ci: align fork workflows and fix installer pipeline failures

Author: deepakdgupta1

.github/workflows/installer.yml

@@ -2,7 +2,7 @@ name: Installer CI
 
 on:
   push:
-    branches: [main]
+    branches: [local-desktop-installation-support]
     paths:
       - 'install.sh'
       - 'scripts/**'
@@ -13,7 +13,7 @@ on:
       - '.shellcheckrc'
       - 'tests/**/*.sh'
   pull_request:
-    branches: [main]
+    branches: [local-desktop-installation-support]
     paths:
       - 'install.sh'
       - 'scripts/**'
@@ -187,7 +187,7 @@ jobs:
           path: result.json
 
   pinned-ref-smoke:
-    name: Pinned Ref Smoke (checksums from main)
+    name: Pinned Ref Smoke (checksums from integration branch)
     runs-on: ubuntu-latest
     timeout-minutes: 30
     container:
@@ -209,10 +209,10 @@ jobs:
           echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/90-ci-ubuntu
           chmod 440 /etc/sudoers.d/90-ci-ubuntu
 
-      - name: Run pinned-ref install (checksums from main)
+      - name: Run pinned-ref install (checksums from integration branch)
         run: |
           ACFS_REF="$(cat VERSION)" \
-          ACFS_CHECKSUMS_REF=main \
+          ACFS_CHECKSUMS_REF=local-desktop-installation-support \
           bash install.sh --yes --skip-preflight --skip-ubuntu-upgrade --mode safe --only lang.uv
 
   selection-tests:
@@ -249,7 +249,7 @@ jobs:
         include:
           - ubuntu: '24.04'
             mode: vibe
-          - ubuntu: '25.04'
+          - ubuntu: '25.10'
             mode: vibe
           - ubuntu: '24.04'
             mode: safe

.github/workflows/upstream-sync.yml

@@ -5,6 +5,10 @@ on:
     - cron: '0 0 * * *' # Daily at midnight
   workflow_dispatch:
 
+concurrency:
+  group: upstream-sync
+  cancel-in-progress: false
+
 permissions:
   contents: write
   pull-requests: write
@@ -14,19 +18,26 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        MAIN_BRANCH: main
-        TARGET_BRANCH: local-desktop-installation-support
-        SYNC_BRANCH: upstream-sync
-        UPSTREAM_URL: https://github.com/Dicklesworthstone/agentic_coding_flywheel_setup.git
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      PUSH_TOKEN: ${{ secrets.UPSTREAM_SYNC_TOKEN }}
+      MAIN_BRANCH: main
+      TARGET_BRANCH: local-desktop-installation-support
+      SYNC_BRANCH: upstream-sync
+      UPSTREAM_URL: https://github.com/Dicklesworthstone/agentic_coding_flywheel_setup.git
+      OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{ env.MAIN_BRANCH }}
+          token: ${{ secrets.UPSTREAM_SYNC_TOKEN != '' && secrets.UPSTREAM_SYNC_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Warn if mirror token is missing
+        if: env.PUSH_TOKEN == ''
+        run: |
+          echo "::warning::UPSTREAM_SYNC_TOKEN is not configured. Pushes that update .github/workflows may be rejected."
 
       - name: Configure Git
         run: |
@@ -40,29 +51,33 @@ jobs:
 
       - name: Add and Fetch Upstream
         run: |
-          git remote add upstream "$UPSTREAM_URL"
+          if git remote get-url upstream >/dev/null 2>&1; then
+            git remote set-url upstream "$UPSTREAM_URL"
+          else
+            git remote add upstream "$UPSTREAM_URL"
+          fi
           git fetch upstream
 
       # Step 1: Sync fork's main branch with upstream/main (Pure Mirror)
       - name: Sync Main Branch with Upstream
         run: |
           echo "Syncing fork's main branch with upstream/main..."
-          
+
           # Hard reset main to match upstream/main exactly
           git checkout "$MAIN_BRANCH"
           git reset --hard upstream/main
-          
+
           # Force push to update the fork's main branch
           git push -f origin "$MAIN_BRANCH"
-          
+
           echo "✅ Fork's main branch is now a pure mirror of upstream/main"
 
       # Step 2: Merge main into local-desktop-installation-support
       - name: Prepare Integration Branch
         run: |
           # Checkout the integration branch
           git checkout "$TARGET_BRANCH"
-          
+
           # Create/reset sync branch from target for the merge
           git checkout -B "$SYNC_BRANCH" "$TARGET_BRANCH"
 
@@ -98,9 +113,6 @@ jobs:
           # Ensure labels exist to prevent errors during PR creation
           gh label create upstream-sync --repo ${{ github.repository }} --description "Syncs changes from upstream" --color 1d76db || true
           gh label create conflict --repo ${{ github.repository }} --description "Merge conflicts detected" --color b60205 || true
-          
-          # Debug: List labels to verify visibility
-          gh label list --repo ${{ github.repository }}
 
       # Step 3: Handle result based on merge status
       - name: Push Clean Merge Directly
@@ -115,30 +127,30 @@ jobs:
         run: |
           # Check if PR already exists
           existing_pr=$(gh pr list --repo ${{ github.repository }} --head "$SYNC_BRANCH" --base "$TARGET_BRANCH" --json number -q '.[0].number')
-          
+
           if [[ -z "$existing_pr" ]]; then
             echo "Creating new PR for conflict resolution..."
             TITLE="⚠️ Upstream Sync (Conflicts Detected)"
             BODY="This PR syncs changes from upstream. **Conflicts were detected and committed with markers.** Please review and resolve them."
-            LABELS="upstream-sync,conflict"
-            
+
             PR_URL=$(gh pr create \
               --repo ${{ github.repository }} \
               --title "$TITLE" \
               --body "$BODY" \
               --head "$SYNC_BRANCH" \
               --base "$TARGET_BRANCH" \
-              --label "$LABELS")
-            
+              --label "upstream-sync" \
+              --label "conflict")
+
             echo "PR_URL=$PR_URL" >> "$GITHUB_ENV"
           else
-             echo "Updating existing PR #$existing_pr..."
-             echo "PR_URL=https://github.com/${{ github.repository }}/pull/$existing_pr" >> "$GITHUB_ENV"
-             
-             gh pr edit "$existing_pr" --repo ${{ github.repository }} \
-               --title "⚠️ Upstream Sync (Conflicts Detected)" \
-               --add-label "conflict" \
-               --body "Updates from upstream. Conflicts detected."
+            echo "Updating existing PR #$existing_pr..."
+            echo "PR_URL=https://github.com/${{ github.repository }}/pull/$existing_pr" >> "$GITHUB_ENV"
+
+            gh pr edit "$existing_pr" --repo ${{ github.repository }} \
+              --title "⚠️ Upstream Sync (Conflicts Detected)" \
+              --add-label "conflict" \
+              --body "Updates from upstream. Conflicts detected."
           fi
 
       - name: Analyze Conflicts with AI

docs/fork-workflow-strategy.md

@@ -28,7 +28,7 @@ graph TD
     U -->|Action: Daily Sync| I
     F1 -->|PR: Merge| I
     F2 -->|PR: Merge| I
-    
+
     style I fill:#d4edda,stroke:#28a745,stroke-width:2px
     style U fill:#cce5ff,stroke:#004085,stroke-width:2px
 ```
@@ -39,6 +39,13 @@ Your GitHub Action `upstream-sync.yml` runs daily.
 -   It attempts to merge into `local-desktop-installation-support`.
 -   **If Clean**: It pushes automatically. You wake up to a fresh, up-to-date repo.
 -   **If Conflict**: It opens a PR with conflict markers. You must resolve it (see [Upstream Sync Guide](./upstream-sync.md)).
+-   **Token Requirement**: Configure `UPSTREAM_SYNC_TOKEN` so mirror pushes can update `.github/workflows/*` when upstream changes those files.
+
+### 1.5 CI Branch Alignment
+`Installer CI` should run on `local-desktop-installation-support` (and PRs targeting it), because that is the deployment/integration branch.
+
+-   Keep `main` as an upstream mirror branch.
+-   Use CI on `local-desktop-installation-support` to validate what actually lands on your machine.
 ### 2. Developing a New Feature (The "Right Way")
 **NEVER** work directly on `local-desktop-installation-support`. Always use a feature branch.
 #### Step 1: Start Fresh

docs/upstream-sync.md

@@ -12,14 +12,23 @@ A GitHub Action (`.github/workflows/upstream-sync.yml`) automatically syncs chan
 
 ## Workflow Logic
 1.  **Daily Trigger**: Runs at 00:00 UTC.
-2.  **Sync**: Merges `upstream/main` into a branch named `upstream-sync`.
-3.  **Conflict Handling**:
-    - **Clean Merge**: Creates a PR with merged changes.
-    - **Conflict**: Commits files *with conflict markers* to the PR so you can see them in the diff.
-4.  **AI Analysis**: If conflicts exist AND `OPENAI_API_KEY` is set in repository secrets, an AI suggestion is posted as a comment on the PR.
+2.  **Mirror Main**: Hard-resets fork `main` to `upstream/main` and force-pushes.
+3.  **Integrate**: Merges fork `main` into `local-desktop-installation-support` through `upstream-sync`.
+4.  **Conflict Handling**:
+    - **Clean Merge**: Automatically pushes the updates to your target branch (`local-desktop-installation-support`). No PR is created.
+    - **Conflict**: Commits files *with conflict markers* to a new branch and creates a PR so you can resolve them.
+5.  **AI Analysis**: If conflicts exist AND `OPENAI_API_KEY` is set in repository secrets, an AI suggestion is posted as a comment on the PR.
 
-## Configuration: Setting up the API Key
-To enable AI conflict analysis, you must securely add your OpenAI API Key to the repository secrets.
+## Configuration: Required Secrets
+
+### 1) `UPSTREAM_SYNC_TOKEN` (required for reliable mirror pushes)
+Use a token that can push repository contents and workflow files, then store it as:
+- **Name**: `UPSTREAM_SYNC_TOKEN`
+
+Without this secret, pushes that include `.github/workflows/*` changes can be rejected by GitHub.
+
+### 2) `OPENAI_API_KEY` (optional for AI conflict analysis)
+To enable AI conflict analysis, securely add your OpenAI API Key to repository secrets.
 
 1.  **Go to Settings**: Navigate to your GitHub repository page and click on the **Settings** tab.
 2.  **Access Secrets**: In the left sidebar, click on **Secrets and variables**, then select **Actions**.
@@ -66,3 +75,5 @@ To run the sync manually:
 2.  Select **Upstream Sync** from the left sidebar.
 3.  Click **Run workflow**.
 4.  Select the branch and click **Run workflow**.
+
+For consistency with the integration-branch strategy, run it from `main`.

scripts/check-manifest-drift.sh

@@ -224,6 +224,7 @@ log "Manifest SHA256 now matches: $ACTUAL_NOW"
 if [[ -f "$INTERNAL_CHECKSUMS_FILE" ]] && [[ "$INTERNAL_DRIFT_COUNT" -gt 0 ]]; then
     log "Verifying internal script checksums after regeneration..."
     unset ACFS_INTERNAL_CHECKSUMS
+    # shellcheck source=scripts/generated/internal_checksums.sh
     source "$INTERNAL_CHECKSUMS_FILE"
     post_fix_drift=0
     for rel_path in "${!ACFS_INTERNAL_CHECKSUMS[@]}"; do

scripts/generated/internal_checksums.sh

@@ -18,7 +18,7 @@ declare -gA ACFS_INTERNAL_CHECKSUMS=(
   [scripts/lib/session.sh]="f008658acc15c08929013d46af33f62ca4306cafaf5cf3344bd0626e3e41f137"
   [scripts/lib/os_detect.sh]="ebc49bc9742e0e65b27d350eba0b67a9ae270298254ef4e71a97967b476b83d9"
   [scripts/lib/errors.sh]="79a9e37babd77f2bcdf110c7f805c6352983e81fe8c29a6ad61cc8df69d7f0e7"
-  [scripts/lib/user.sh]="767910abfa2d59c6ef1147a91e9571395f481b2dd0135d983e576b64f25da0bc"
+  [scripts/lib/user.sh]="7bcc8691c0174f0ec871234a4d8de3032143768a9caa587b04395e98c22654f1"
   [scripts/lib/tools.sh]="325f8ad08a07fec4c489092a925ac9d6009ab88d3d71cff4ccf5d41acaaf94e9"
   [scripts/lib/export-config.sh]="731732f60e13169554488f154e81225d1a73f3521ce28cae0ebc00e78f69f85f"
   [scripts/acfs-global]="ac2d5dc4f19e4ebfa9b354c7c22f96ec9b82e1975abe89249d07b0610197931b"

tests/vm/bootstrap_offline_checks.sh

@@ -49,6 +49,8 @@ create_archive() {
   cp -R "$REPO_ROOT/scripts/lib" "$stage_dir/acfs-offline/scripts/"
   cp -R "$REPO_ROOT/scripts/generated" "$stage_dir/acfs-offline/scripts/"
   cp "$REPO_ROOT/scripts/preflight.sh" "$stage_dir/acfs-offline/scripts/preflight.sh"
+  cp "$REPO_ROOT/scripts/acfs-global" "$stage_dir/acfs-offline/scripts/acfs-global"
+  cp "$REPO_ROOT/scripts/acfs-update" "$stage_dir/acfs-offline/scripts/acfs-update"
 
   cp -R "$REPO_ROOT/acfs" "$stage_dir/acfs-offline/acfs"
   cp "$REPO_ROOT/checksums.yaml" "$stage_dir/acfs-offline/checksums.yaml"

tests/vm/test_macos_bootstrap.sh

@@ -240,7 +240,7 @@ run_case_one() {
     fi
 
     local event_log
-    event_log="$(ls -1 "$home_dir/.acfs/logs/install/"*.jsonl 2>/dev/null | head -n1 || true)"
+    event_log="$(find "$home_dir/.acfs/logs/install" -maxdepth 1 -type f -name '*.jsonl' 2>/dev/null | sort | head -n1 || true)"
     if [[ -n "$event_log" ]] && grep -q '"event":"install_start"' "$event_log" && grep -q '"event":"install_end"' "$event_log"; then
         pass "writes host observability install_start/install_end events"
     else
@@ -312,7 +312,7 @@ EOF
     bash -s -- --macos --yes < "$REPO_ROOT/install.sh"
 
     local event_log
-    event_log="$(ls -1 "$home_dir/.acfs/logs/install/"*.jsonl 2>/dev/null | head -n1 || true)"
+    event_log="$(find "$home_dir/.acfs/logs/install" -maxdepth 1 -type f -name '*.jsonl' 2>/dev/null | sort | head -n1 || true)"
     if [[ -n "$event_log" ]] && grep -q '"event":"resume"' "$event_log"; then
         pass "emits resume event when prior host bootstrap state is incomplete"
     else