
+| **`AGENTCTL_INSTALL`** | `go-build` in-repo | **`go-build`** or **`release`** only (invalid values fail fast). **`go-build`** compiles **`./cmd/agentctl`** after checkout. Downstream copies should use **`release`** and **`AGENTCTL_VERSION`**. |
 | **`AGENTIC_CACHE_STATE`** | `false` | When `true`, restores/saves the SQLite state file between runs (update **`hashFiles()`** globs if **`AGENTIC_PROJECT`** is not **`examples/pr-review-github-actions`**). |
 | **`AGENTIC_GH_PR_COMMENT`** | `false` | When `true`, the **`review`** job exports this flag so the follow-up **`post-pointer`** job can run (**`gh pr comment`** pointer to the Actions run). Job-level **`if:`** cannot read workflow **`env`**, so the template uses a step output instead. |