fix: refine artifact download patterns and allow failure for specific build versions in CI

Author: scc-tw

.github/workflows/build.yml

@@ -127,10 +127,19 @@ jobs: {
                 },
             },
             {
+                # Without a pattern, download-artifact@v4 pulls everything in
+                # the run — including the `*.dockerbuild` metadata artifacts
+                # that docker/build-push-action@v6 auto-uploads per build
+                # (20 of them at matrix fan-out). Those aren't release
+                # payloads, and one flaky download in that set will fail the
+                # entire step after 5 retries, blocking the release. Filter
+                # to our own tarballs; ncipollo/release-action below only
+                # globs `artifacts/*/*.tar.gz` anyway.
                 "name": "Download release tar files",
                 "uses": "actions/download-artifact@v4",
                 "with": {
                     "path": "artifacts/",
+                    "pattern": "release-*.tar.gz",
                 },
             },
             {   "name": "Set env TAG_NAME",

.gitlab-ci.yml

@@ -130,6 +130,13 @@ upload:
     paths: ["*-result.txt"]
   tags: [shell]
   rules:
+    # Mirror the build job's allow_failure for 3.15 cells. The build stage
+    # tolerates 3.15 failures (pip 26 / locate_file); without the matching
+    # rule here, a failed build cell propagates a missing tarball into this
+    # matrix cell, the curl --upload-file fails, and the whole pipeline
+    # goes red even though build was intentionally allowed to fail.
+    - if: '$CI_COMMIT_TAG == null && $version =~ /^3\.15/'
+      allow_failure: true
     - if: $CI_COMMIT_TAG == null
 
 generate_release_note: