Fix release bundle check to detect CLI-only installs

[phinze]

Found this on miren-toys-runner-2 during MIR-965 validation. When the startup script runs the bash installer first (to get the CLI on the box) and then miren runner install, the install sees /var/lib/miren/release/miren and thinks the full release bundle is already there. It's not, containerd and friends are missing, so the runner crash-loops.

The fix swaps the sentinel from the miren binary (which the CLI-only installer also drops) to the containerd binary (which only comes from the full release tarball). While I was in there, runner_install.go and server_install.go had near-identical copies of this check-download-selinux block, so I pulled it into a shared ensureReleaseBundlePresent() helper and promoted the hardcoded path strings to package-level consts.

Closes MIR-1008

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes refactor release-bundle provisioning into a new helper ensureReleaseBundlePresent and introduce package constants releaseDir and releaseBinPath. RunnerInstall and ServerInstall now call ensureReleaseBundlePresent instead of performing inline checks/downloads and SELinux fixes. Systemd unit generation and local client operations were updated to reference releaseBinPath for executable paths rather than previously used hardcoded/local paths.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cli/commands/server_install.go`:
- Around line 226-231: The call to PerformDownloadRelease passes
DownloadReleaseOptions with Force: false which prevents replacing an existing
partial CLI-only release directory, causing full bundle downloads to fail;
change the options at the PerformDownloadRelease call site to set Force: true
(i.e., update the DownloadReleaseOptions used by PerformDownloadRelease in
server_install.go) so the existing releaseDir can be overwritten after detecting
the missing containerd sentinel, allowing the full bundle to be downloaded and
installed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 64662d4f-5649-400f-b60a-ed412110c084

📥 Commits

Reviewing files that changed from the base of the PR and between 9456ad5 and b034b9a.

📒 Files selected for processing (2)

• cli/commands/runner_install.go
• cli/commands/server_install.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cli/commands/server_install.go`:
- Around line 220-237: The SELinux fix is only applied when the release is
downloaded; ensure fixSELinuxContext(releaseBinPath) runs for existing bundles
too by moving or adding the call outside the download-only branch so it executes
regardless of whether PerformDownloadRelease was invoked; update the block that
checks sentinelPath (referencing sentinelPath, PerformDownloadRelease, and
releaseDir) to always call fixSELinuxContext(releaseBinPath) after the existence
check (and after any download path completes) so systemd can exec the binary on
enforcing SELinux hosts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c699e652-856d-4b6b-b93a-dff4bff6746c

📥 Commits

Reviewing files that changed from the base of the PR and between b034b9a and 8e8dd56.

📒 Files selected for processing (1)

• cli/commands/server_install.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Always re-apply the SELinux context for an existing release bundle.

Line 236 only runs fixSELinuxContext after a fresh download. If the full bundle is already present before miren server install runs, the containerd sentinel passes and this path now skips the context fix entirely, so systemd can still fail to exec /var/lib/miren/release/miren on enforcing SELinux hosts.

🔧 Proposed fix

 func ensureReleaseBundlePresent(ctx *Context, branch string) error {
 	sentinelPath := filepath.Join(releaseDir, "containerd")

 	if _, err := os.Stat(sentinelPath); err != nil {
 		if !os.IsNotExist(err) {
 			return fmt.Errorf("failed to inspect %s: %w", sentinelPath, err)
 		}
 		ctx.Info("Release bundle not found at %s, downloading...", releaseDir)

 		if err := PerformDownloadRelease(ctx, DownloadReleaseOptions{
 			Branch: branch,
 			Global: true,
 			Force:  true,
 			Output: releaseDir,
 		}); err != nil {
 			return fmt.Errorf("failed to download release: %w", err)
 		}

 		ctx.Completed("Release downloaded successfully")
-		fixSELinuxContext(ctx, releaseBinPath)
 	}
+	fixSELinuxContext(ctx, releaseBinPath)
 	return nil
 }

Based on learnings: full release artifacts are handled through cli/commands/download_release.go, separate from binary-only installs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cli/commands/server_install.go` around lines 220 - 237, The SELinux fix is
only applied when the release is downloaded; ensure
fixSELinuxContext(releaseBinPath) runs for existing bundles too by moving or
adding the call outside the download-only branch so it executes regardless of
whether PerformDownloadRelease was invoked; update the block that checks
sentinelPath (referencing sentinelPath, PerformDownloadRelease, and releaseDir)
to always call fixSELinuxContext(releaseBinPath) after the existence check (and
after any download path completes) so systemd can exec the binary on enforcing
SELinux hosts.