ci: validate-then-tag gate chain with fleet on published artifact

.github/workflows/e2e.yaml

@@ -1,20 +1,35 @@
 # Integration test workflow (act + gitea testcontainers).
 # Triggers:
-#   push:tags        every release tag (existing)
-#   workflow_dispatch  manual run against any ref (existing)
-#   merge_group      runs as a merge-queue gate before merging to main
+#   push: branches main  standalone run on trunk - populates the status badge.
+#   pull_request         gate every PR before merge.
+#   merge_group          runs as a merge-queue gate before merging to main.
+#   workflow_dispatch    manual run against any ref (existing).
 #
-# This workflow uses act + gitea testcontainers and is too slow + flaky to run
-# per PR. Run locally (`go test -v ./e2e/...`) before pushing instead.
+# This is a ~27min testcontainers run. The paths filter keeps it off docs-only
+# changes (mirrors orchestrate.yaml), and the concurrency group cancels a
+# superseded run on the same ref so a fast follow-up push does not stack two
+# 27min runs. Run locally (`go test -v ./e2e/...`) before pushing too.
 #
 # NOTE: the `name:` below is referenced by fleet-e2e.yaml's workflow_run trigger
 # ("Integration (act + gitea)"). Keep the two in sync if this is ever renamed.
 name: Integration (act + gitea)
 
 on:
   push:
-    tags:
-      - 'v*'
+    branches: [main]
+    paths:
+      - 'cmd/**'
+      - 'e2e/**'
+      - 'go.mod'
+      - 'go.sum'
+      - 'internal/**'
+  pull_request:
+    paths:
+      - 'cmd/**'
+      - 'e2e/**'
+      - 'go.mod'
+      - 'go.sum'
+      - 'internal/**'
   merge_group:
   workflow_dispatch:
     inputs:
@@ -31,6 +46,13 @@ on:
         required: false
         default: '1'
 
+# A superseded run on the same ref is cancelled rather than left to burn a full
+# ~27min testcontainers slot. Keyed on github.ref so each branch/PR/tag is its
+# own lane; merge_group runs key on their own ref and never collide with main.
+concurrency:
+  group: integration-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/fleet-e2e.yaml

@@ -7,19 +7,25 @@
 # token, own main, own manifest). It is the release-candidate fleet gate.
 #
 # Triggers:
-#   workflow_run  of "Integration (act + gitea)" on completion - makes the E2E
-#                 dependency NATIVE: Fleet only fans out once Integration is
-#                 green for an rc tag. No runner held open polling for it.
+#   workflow_run  of "Release" on completion - the fleet validates the PUBLISHED
+#                 artifact. Release runs GoReleaser on every rc tag push, so a
+#                 successful Release run means the binary the suites install is
+#                 actually on the releases page. Fleet only fans out once that
+#                 publish succeeded for an rc tag. No runner held open polling.
 #   workflow_dispatch  manual override (bypasses the rc-tag gate intentionally),
 #                 with an optional cascade_version input.
 #
+# We key off "Release" rather than the `release:` event because promote-driven
+# API releases do not reliably emit `release: published` (see release.yaml #86);
+# the rc-tag push that drives GoReleaser is the dependable signal.
+#
 # IMPORTANT: the workflow_run trigger references the source workflow by its
-# `name:` ("Integration (act + gitea)"). Keep that name in sync with e2e.yaml.
+# `name:` ("Release"). Keep that name in sync with release.yaml.
 name: Fleet E2E (live GitHub)
 
 on:
   workflow_run:
-    workflows: ["Integration (act + gitea)"]
+    workflows: ["Release"]
     types: [completed]
   workflow_dispatch:
     inputs:
@@ -52,8 +58,8 @@ jobs:
     name: Resolve version under test
     runs-on: ubuntu-latest
     # Top-level guard: only fan out for a manual dispatch, or a green
-    # Integration run that was a push of an rc tag. This filters out
-    # merge_group / non-rc completions.
+    # Release run that was a push of an rc tag. This filters out
+    # non-rc tag publishes and any non-success completions.
     #
     # workflow_run.head_branch carries the short ref name of whatever triggered
     # the source run. For a tag push that is the tag's short name (e.g.

.github/workflows/validate.yaml

@@ -1,12 +1,15 @@
 # Tests & Lint - runs go test -race + coverage and golangci-lint.
 #
 # Triggers:
-#   workflow_call    invoked by orchestrate.yaml on PRs (keep - do not remove).
-#   push: tags       standalone run on every release/rc tag.
-#   workflow_dispatch  manual standalone run against any ref.
+#   push: branches main  standalone run on every push to trunk - this is what
+#                        populates the ?branch=main status badge.
+#   pull_request         gate every PR before merge.
+#   workflow_call        invoked by orchestrate.yaml (keep - do not remove).
+#   workflow_dispatch    manual standalone run against any ref.
 #
-# The standalone triggers give this workflow runs of its own so its status
-# badge renders; a workflow_call-only workflow has no standalone runs to badge.
+# The push/pull_request triggers give this workflow runs of its own so its
+# status badge renders; a workflow_call-only workflow has no standalone runs
+# to badge.
 name: Tests & Lint
 
 on:
@@ -22,8 +25,8 @@ on:
         description: 'Validation result (success/failure)'
         value: ${{ jobs.validate.outputs.result }}
   push:
-    tags:
-      - 'v*'
+    branches: [main]
+  pull_request:
   workflow_dispatch:
 
 permissions: