ci: retarget installer and checksum automation to integration branch

Author: deepakdgupta1

.github/workflows/checksum-monitor.yml

@@ -5,6 +5,8 @@ on:
     - cron: "0 */2 * * *"   # Every 2 hours (more frequent for faster updates)
   workflow_dispatch:         # Manual trigger for testing
   push:
+    branches:
+      - local-desktop-installation-support
     paths:
       - 'scripts/lib/security.sh'  # Re-run if security.sh changes
   repository_dispatch:
@@ -17,6 +19,8 @@ concurrency:
 jobs:
   auto-update-checksums:
     runs-on: ubuntu-latest
+    env:
+      TARGET_BRANCH: local-desktop-installation-support
     permissions:
       contents: write
       issues: write  # For creating issues on failure
@@ -26,6 +30,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Log repository dispatch payload
         if: github.event_name == 'repository_dispatch'
@@ -136,13 +141,13 @@ jobs:
             -m "🤖 Generated by checksum-monitor workflow"
 
           # Pull any changes that happened while we were running (rebase our commit on top)
-          git pull --rebase origin main || {
+          git pull --rebase origin "${TARGET_BRANCH}" || {
             echo "Rebase failed - likely a conflict. Will retry on next scheduled run."
             echo "committed=false" >> $GITHUB_OUTPUT
             exit 0
           }
 
-          git push
+          git push origin "HEAD:${TARGET_BRANCH}"
           echo "committed=true" >> $GITHUB_OUTPUT
           echo "✅ Successfully pushed checksum updates"
 
@@ -223,7 +228,7 @@ jobs:
 
           if [[ "${{ steps.verify.outputs.changed }}" == "true" ]]; then
             if [[ "${{ steps.commit.outputs.committed }}" == "true" ]]; then
-              echo "✅ **Checksums automatically updated and committed to main**" >> $GITHUB_STEP_SUMMARY
+              echo "✅ **Checksums automatically updated and committed to ${TARGET_BRANCH}**" >> $GITHUB_STEP_SUMMARY
             else
               echo "⚠️ **Changes detected but commit skipped (race condition or conflict)**" >> $GITHUB_STEP_SUMMARY
             fi

.github/workflows/installer-canary-strict.yml

@@ -29,7 +29,7 @@ jobs:
         id: canary
         continue-on-error: true
         env:
-          ACFS_CHECKSUMS_REF: main
+          ACFS_CHECKSUMS_REF: local-desktop-installation-support
         run: |
           chmod +x ./tests/vm/test_install_ubuntu.sh
 

.github/workflows/installer-canary.yml

@@ -24,7 +24,7 @@ jobs:
 
       - name: Run installer canary
         env:
-          ACFS_CHECKSUMS_REF: main
+          ACFS_CHECKSUMS_REF: local-desktop-installation-support
         run: |
           chmod +x ./tests/vm/test_install_ubuntu.sh
 

.github/workflows/installer-notification-receiver.yml

@@ -28,6 +28,7 @@ concurrency:
 env:
   CHECKSUMS_FILE: checksums.yaml
   AUDIT_LOG_FILE: .github/audit/installer-updates.jsonl
+  TARGET_BRANCH: local-desktop-installation-support
 
 permissions:
   contents: write
@@ -50,6 +51,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Install yq
         run: |
@@ -164,6 +166,8 @@ jobs:
       current_sha256: ${{ steps.compare.outputs.current }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Install yq
         run: |
@@ -301,6 +305,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Install yq
         run: |
@@ -423,6 +428,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Create Pull Request
         env:
@@ -432,10 +439,11 @@ jobs:
           BRANCH_NAME="${{ needs.update-checksums.outputs.branch_name }}"
           SHORT_SHA="${{ needs.verify-checksum.outputs.computed_sha256 }}"
           SHORT_SHA=${SHORT_SHA:0:8}
+          TARGET_BRANCH="${{ env.TARGET_BRANCH }}"
 
           # Create PR
           gh pr create \
-            --base main \
+            --base "$TARGET_BRANCH" \
             --head "$BRANCH_NAME" \
             --title "chore(checksums): Update $TOOL_NAME to $SHORT_SHA" \
             --body "${{ needs.update-checksums.outputs.pr_body }}" \
@@ -459,6 +467,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ env.TARGET_BRANCH }}
 
       - name: Install yq
         run: |
@@ -490,6 +500,7 @@ jobs:
         run: |
           TOOL_NAME="${{ needs.validate-dispatch.outputs.tool_name }}"
           SOURCE_REPO="${{ needs.validate-dispatch.outputs.source_repo }}"
+          TARGET_BRANCH="${{ env.TARGET_BRANCH }}"
 
           cat > /tmp/removal-pr-body.md << 'PREOF'
           ## Tool Removal: $TOOL_NAME
@@ -512,7 +523,7 @@ jobs:
           sed -i "s|\$SOURCE_REPO|$SOURCE_REPO|g" /tmp/removal-pr-body.md
 
           gh pr create \
-            --base main \
+            --base "$TARGET_BRANCH" \
             --head "auto/remove-${TOOL_NAME}" \
             --title "chore(checksums): Remove $TOOL_NAME" \
             --body-file /tmp/removal-pr-body.md \

.github/workflows/manifest-drift.yml

@@ -2,9 +2,9 @@ name: Internal Checksums Drift Check
 
 on:
   push:
-    branches: [main, master]
+    branches: [local-desktop-installation-support]
   pull_request:
-    branches: [main, master]
+    branches: [local-desktop-installation-support]
 
 jobs:
   check-drift: