ci: harden post-release distribution sync

Author: hqhq1025

.github/workflows/release.yml

@@ -483,17 +483,17 @@ jobs:
     needs: [publish]
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && !contains(github.ref_name, '-')
-    continue-on-error: true
     permissions:
       contents: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           # Check out the default branch (not the tag) so the commit lands
           # on main. We pass the version explicitly to the script.
           ref: main
           fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Derive version from tag
         id: ver
@@ -519,7 +519,26 @@ jobs:
           git commit -m "$msg"
           # Rebase in case main advanced while the release job ran.
           git pull --rebase origin main
-          git push origin HEAD:main
+          if git push origin HEAD:main; then
+            echo "::notice::pushed packaging manifest sync directly to main"
+            exit 0
+          fi
+
+          branch="release/${GITHUB_REF_NAME}-manifests"
+          git push --force origin HEAD:"$branch"
+          existing_pr="$(gh pr list --head "$branch" --json number --jq '.[0].number // empty')"
+          if [ -z "$existing_pr" ]; then
+            gh pr create \
+              --base main \
+              --head "$branch" \
+              --title "chore(release): sync manifests to ${GITHUB_REF_NAME}" \
+              --body "Auto-generated by .github/workflows/release.yml after publishing ${GITHUB_REF_NAME}. Pulls SHA256SUMS.txt from the release and rewrites cask / scoop / winget / flatpak manifests to match."
+          fi
+          pr_number="$(gh pr list --head "$branch" --json number --jq '.[0].number')"
+          gh pr merge "$pr_number" --auto --squash
+          echo "::notice::opened packaging manifest PR #${pr_number} and enabled auto-merge"
+        env:
+          GH_TOKEN: ${{ secrets.RELEASE_BOT_TOKEN || secrets.GITHUB_TOKEN }}
 
   # ------------------------------------------------------------------
   # Scoop bucket bump — publishes the generated manifest to the actual
@@ -595,7 +614,6 @@ jobs:
     needs: [publish]
     runs-on: macos-latest
     if: github.event_name == 'push' && !contains(github.ref_name, '-')
-    continue-on-error: true
     steps:
       - name: Guard on secret
         id: guard
@@ -607,15 +625,41 @@ jobs:
             echo "skip=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Bump cask
+      - name: Checkout source
         if: steps.guard.outputs.skip == 'false'
-        uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb # v1
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          path: source
+          ref: ${{ github.ref }}
+
+      - name: Generate cask from release checksums
+        if: steps.guard.outputs.skip == 'false'
+        working-directory: source
+        run: ./packaging/update-shas.sh "${GITHUB_REF_NAME#v}"
+
+      - name: Checkout Homebrew tap
+        if: steps.guard.outputs.skip == 'false'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          repository: OpenCoworkAI/homebrew-tap
+          path: homebrew-tap
           token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
-          tap: OpenCoworkAI/homebrew-tap
-          cask: open-codesign
-          tag: ${{ github.ref_name }}
-          force: false
+
+      - name: Commit + push cask
+        if: steps.guard.outputs.skip == 'false'
+        run: |
+          mkdir -p homebrew-tap/Casks
+          cp source/packaging/homebrew/Casks/open-codesign.rb homebrew-tap/Casks/open-codesign.rb
+          cd homebrew-tap
+          if git diff --quiet Casks/open-codesign.rb; then
+            echo "::notice::Homebrew tap already up to date — no commit"
+            exit 0
+          fi
+          git config user.name  "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add Casks/open-codesign.rb
+          git commit -m "open-codesign ${GITHUB_REF_NAME#v}"
+          git push
 
   # ------------------------------------------------------------------
   # Winget manifest PR — submits to microsoft/winget-pkgs.
@@ -630,7 +674,6 @@ jobs:
     needs: [publish]
     runs-on: windows-latest
     if: github.event_name == 'push' && !contains(github.ref_name, '-')
-    continue-on-error: true
     steps:
       - name: Guard on secret
         id: guard
@@ -643,8 +686,22 @@ jobs:
             echo "skip=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Release winget package
+      - name: Check existing winget package
         if: steps.guard.outputs.skip == 'false'
+        id: winget-package
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = 'SilentlyContinue'
+          Invoke-RestMethod -Uri 'https://api.github.com/repos/microsoft/winget-pkgs/contents/manifests/o/OpenCoworkAI/OpenCoDesign' -Method Get | Out-Null
+          if ($?) {
+            "exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+          } else {
+            "exists=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+            Write-Output "::notice::OpenCoworkAI.OpenCoDesign is not in microsoft/winget-pkgs yet; skipping automated winget update until the initial manifest is accepted."
+          }
+
+      - name: Release winget package
+        if: steps.guard.outputs.skip == 'false' && steps.winget-package.outputs.exists == 'true'
         uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
         with:
           identifier: OpenCoworkAI.OpenCoDesign