fix(delta-upgrade): filter non-versioned nightly tags from GHCR patch generation (#753)

## Summary

A stale `nightly-test` tag in GHCR (created Feb 26 for testing, never
cleaned up) broke **every** nightly delta upgrade. This PR fixes the
root cause, adds guardrails, and cleans up the damage.

### Root cause

`generate-patches` runs **before** `publish-nightly`, so the current
version's nightly tag doesn't exist yet. The tag loop (`grep '^nightly-'
| sort -V`) fell through to `nightly-test` (which sorts last) as the
"previous version." Its empty binaries (44 bytes `.gz`) produced ~23 MB
patches that exceeded the client's 60% size budget on every upgrade
attempt.

### What was done

**Immediate cleanup (manual):**
- Deleted the `nightly-test` tag from GHCR (version ID 706511735)
- Deleted all 82 corrupted `patch-*` tags that were generated against
the empty `nightly-test` binaries (201 good patches preserved)

**Preventive CI fix:**
- Changed `grep '^nightly-'` → `grep '^nightly-[0-9]'` in all 3
locations (generate-patches, publish-nightly, cleanup-nightlies) to
reject non-versioned tags
- Added a "Validate patch sizes" CI step that rejects patches exceeding
50% of binary size, removes them from the upload, and auto-files a
GitHub issue

**Diagnostic improvement:**
- Refactored `validateChainStep` to return a discriminated union
(`ChainStepResult`) with typed failure reasons (`version-mismatch`,
`missing-layer`, `size-exceeded`) instead of bare `null`
- Debug log now shows the specific failure reason instead of a
misleading generic `budget=X` message

### Files changed

| File | Change |
|------|--------|
| `.github/workflows/ci.yml` | `grep '^nightly-[0-9]'` filter + patch
size validation step |
| `.github/workflows/cleanup-nightlies.yml` | `grep '^nightly-[0-9]'`
filter |
| `src/lib/delta-upgrade.ts` | `validateChainStep` returns typed
failures, `formatStepFailure` helper |
| `test/lib/delta-upgrade.test.ts` | 4 unit tests for
`validateChainStep` |

Author: BYK

.github/workflows/ci.yml

@@ -328,7 +328,7 @@ jobs:
           echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
 
           # Find previous nightly tag
-          TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-' | sort -V || echo "")
+          TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-[0-9]' | sort -V || echo "")
           PREV_TAG=""
           for tag in $TAGS; do
             # Current tag may not exist yet (publish-nightly hasn't run),
@@ -408,6 +408,56 @@ jobs:
 
           echo "Generated ${GENERATED} patches"
 
+      - name: Validate patch sizes
+        if: env.HAS_PREV == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          # Client rejects chains exceeding 60% of gzipped binary size
+          # (SIZE_THRESHOLD_RATIO in src/lib/delta-upgrade.ts). Use 50% here
+          # so single-step patches are caught with margin to spare.
+          MAX_RATIO: 50
+        run: |
+          shopt -s nullglob
+          OVERSIZED=""
+
+          for patch_file in patches/*.patch; do
+            name=$(basename "$patch_file" .patch)
+            gz_binary="new-binaries/${name}.gz"
+            [ -f "$gz_binary" ] || continue
+
+            patch_size=$(stat --printf='%s' "$patch_file")
+            gz_size=$(stat --printf='%s' "$gz_binary")
+            ratio=$(awk "BEGIN { printf \"%.0f\", ($patch_size / $gz_size) * 100 }")
+
+            if [ "$ratio" -gt "$MAX_RATIO" ]; then
+              echo "::error::Patch ${name}.patch is ${ratio}% of gzipped binary (limit: ${MAX_RATIO}%)"
+              OVERSIZED="$(printf '%s\n- `%s.patch`: %s%% of gzipped binary (%s / %s bytes)' "$OVERSIZED" "$name" "$ratio" "$patch_size" "$gz_size")"
+              rm "$patch_file"
+            fi
+          done
+
+          if [ -n "$OVERSIZED" ]; then
+            TITLE="Delta patch generation produced oversized patches"
+            BODY="$(cat <<ISSUE_EOF
+          The \`generate-patches\` job produced patches exceeding ${MAX_RATIO}% of gzipped binary size:
+          ${OVERSIZED}
+
+          These patches were **excluded** from the artifact upload. This usually means the old binary download failed (empty/wrong file).
+
+          **Branch:** \`${GITHUB_REF_NAME}\`
+          **Commit:** ${GITHUB_SHA}
+          **Run:** ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}
+          ISSUE_EOF
+          )"
+
+            EXISTING=$(gh issue list --repo "$GITHUB_REPOSITORY" --state open --search "$TITLE" --json number --jq '.[0].number // empty')
+            if [ -n "$EXISTING" ]; then
+              gh issue comment "$EXISTING" --repo "$GITHUB_REPOSITORY" --body "$BODY"
+            else
+              gh issue create --repo "$GITHUB_REPOSITORY" --title "$TITLE" --body "$BODY" --label bug
+            fi
+          fi
+
       - name: Upload patch artifacts
         if: env.HAS_PREV == 'true'
         uses: actions/upload-artifact@v7
@@ -531,7 +581,7 @@ jobs:
           fi
 
           # Find from-version by listing GHCR nightly tags
-          TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-' | sort -V || echo "")
+          TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-[0-9]' | sort -V || echo "")
           PREV_TAG=""
           for tag in $TAGS; do
             if [ "$tag" = "nightly-${VERSION}" ]; then break; fi

.github/workflows/cleanup-nightlies.yml

@@ -34,7 +34,7 @@ jobs:
           REPO="ghcr.io/getsentry/cli"
 
           # List all nightly-* tags sorted by version, oldest first
-          NIGHTLY_TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-' | sort -V || echo "")
+          NIGHTLY_TAGS=$(oras repo tags "${REPO}" 2>/dev/null | grep '^nightly-[0-9]' | sort -V || echo "")
           if [ -z "$NIGHTLY_TAGS" ]; then
             NIGHTLY_COUNT=0
           else