Fix WORKS Drive image upload recovery

test/production_image_workflows_policy_test.sh

@@ -44,6 +44,8 @@ grep -Fq "steps.version.outputs.image_tag" "$publish_workflow" \
   || fail "publish workflow must use the computed image tag for built image archives."
 grep -Fq "Upload built images to WORKS Drive archive" "$publish_workflow" \
   || fail "publish workflow must archive locally built images to WORKS Drive."
+grep -Fq "Verify built Docker images before WORKS upload" "$publish_workflow" \
+  || fail "publish workflow must verify all built Docker images before WORKS upload."
 grep -Fq "scripts/docker-image/upload_works_drive.sh" "$publish_workflow" \
   || fail "publish workflow must use the shared WORKS Drive image archive script."
 grep -Fq "docker/build-push-action@v5" "$publish_workflow" \
@@ -54,6 +56,12 @@ for image in backend userfront adminfront devfront orgfront; do
   grep -Fq "baron_sso/${image}:" "$publish_workflow" \
     || fail "publish workflow must build ${image} image."
 done
+grep -Fq 'docker image inspect "${image_ref}"' "$publish_workflow" \
+  || fail "publish workflow must inspect each built Docker image before upload."
+grep -Fq 'WORKS image upload ${image_index}/${image_total}: ${image_ref}' "$publish_workflow" \
+  || fail "publish workflow must log each WORKS image upload with index and image ref."
+grep -Fq 'uploaded_images' "$publish_workflow" \
+  || fail "publish workflow must track successfully uploaded image refs for failure diagnostics."
 grep -Fq "WORKS_DRIVE_ACCESS_TOKEN_INPUT: \${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}" "$publish_workflow" \
   || fail "publish workflow must support direct WORKS Drive access token auth."
 grep -Fq "WORKS_DRIVE_OAUTH_CLIENT_SECRET: \${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}" "$publish_workflow" \

test/works_drive_docker_image_upload_policy_test.sh

@@ -264,9 +264,81 @@ for image in backend userfront; do
   "$script" >"$tmp_dir/root-${image}.out"
 done
 
+root_artifact_dir="$root_archive_dir/baron-sso/v1.2606.ab12"
+[[ -f "$root_artifact_dir/backend.v1.2606.ab12.tar.zst" ]] \
+  || fail "script must keep the backend image archive after follow-up image uploads."
+[[ -f "$root_artifact_dir/userfront.v1.2606.ab12.tar.zst" ]] \
+  || fail "script must keep the userfront image archive after follow-up image uploads."
+jq -e \
+  '.images.backend.archive.file_name == "backend.v1.2606.ab12.tar.zst"
+   and .images.userfront.archive.file_name == "userfront.v1.2606.ab12.tar.zst"' \
+  "$root_artifact_dir/manifest.v1.2606.ab12.json" >/dev/null \
+  || fail "manifest must accumulate all uploaded images for the same tag."
+
 root_create_count="$(cat "${root_curl_log}.root-create-count")"
 [[ "$root_create_count" == "1" ]] || fail "script must reuse the cached root archive folder id across image uploads in the same run."
 grep -Fq "sharedrives/root-drive/files/root-tag-id" "$root_curl_log" \
   || fail "script must upload follow-up images into the cached tag folder."
 
+conflict_curl_log="$tmp_dir/conflict-curl.log"
+conflict_fake_curl="$tmp_dir/conflict-fake-curl.sh"
+cat >"$conflict_fake_curl" <<'EOF'
+#!/usr/bin/env bash
+set -euo pipefail
+printf '%s\n' "$*" >>"${FAKE_CURL_LOG}"
+last_arg="${!#}"
+
+case "$last_arg" in
+  https://www.worksapis.com/v1.0/sharedrives/conflict-drive/files)
+    list_count_file="${FAKE_CURL_LOG}.root-list-count"
+    list_count=0
+    [[ -f "$list_count_file" ]] && list_count="$(cat "$list_count_file")"
+    list_count=$((list_count + 1))
+    printf '%s' "$list_count" >"$list_count_file"
+    if [[ "$list_count" -eq 1 ]]; then
+      printf '{"files":[]}\n200'
+    else
+      printf '{"files":[{"fileId":"conflict-baron-sso-id","fileName":"baron-sso","fileType":"FILE"}]}\n200'
+    fi
+    ;;
+  https://www.worksapis.com/v1.0/sharedrives/conflict-drive/files/createfolder)
+    printf '{"code":"RESOURCE_ALREADY_EXIST","description":"Resource already exists."}\n409'
+    ;;
+  https://www.worksapis.com/v1.0/sharedrives/conflict-drive/files/conflict-baron-sso-id/children)
+    printf '{"files":[]}\n200'
+    ;;
+  https://www.worksapis.com/v1.0/sharedrives/conflict-drive/files/conflict-baron-sso-id/createfolder)
+    printf '{"fileId":"conflict-tag-id","fileName":"v1.2606.ab12","fileType":"FOLDER"}\n200'
+    ;;
+  https://www.worksapis.com/v1.0/sharedrives/conflict-drive/files/conflict-tag-id)
+    printf '{"uploadUrl":"https://upload.example.test/conflict-docker-image"}\n200'
+    ;;
+  https://upload.example.test/conflict-docker-image)
+    printf '{"fileId":"uploaded-conflict-file-id"}\n200'
+    ;;
+  *)
+    echo "unexpected conflict curl URL: $last_arg" >&2
+    exit 2
+    ;;
+esac
+EOF
+chmod +x "$conflict_fake_curl"
+
+FAKE_DOCKER_LOG="$docker_log" \
+FAKE_CURL_LOG="$conflict_curl_log" \
+PATH="$fake_bin:$PATH" \
+WORKS_DRIVE_ACCESS_TOKEN="test-access-token" \
+WORKS_DRIVE_TARGET="sharedrive" \
+WORKS_DRIVE_SHARED_DRIVE_ID="conflict-drive" \
+WORKS_DRIVE_PARENT_FILE_ID="" \
+WORKS_DRIVE_CURL_BIN="$conflict_fake_curl" \
+WORKS_DOCKER_IMAGE_ARCHIVE_DIR="$tmp_dir/conflict-archive" \
+DOCKER_IMAGE_REF="baron_sso/backend:v1.2606.ab12" \
+"$script" >"$tmp_dir/conflict.out" 2>&1
+
+grep -Fq "WORKS folder already exists, resolving existing folder id: baron-sso" "$tmp_dir/conflict.out" \
+  || fail "script must recover an existing folder id after WORKS createfolder returns 409."
+grep -Fq "sharedrives/conflict-drive/files/conflict-tag-id" "$conflict_curl_log" \
+  || fail "script must upload into the resolved folder after a create conflict."
+
 echo "OK: WORKS Drive Docker image archive upload flow commits, packages, and uploads image artifacts"