
fix: resolve latest before caching assay cli#30

Merged: Rul1an merged 4 commits into main from codex/published-tag-canary on Jun 15, 2026

Conversation

Rul1an (Owner) commented Jun 15, 2026

Summary

  • resolve the requested Assay CLI version before the cache restore step
  • key the binary cache by the resolved release tag instead of the literal latest
  • add retrying release-asset downloads with a stable user-agent

Why

The scheduled Published Tag Canary restored a stale assay-latest-x86_64-unknown-linux-gnu cache containing assay 3.9.2, then the v3 sandbox canary exercised the modern sandbox contract and failed. Resolving latest before cache lookup makes the cache immutable per actual release tag. The macOS jobs also failed while downloading the release archive, so the installer now retries release-asset and checksum downloads.

Verification

  • git diff --check
  • actionlint .github/workflows/published-tag-canary.yml
  • Ruby YAML parse for action.yml and .github/workflows/published-tag-canary.yml

Follow-up

Merging this updates main. The public floating v2/v3 tags still need an explicit, separate go before they are moved to include this fix.

Summary by CodeRabbit

  • New Features
    • Added a scheduled “Published Tag Canary” workflow for weekly Linux/macOS checks, with optional manual version override.
  • Bug Fixes
    • Improved Assay CLI installation reliability by resolving the requested version earlier, using consistent resolved versioning for caching, and adding stronger download/checksum failure handling with retries.
  • Documentation
    • Updated CI contract guidance to explain advisory canary behavior, expected coverage differences between the modern and legacy lanes, and graceful degradation when no evidence bundles are produced.

coderabbitai (bot) commented Jun 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7ecb77c7-490a-4df2-98fc-de5671eee6e9

📥 Commits

Reviewing files that changed from the base of the PR and between bdea9e0 and 58e2aaf.

📒 Files selected for processing (1)
  • action.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • action.yml

📝 Walkthrough

action.yml gains a new Resolve Assay CLI version step that calls the GitHub API to convert latest into a concrete tag, then keys the binary cache and install step off that resolved value; the curl download block is reworked with a shared retry-enabled CURL_ARGS array and explicit failure cleanup. A new scheduled canary workflow (published-tag-canary.yml) tests the published @v3 and @v2 action tags weekly across Linux and macOS. CI-CONTRACT.md documents the canary contract.

Changes

CLI install hardening and published-tag canary

Layer: CLI version resolution and download hardening
File(s): action.yml
Summary: Adds a dedicated Resolve Assay CLI version step that maps inputs.version=latest to a concrete GitHub release tag via the API (with retries) and emits a resolve-version output. Binary cache restore key and install step are updated to consume this resolved value. The curl download block is rewritten with a shared CURL_ARGS array (retry flags, custom User-Agent) and adds explicit failure checks and cleanup for both archive and checksum downloads.

Layer: Published-tag canary workflow and CI contract
File(s): .github/workflows/published-tag-canary.yml, CI-CONTRACT.md
Summary: Adds a new workflow triggered weekly (and via manual dispatch with an optional assay_cli_version input) running two independent jobs. The v3 job checks out, optionally hardens the runner, resolves the CLI version, runs assay-action@v3 with upload/comments disabled, asserts sarif-upload=false, and on Linux runs a sandbox bundle mode followed by assay evidence verify and assay evidence lint --format sarif with JSON validation. The v2 job mirrors checkout/harden/resolve, runs assay-action@v2 in review mode with baseline writing disabled, and asserts assay --version. CI-CONTRACT.md is extended to specify the single permitted floating @v3 reference, advisory-only status, and per-lane expected coverage.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A canary hops weekly to test v3 and v2,
Curl retries and cleanup keep downloads true,
The version resolved before caches are keyed,
Advisory lanes run — no rulesets to heed,
SARIF is validated, bundles confirmed sane,
The rabbit checks tags in sun and in rain! 🌤️

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix: resolve latest before caching assay cli' directly reflects the primary change: resolving the CLI version before the cache restore step to prevent stale cache issues.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

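The installer pattern described in the PR description and in the walkthrough above (resolve "latest" to a concrete release tag before the cache key is computed, download archive and checksum with shared curl retry flags and a fixed User-Agent, verify the checksum and delete the file on failure), as an added shell illustration. This is not the project's action.yml; the repository slug, the asset file names and the ASSAY_RELEASE_JSON offline hook are assumptions made for the example, and the action's bash CURL_ARGS array is written here as a plain string so the script also runs under POSIX sh.

```shell
#!/bin/sh
# Added example of the "resolve before caching" installer pattern.
# Not the project's code; REPO, asset names and ASSAY_RELEASE_JSON are assumed.
set -eu

REPO="${ASSAY_REPO:-example-org/assay}"     # assumed repository slug
UA="assay-action-installer/1.0"             # stable user-agent for all downloads

# Shared curl flags: follow redirects, fail on HTTP errors, retry transient
# failures (including HTTP 5xx via --retry-all-errors), fixed User-Agent.
CURL_ARGS="--fail --silent --show-error --location --retry 5 --retry-delay 2 --retry-all-errors --user-agent $UA"

# Return the GitHub "latest release" JSON for $REPO. When ASSAY_RELEASE_JSON is
# set, the caller supplies the response (offline hook used by the test below);
# otherwise the real API is called with the shared retry flags.
fetch_latest_release_json() {
  if [ -n "${ASSAY_RELEASE_JSON:-}" ]; then
    printf '%s' "$ASSAY_RELEASE_JSON"
  else
    curl $CURL_ARGS -H "Accept: application/vnd.github+json" \
      "https://api.github.com/repos/${REPO}/releases/latest"
  fi
}

# Extract tag_name from a release JSON document without depending on jq.
extract_tag_name() {
  sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# resolve_version <requested>: map "latest" to a concrete tag and pass any
# other value through unchanged. Returns non-zero if no tag can be resolved,
# so a failed resolution never silently falls back to a floating cache key.
resolve_version() {
  requested="$1"
  if [ "$requested" != "latest" ]; then
    printf '%s\n' "$requested"
    return 0
  fi
  tag="$(fetch_latest_release_json | extract_tag_name)"
  if [ -z "$tag" ]; then
    echo "could not resolve latest release tag for ${REPO}" >&2
    return 1
  fi
  printf '%s\n' "$tag"
}

# cache_key <resolved-tag> <target-triple>: immutable per release because the
# literal word "latest" never appears in the key.
cache_key() {
  printf 'assay-%s-%s\n' "$1" "$2"
}

# verify_download <archive> <checksum-file>: check the recorded SHA-256; on a
# mismatch delete the archive so a bad or partial file can never be cached.
verify_download() {
  archive="$1"; sums="$2"
  if command -v sha256sum >/dev/null 2>&1; then tool="sha256sum"; else tool="shasum -a 256"; fi
  if ( cd "$(dirname "$archive")" && $tool --check --status "$(basename "$sums")" ); then
    return 0
  fi
  echo "checksum verification failed for ${archive}; removing it" >&2
  rm -f "$archive"
  return 1
}

# download_release <tag> <target-triple> <dest-dir>: fetch archive + checksum
# with the shared retry flags; any failure removes whatever was written.
download_release() {
  tag="$1"; target="$2"; dest="$3"
  asset="assay-${target}.tar.gz"                     # assumed asset name
  base="https://github.com/${REPO}/releases/download/${tag}"
  if ! curl $CURL_ARGS -o "${dest}/${asset}" "${base}/${asset}" \
     || ! curl $CURL_ARGS -o "${dest}/${asset}.sha256" "${base}/${asset}.sha256"; then
    rm -f "${dest}/${asset}" "${dest}/${asset}.sha256"
    return 1
  fi
  verify_download "${dest}/${asset}" "${dest}/${asset}.sha256"
}

# Usage: sh installer.sh --demo [version]  (resolves the tag and prints the key)
if [ "${1:-}" = "--demo" ]; then
  tag="$(resolve_version "${2:-latest}")"
  echo "resolved: ${tag}  cache key: $(cache_key "$tag" x86_64-unknown-linux-gnu)"
fi
```

In an action step the output of resolve_version is what feeds both the cache restore key and the download URL, so a cache entry written for one release can never be restored for a different one, which is the stale-cache failure the PR describes. The verify_download cleanup matters for the same reason: a cache save step that runs after a failed checksum would otherwise persist the corrupt archive.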

Signed-off-by: Rul1an <roelschuurkes@gmail.com>
@Rul1an Rul1an merged commit 2e49812 into main Jun 15, 2026
11 checks passed
@Rul1an Rul1an deleted the codex/published-tag-canary branch June 15, 2026 11:47