Part of the 1.0 release-readiness push (see release/READINESS.md, section 1).
Context
docs/site/scripts/check-tutorial.sh executes only the monorepo lab tutorial (first-run-with-registry-lab) end to end. The two registryctl tutorials, which are the actual adopter first-run path (publish-spreadsheet-secured-registry-api, verify-claim-registry-api), are covered by a shell-command line-count assertion only (REGISTRYCTL_TUTORIALS, around lines 149-187). A renamed flag, changed error string, or bumped default would pass CI as long as the command count matches. The script's own comment says these are "execution-verified manually".
Scope
- A CI job (or an extension of check-tutorial.sh) that runs both registryctl tutorials' documented commands against real containers on an amd64 runner, asserting on the documented outputs (PASS lines, HTTP status codes, error codes such as
auth.scope_denied).
- Keep the fast line-count assertion as a cheap pre-gate.
- Steps that depend on the hosted lab stay out of scope; these two tutorials are fully local.
Acceptance
Security note
If this work surfaces a suspected vulnerability, report it per SECURITY.md; do not post details on this issue.
Part of the 1.0 release-readiness push (see
release/READINESS.md, section 1).Context
docs/site/scripts/check-tutorial.shexecutes only the monorepo lab tutorial (first-run-with-registry-lab) end to end. The two registryctl tutorials, which are the actual adopter first-run path (publish-spreadsheet-secured-registry-api,verify-claim-registry-api), are covered by a shell-command line-count assertion only (REGISTRYCTL_TUTORIALS, around lines 149-187). A renamed flag, changed error string, or bumped default would pass CI as long as the command count matches. The script's own comment says these are "execution-verified manually".Scope
auth.scope_denied).Acceptance
Security note
If this work surfaces a suspected vulnerability, report it per
SECURITY.md; do not post details on this issue.