ci: make non-essential fork workflows manual-only

Author: deepakdgupta1

.github/workflows/checksum-system-tests.yml

@@ -2,14 +2,14 @@ name: Checksum System E2E Tests
 
 on:
   push:
-    branches: [main]
+    branches: [local-desktop-installation-support]
     paths:
       - '.github/workflows/checksum-*.yml'
       - 'scripts/lib/security.sh'
       - 'checksums.yaml'
       - 'scripts/lib/test_security.sh'
   pull_request:
-    branches: [main]
+    branches: [local-desktop-installation-support]
     paths:
       - '.github/workflows/checksum-*.yml'
       - 'scripts/lib/security.sh'

.github/workflows/playwright.yml

@@ -1,20 +1,7 @@
 name: Playwright Tests
 
 on:
-  push:
-    branches: [main]
-    paths:
-      - 'apps/web/**'
-      - 'packages/manifest/**'
-      - 'acfs.manifest.yaml'
-      - '.github/workflows/playwright.yml'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'apps/web/**'
-      - 'packages/manifest/**'
-      - 'acfs.manifest.yaml'
-      - '.github/workflows/playwright.yml'
+  workflow_dispatch:
 
 jobs:
   verify-generated:

.github/workflows/production-smoke.yml

@@ -1,24 +1,13 @@
 name: Production Smoke Tests
 
 on:
-  # Run after website changes are pushed (Vercel auto-deploys on main)
-  push:
-    branches: [main]
-    paths:
-      - 'apps/web/**'
-
-  # Run daily to catch issues early
-  schedule:
-    - cron: '0 6 * * *'  # 6 AM UTC daily
-
-  # Allow manual triggering
   workflow_dispatch:
 
 jobs:
   wait-for-deploy:
-    name: Wait for Vercel Deploy
+    name: Wait for Vercel Deploy (Compatibility)
     runs-on: ubuntu-latest
-    # Only wait on push events (schedule/dispatch test current production)
+    # Retained for compatibility if push triggers are restored later.
     if: github.event_name == 'push'
     steps:
       - name: Wait for Vercel deployment
@@ -29,7 +18,7 @@ jobs:
     name: Production Smoke Tests
     runs-on: ubuntu-latest
     needs: [wait-for-deploy]
-    # Run even if wait job was skipped (schedule/dispatch)
+    # Run even when the compatibility wait job is skipped.
     if: ${{ !cancelled() && (needs.wait-for-deploy.result == 'success' || needs.wait-for-deploy.result == 'skipped') }}
     timeout-minutes: 15
 

.github/workflows/toon-integration-tests.yml

@@ -1,19 +1,7 @@
 name: TOON Integration Tests
 
 on:
-  push:
-    branches: [main]
-    paths:
-      - 'scripts/test_*.sh'
-      - 'scripts/verify_*.sh'
-      - '.github/workflows/toon-integration-tests.yml'
-  pull_request:
-    paths:
-      - 'scripts/test_*.sh'
-      - 'scripts/verify_*.sh'
   workflow_dispatch:
-  schedule:
-    - cron: "0 6 * * 1" # Weekly on Monday 6 AM UTC
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/website.yml

@@ -1,20 +1,7 @@
 name: Website CI
 
 on:
-  push:
-    branches: [main]
-    paths:
-      - 'apps/web/**'
-      - 'packages/manifest/**'
-      - 'acfs.manifest.yaml'
-      - '.github/workflows/website.yml'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'apps/web/**'
-      - 'packages/manifest/**'
-      - 'acfs.manifest.yaml'
-      - '.github/workflows/website.yml'
+  workflow_dispatch:
 
 jobs:
   verify-generated:

docs/MAINTAINER_GUIDE.md

@@ -198,11 +198,172 @@ bash tests/vm/bootstrap_offline_checks.sh
 
 ### CI Checks
 
-PR checks include:
-- ShellCheck lint
-- Manifest drift detection
-- Selection/contract tests
-- Full Docker integration matrix
+As of **2026-02-18**, ACFS has **13 GitHub Actions workflows** under `.github/workflows/`.
+
+#### Branch and Release Model
+
+| Surface | Branch/Ref | Workflows |
+|------|------|------|
+| Upstream mirror branch | `main` | `upstream-sync.yml` updates this branch to track upstream |
+| Local integration branch | `local-desktop-installation-support` | `installer.yml` runs installer CI on pushes/PRs |
+| Manual-only quality workflows | `workflow_dispatch` | `website.yml`, `playwright.yml`, `production-smoke.yml`, `toon-integration-tests.yml` |
+| Security/checksum automation | `local-desktop-installation-support` + schedules/dispatch | `checksum-monitor.yml`, `manifest-drift.yml`, `installer-notification-receiver.yml` |
+| Release refs | `v*` tags | `release-checksums.yml` |
+
+#### Workflow Inventory
+
+| Workflow | File | Trigger summary | Main purpose |
+|------|------|------|------|
+| Installer CI | `.github/workflows/installer.yml` | Push/PR to `local-desktop-installation-support` on installer/script/manifest/workflow/test changes | Full installer validation (lint, drift, checksum verify, matrix install, E2E) |
+| Installer Canary (Docker) | `.github/workflows/installer-canary.yml` | Daily schedule + manual dispatch | Fast scheduled canary install run in Docker |
+| Installer Canary (Strict) | `.github/workflows/installer-canary-strict.yml` | Nightly schedule + manual dispatch | Strict canary with checksum mismatch detection and issue creation |
+| Installer Notification Receiver | `.github/workflows/installer-notification-receiver.yml` | `repository_dispatch` (`installer-updated`, `installer-removed`, `installer-added`) + manual dispatch | Receives installer update events, validates, scans, updates `checksums.yaml`, opens PRs targeting integration branch |
+| Auto-Update Upstream Checksums | `.github/workflows/checksum-monitor.yml` | Every 2 hours + manual + push on `local-desktop-installation-support` to `scripts/lib/security.sh` + `repository_dispatch` (`upstream-changed`) | Auto-detect checksum drift, auto-commit `checksums.yaml` to integration branch, raise review issues for external tools |
+| Checksum System E2E Tests | `.github/workflows/checksum-system-tests.yml` | Push/PR on `local-desktop-installation-support` for checksum workflow/security changes | Tests checksum workflows and `security.sh` behavior end-to-end |
+| Release Gate - Checksums | `.github/workflows/release-checksums.yml` | Tag push `v*` + manual dispatch | Blocks releases when checksum verification fails |
+| Internal Checksums Drift Check | `.github/workflows/manifest-drift.yml` | Push/PR on `local-desktop-installation-support` | Ensures internal script checksums and manifest drift state are clean |
+| Sync Flywheel Upstream | `.github/workflows/upstream-sync.yml` | Daily schedule + manual dispatch | Mirrors fork `main` to upstream and merges into integration branch |
+| Website CI | `.github/workflows/website.yml` | Manual dispatch only | Website lint/typecheck/build and Playwright matrix |
+| Playwright Tests | `.github/workflows/playwright.yml` | Manual dispatch only | Chromium-focused Playwright workflow |
+| Production Smoke Tests | `.github/workflows/production-smoke.yml` | Manual dispatch only | Runs smoke tests against deployed production URL |
+| TOON Integration Tests | `.github/workflows/toon-integration-tests.yml` | Manual dispatch only | Validates `tru` behavior, script lint, optional full integration |
+
+#### Detailed Context by Workflow
+
+##### 1) Installer CI (`installer.yml`)
+- **Trigger scope:** Push/PR only on `local-desktop-installation-support`, with path filters for installer/manifests/scripts/workflows/tests.
+- **Jobs:**
+  - `yaml-lint`: validates workflow YAML syntax for all workflow files.
+  - `shellcheck`: lint all tracked `.sh` files + custom lint scripts + unit-style shell tests + macOS bootstrap mock test.
+  - `manifest-drift`: runs manifest diff generation checks and validates generated script syntax + shellcheck.
+  - `checksum-verification`: verifies upstream checksums with `scripts/lib/security.sh --verify --json`.
+  - `pinned-ref-smoke`: containerized Ubuntu 24.04 install using `ACFS_CHECKSUMS_REF=local-desktop-installation-support`.
+  - `selection-tests`: runs selection/contract/security/install-helper/RU tests.
+  - `test-installer`: matrix (`24.04 vibe`, `25.10 vibe`, `24.04 safe`) full installer + `acfs doctor` + tool presence checks.
+  - `e2e-curlbash-bootstrap`: runs `tests/e2e/test_curlbash_bootstrap.sh`.
+  - `e2e-resume-after-failure`: runs `tests/e2e/test_resume_after_failure.sh`.
+- **Notable behavior:** CI intentionally skips preflight and Ubuntu upgrades inside GitHub Actions containers.
+
+##### 2) Installer Canary (Docker) (`installer-canary.yml`)
+- **Trigger scope:** daily `07:30 UTC` and manual.
+- **Inputs:** `ubuntu` (`24.04`, `25.04`, `all`), `mode` (`vibe`, `safe`).
+- **Execution:** runs `tests/vm/test_install_ubuntu.sh`; sets `ACFS_CHECKSUMS_REF=local-desktop-installation-support`.
+
+##### 3) Installer Canary (Strict) (`installer-canary-strict.yml`)
+- **Trigger scope:** nightly `04:15 UTC` and manual.
+- **Execution mode:** always strict (`--strict`), captures `canary.log`, keeps going to parse failures.
+- **Failure handling:**
+  - Detects checksum-specific failures via log grep.
+  - Uploads log artifact.
+  - Opens or comments on issue `Installer checksum mismatch detected (strict canary)` with actionable steps.
+  - Fails job at end if canary exit code non-zero.
+
+##### 4) Installer Notification Receiver (`installer-notification-receiver.yml`)
+- **Dispatch contract:**
+  - Event types: `installer-updated`, `installer-removed`, `installer-added`.
+  - Expected payload fields for dispatch path: `tool`, `new_sha256`, `old_sha256`, `repo`, `commit`, and `url` (for added installers).
+  - Manual dispatch supports `tool_name` and `dry_run` input (note: `dry_run` is defined but not enforced in later jobs).
+- **Validation stage (`validate-dispatch`):**
+  - Validates tool name format.
+  - Validates tool presence in `checksums.yaml` for non-add events.
+  - Restricts installer URLs to trusted domains.
+  - Writes audit JSONL line to `.github/audit/installer-updates.jsonl`.
+- **Checksum stage (`verify-checksum`):**
+  - Downloads installer with timeout and size cap.
+  - Computes SHA256 and compares with current `checksums.yaml`.
+- **Security stage (`security-scan`):**
+  - Advisory grep-based scan for risky patterns (curl|bash, wget|shell, eval, chmod 777, rm -rf vars, etc.).
+  - Produces warnings but always sets `passed=true`.
+- **Update and PR stages:**
+  - `update-checksums` creates branch `auto/update-<tool>-checksum-<shortsha>`, updates YAML, commits, pushes.
+  - `create-pr` opens PR to `local-desktop-installation-support` with review checklist and labels.
+  - `handle-removal` creates branch/PR removing installer checksum entries for removal events.
+
+##### 5) Auto-Update Upstream Checksums (`checksum-monitor.yml`)
+- **Trigger scope:** every 2 hours, manual dispatch, push on `local-desktop-installation-support` for `scripts/lib/security.sh`, and `repository_dispatch` type `upstream-changed`.
+- **Concurrency:** serialized group `checksum-monitor` (queues, does not cancel in-flight).
+- **Core flow:**
+  - Runs `security.sh --verify --json`.
+  - Splits changes into trusted (`Dicklesworthstone`) vs external.
+  - Regenerates `checksums.yaml` when mismatches exist.
+  - Commits and pushes update to `local-desktop-installation-support`, with rebase attempt to handle concurrent changes.
+- **Issue automation:** if external installers changed and commit succeeded, opens or appends to a security review issue.
+- **Summary:** writes metrics and status to `GITHUB_STEP_SUMMARY`.
+
+##### 6) Checksum System E2E Tests (`checksum-system-tests.yml`)
+- **Trigger scope:** Push/PR on `local-desktop-installation-support` for checksum-related files and checksum workflows.
+- **Jobs:**
+  - `yaml-lint`: validates workflow YAML syntax.
+  - `security-unit-tests`: runs `scripts/lib/test_security.sh`.
+  - `checksum-verification-e2e`: validates `--verify --json` shape/count logic and `--update-checksums` output shape.
+  - `checksum-monitor-dry-run`: reproduces monitor logic and validates step outputs parse correctly.
+  - `checksum-freshness`: advisory (`continue-on-error`) check that committed checksums match upstream now.
+- **Artifacts:** uploads E2E and dry-run outputs for debugging.
+
+##### 7) Release Gate - Checksums (`release-checksums.yml`)
+- **Trigger scope:** tag pushes `v*` and manual dispatch.
+- **Behavior:** runs `security.sh --verify --json`, summarizes mismatch/error counts, and hard-fails release/tag workflow if exit code non-zero.
+
+##### 8) Internal Checksums Drift Check (`manifest-drift.yml`)
+- **Trigger scope:** Push/PR on branch `[local-desktop-installation-support]`.
+- **Behavior:** runs `scripts/check-manifest-drift.sh --json`, summarizes checked/drifted counts and manifest hash parity, fails if drift detected.
+
+##### 9) Sync Flywheel Upstream (`upstream-sync.yml`)
+- **Trigger scope:** daily `00:00 UTC` and manual dispatch.
+- **Permissions:** write access for contents, PRs, issues.
+- **Flow:**
+  - Fetches upstream.
+  - Hard-resets fork `main` to `upstream/main`.
+  - Force-pushes `main`.
+  - Merges `main` into integration branch `local-desktop-installation-support` via temp branch `upstream-sync`.
+  - If clean merge: pushes directly to integration branch.
+  - If conflict: commits conflict markers, pushes sync branch, creates/updates conflict PR, applies labels.
+  - Optional conflict analysis via `scripts/analyze-conflicts.ts` when `OPENAI_API_KEY` is set.
+
+##### 10) Website CI (`website.yml`)
+- **Trigger scope:** manual dispatch only.
+- **Job graph:** `verify-generated` -> `lint-and-typecheck` -> `build` -> `e2e-tests`.
+- **Behavior:**
+  - Verifies generated manifest outputs are in sync.
+  - Runs ESLint + TypeScript checks.
+  - Builds Next.js app.
+  - Runs Playwright matrix across desktop/mobile projects (`chromium`, `firefox`, `webkit`, `Mobile Chrome`, `Mobile Safari`).
+  - Uploads Playwright artifacts on all outcomes.
+
+##### 11) Playwright Tests (`playwright.yml`)
+- **Trigger scope:** manual dispatch only.
+- **Job graph:** `verify-generated` -> `test`.
+- **Behavior:** installs dependencies and Playwright Chromium only; runs Chromium project tests; uploads report artifacts.
+
+##### 12) Production Smoke Tests (`production-smoke.yml`)
+- **Trigger scope:** manual dispatch only.
+- **Job graph:** `wait-for-deploy` (push-only compatibility step; skipped in manual mode) -> `smoke-tests`.
+- **Behavior:** runs Playwright against live production URL `https://agent-flywheel.com`; uploads artifacts only on failure.
+
+##### 13) TOON Integration Tests (`toon-integration-tests.yml`)
+- **Trigger scope:** manual dispatch only.
+- **Concurrency:** one run per ref, cancel in-progress on new events.
+- **Jobs:**
+  - `toon-core`: installs Rust + `tru`, validates encode/decode, format env var, key folding, tabular arrays.
+  - `lint-scripts`: shellcheck on `scripts/test_*.sh`, `verify_*.sh`, `check_*.sh`.
+  - `full-integration`: manual-only note-driven job for heavier local-style integration coverage.
+
+#### Shared Operational Context
+
+| Concern | Current behavior |
+|------|------|
+| Token/secrets usage | `UPSTREAM_SYNC_TOKEN` and optional `OPENAI_API_KEY` in `upstream-sync.yml`; default `GITHUB_TOKEN` used broadly for checkout, push, PR, issue operations |
+| Repo-writing workflows | `upstream-sync.yml`, `checksum-monitor.yml`, `installer-notification-receiver.yml` |
+| Artifact-heavy workflows | `installer.yml`, `website.yml`, `playwright.yml`, `production-smoke.yml`, `checksum-system-tests.yml`, `installer-canary-strict.yml` |
+| Dispatch-based automation | `installer-notification-receiver.yml` and `checksum-monitor.yml` |
+| Schedule-based automation | `upstream-sync.yml`, `checksum-monitor.yml`, `installer-canary.yml`, `installer-canary-strict.yml` |
+
+#### Current Caveats to Track
+
+1. `installer-notification-receiver.yml` includes a `dry_run` input that is currently not used to gate commit/PR creation.
+2. `installer-notification-receiver.yml` runs `npm test` conditionally in one step, which diverges from repo-wide Bun-first conventions.
+3. `website.yml`, `playwright.yml`, `production-smoke.yml`, and `toon-integration-tests.yml` are manual-only in this fork strategy; run them on demand.
+4. `upstream-sync.yml` intentionally uses destructive Git operations (`reset --hard`, force push) as part of fork mirroring; treat this workflow as high-impact infrastructure.
 
 ## Common Tasks