Merge branch 'main' into restore/pre-0.9.3-backlog

Author: JasonVranek

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: true
 
@@ -32,10 +32,13 @@ jobs:
       - name: Install protoc
         run: sudo provisioning/protoc.sh
 
-      - name: Setup just
-        uses: extractions/setup-just@v3
-        with:
-          just-version: 1.40.0
+      - name: Install just
+        run: cargo install just --version 1.40.0 --locked
+        env:
+          CARGO_TARGET_DIR: /tmp/cargo-install-just
+
+      - name: Add cargo bin to PATH
+        run: echo "$HOME/.cargo/bin" >> $GITHUB_PATH
 
       - name: Check compilation
         run: cargo check

.github/workflows/docs.yml

@@ -12,7 +12,7 @@ jobs:
     name: Build Docusaurus
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/release-gate.yml

@@ -1,96 +1,74 @@
 name: Release Gate
-
 on:
   pull_request:
     types: [closed]
     branches: [main]
+    paths: [".releases/**"]
+
+concurrency:
+  group: release-gate
+  cancel-in-progress: false
 
 jobs:
-  release-gate:
-    name: Tag and update release branches
+  create-release-tag:
+    name: Create tag and dispatch release
     runs-on: ubuntu-latest
-    # Only run when a release/ branch is merged (not just closed)
-    if: |
-      github.event.pull_request.merged == true &&
-      startsWith(github.event.pull_request.head.ref, 'release/v')
-
+    timeout-minutes: 5
+    if: github.event.pull_request.merged == true
     permissions:
       contents: write
-
+      actions: write
     steps:
-      - uses: actions/create-github-app-token@v1
+      - name: Fail if App credentials are not configured
+        run: |
+          if [ -z "${{ secrets.APP_ID }}" ] || [ -z "${{ secrets.APP_PRIVATE_KEY }}" ]; then
+            echo "❌ APP_ID and APP_PRIVATE_KEY must be configured."
+            echo "For fork testing, install a personal GitHub App on the fork,"
+            echo "create a private key, and add both as repository secrets."
+            exit 1
+          fi
+
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: actions/create-github-app-token@v3
         id: app-token
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v6
         with:
-          # Full history required for version comparison against existing tags
-          # and for the fast-forward push to stable/beta.
-          fetch-depth: 0
-          token: ${{ steps.app-token.outputs.token }}
-
-      - name: Extract and validate version
-        id: version
-        env:
-          BRANCH_REF: ${{ github.event.pull_request.head.ref }}
-        run: |
-          BRANCH="$BRANCH_REF"
-          NEW_VERSION="${BRANCH#release/}"
-          echo "new=${NEW_VERSION}" >> $GITHUB_OUTPUT
+          python-version: "3.x"
 
-          # Determine if this is an RC
-          if echo "$NEW_VERSION" | grep -qE '\-rc[0-9]+$'; then
-            echo "is_rc=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_rc=false" >> $GITHUB_OUTPUT
-          fi
+      - name: Install Python deps
+        run: pip install pyyaml
 
-      - name: Validate version is strictly increasing
+      - name: Create tag from release request
+        id: gate
         env:
-          NEW_VERSION: ${{ steps.version.outputs.new }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REPO: ${{ github.repository }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          MERGE_SHA: ${{ github.event.pull_request.merge_commit_sha }}
         run: |
-          # Get the latest tag; if none exist yet, skip the comparison
-          LATEST_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n1)
-          if [ -z "$LATEST_TAG" ]; then
-            echo "No existing tags found — skipping version comparison"
-            exit 0
+          python .github/workflows/release/release.py gate | tee /tmp/gate-output.txt
+          TAG=$(grep '^tag=' /tmp/gate-output.txt | tail -1 | cut -d= -f2-)
+          COMMIT=$(grep '^commit=' /tmp/gate-output.txt | tail -1 | cut -d= -f2-)
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "commit=$COMMIT" >> $GITHUB_OUTPUT
+
+          if [ -z "$TAG" ] || [ -z "$COMMIT" ]; then
+            echo "❌ gate did not emit tag= / commit= outputs"
+            exit 1
           fi
+          echo "Gate outputs: $TAG @ $COMMIT"
 
-          LATEST_VERSION="${LATEST_TAG#v}"
-
-          python3 - <<EOF
-          import sys
-          from packaging.version import Version
-
-          def normalize(v):
-              # Convert vX.Y.Z-rcQ → X.Y.ZrcQ (PEP 440)
-              return v.replace("-rc", "rc")
-
-          new    = Version(normalize("$NEW_VERSION"))
-          latest = Version(normalize("$LATEST_VERSION"))
-
-          print(f"Latest tag : {latest}")
-          print(f"New version: {new}")
-
-          if new <= latest:
-              print(f"\n❌ {new} is not strictly greater than current {latest}")
-              sys.exit(1)
-
-          print(f"\n✅ Version order is valid")
-          EOF
-
-      - name: Configure git
-        run: |
-          git config user.name  "commit-boost-release-bot[bot]"
-          git config user.email "commit-boost-release-bot[bot]@users.noreply.github.com"
-
-      - name: Create and push tag
+      - name: Dispatch release workflow
         env:
-          VERSION: ${{ steps.version.outputs.new }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          git tag "$VERSION" HEAD
-          git push origin "$VERSION"
-          # Branch fast-forwarding happens in release.yml after all artifacts
-          # are successfully built. stable/beta are never touched if the build fails.
+          gh workflow run release.yml \
+            --ref main \
+            -f tag=${{ steps.gate.outputs.tag }}