fix(publish): remove JFrog publishing entirely

Every artefact now publishes to the OSS registry stack: GHCR /
crates.io / PyPI / npm / GitHub Releases / Cloudflare R2. JFrog was
on a deprecation path with v2; this commit completes the removal.

Removed:
- destinations_internal block in defaults.yaml
- jfrog_* fields and derived URLs in OrgConfig
- jfrog config block in org.yaml
- _publish_jfrog handlers in python/rust/typescript publish modules
- _publish_jfrog_binaries + _upload_to_artifactory in publish/binaries
- internal/both branches in container/registry.py
- JFrog Docker login + JFROG_TOKEN env in workflow _release-tail.yml
- "internal staging" channel override in dispatch.py
- All in-source JFrog comments and references

Backward compat preserved:
- publish.target field still accepted in .hyperi-ci.yaml; values
  internal/both/oss all route to the OSS destination map
- HYPERCI_PUBLISH_TARGET env var still accepted; same routing
- Workflow-dispatch input publish-target still accepted

Docs updated:
- README publish-channels section rewritten for OSS-only
- MIGRATION-GUIDE adds v2.1.4 entry; existing v1→v2 section notes JFrog removal
- CI-LESSONS.md prefixed with banner: JFrog notes are historical
- JFROG-MIGRATION.md status updated: removal complete

The only remaining toggle for full OSS visibility is making the
source repos themselves public on GitHub.

Publish: true

Author: catinspace-au

.github/workflows/_release-tail.yml

@@ -17,8 +17,8 @@
 #                                  on will-publish)
 #   (here)    tag-and-publish   ← npx semantic-release real → tag +
 #                                  CHANGELOG; then hyperi-ci run publish
-#                                  → binaries to crates.io / R2 / GH
-#                                  Release / JFrog
+#                                  → artefacts to crates.io / PyPI / npm /
+#                                  GHCR / GitHub Releases / Cloudflare R2
 #
 # Doctrine: tag-on-publish. A git tag exists iff the artefact is in the
 # registry. Aligns with kubernetes/rust/python OSS conventions.
@@ -144,17 +144,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: JFrog Docker login
-        # Required when publish.target resolves to internal or both. The
-        # registry resolver writes the JFrog tag; this step authenticates
-        # the push. No-op if vars.JFROG_DOMAIN is unset.
-        if: steps.check.outputs.enabled != 'false' && (inputs.publish-target == 'internal' || inputs.publish-target == 'both') && vars.JFROG_DOMAIN != ''
-        uses: docker/login-action@v4
-        with:
-          registry: ${{ vars.JFROG_DOMAIN }}
-          username: ${{ secrets.JFROG_USERNAME }}
-          password: ${{ secrets.JFROG_TOKEN }}
-
       - name: Set up Docker Buildx
         if: steps.check.outputs.enabled != 'false'
         uses: docker/setup-buildx-action@v4
@@ -272,11 +261,12 @@ jobs:
         run: uv python install ${{ inputs.python-version }}
 
       - name: Publish
-        # Uploads to all configured destinations: crates.io / PyPI / npm
-        # (oss), JFrog Artifactory (internal), R2 (oss), GitHub Release.
+        # Uploads to all OSS destinations: crates.io / PyPI / npm /
+        # GHCR / GitHub Releases / Cloudflare R2.
         env:
-          JFROG_TOKEN: ${{ secrets.JFROG_TOKEN }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
           R2_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}

.github/workflows/go-ci.yml

@@ -22,7 +22,7 @@ on:
       publish-target:
         type: string
         default: "oss"
-        description: "Publish destination: oss (default, FOSS), internal (deprecated, JFrog), or both"
+        description: "Publish destination (legacy field, ignored — every publish goes to OSS registries)"
       go-version-file:
         type: string
         default: "go.mod"

.github/workflows/python-ci.yml

@@ -22,7 +22,7 @@ on:
       publish-target:
         type: string
         default: "oss"
-        description: "Publish destination: oss (default, FOSS), internal (deprecated, JFrog), or both"
+        description: "Publish destination (legacy field, ignored — every publish goes to OSS registries)"
       python-version:
         type: string
         default: "3.12"
@@ -118,14 +118,6 @@ jobs:
       - name: Install native dependencies
         run: ${{ env.HYPERCI_INSTALL }} install-native-deps python
 
-      # DO NOT add UV_EXTRA_INDEX_URL here.
-      # uv does NOT work like pip with mixed public+private indices. By default
-      # uv uses first-match-wins per package name — if JFrog returns an empty
-      # 200 for a package it doesn't have (e.g. hatchling), uv stops there and
-      # reports "no versions found" rather than falling back to PyPI.
-      # Workaround exists (UV_INDEX_STRATEGY=unsafe-best-match) but is fragile.
-      # Projects that need private JFrog packages configure [tool.uv.index] with
-      # explicit=true in their own pyproject.toml — not here.
       - name: Install dependencies
         run: uv sync --frozen --all-extras
 

.github/workflows/rust-ci.yml

@@ -22,7 +22,7 @@ on:
       publish-target:
         type: string
         default: "oss"
-        description: "Publish destination: oss (default, FOSS), internal (deprecated, JFrog), or both"
+        description: "Publish destination (legacy field, ignored — every publish goes to OSS registries)"
       rust-toolchain:
         type: string
         default: "stable"
@@ -78,7 +78,7 @@ on:
       publish-target:
         type: string
         default: "oss"
-        description: "Publish destination: oss (default, FOSS), internal (deprecated, JFrog), or both"
+        description: "Publish destination (legacy field, ignored — every publish goes to OSS registries)"
       rust-toolchain:
         type: string
         default: "stable"

.github/workflows/ts-ci.yml

@@ -22,7 +22,7 @@ on:
       publish-target:
         type: string
         default: "oss"
-        description: "Publish destination: oss (default, FOSS), internal (deprecated, JFrog), or both"
+        description: "Publish destination (legacy field, ignored — every publish goes to OSS registries)"
       node-version:
         type: string
         default: "22"

README.md

@@ -16,12 +16,18 @@ VERSION / pyproject.toml / package.json **before** the build, then tags
 registry. Aligns with kubernetes / rust / python OSS conventions. No
 more orphan tags from "tag every fix:, publish later" mode.
 
-**100% FOSS pipeline by default.** Default `publish.target` is `oss`
-(GitHub Releases + crates.io / PyPI / npm + GHCR + R2). Internal /
-JFrog paths are opt-in and on a 4–6 week deprecation timeline.
+**100% FOSS pipeline.** Every artefact publishes to public registries:
+crates.io, PyPI, npm, GHCR, GitHub Releases, and Cloudflare R2
+(`downloads.hyperi.io`). The legacy `publish.target` knob is accepted
+in `.hyperi-ci.yaml` for backward compatibility but **ignored at
+runtime** — JFrog publishing was removed in v2.1.4. The only switch
+left to flip for full open-source visibility is making the source
+repos themselves public.
 
 See [docs/MIGRATION-GUIDE.md](docs/MIGRATION-GUIDE.md) for the v1 → v2
-migration.
+migration. Pre-v2.1.4 docs that mention JFrog targets, the
+`destinations_internal` block, or `target: internal` are historical
+only — those code paths have been removed.
 
 ## Why Use This
 
@@ -184,31 +190,40 @@ Control where artifacts go with one line in `.hyperi-ci.yaml`:
 ```yaml
 publish:
   channel: release    # spike | alpha | beta | release
-  target: oss         # oss (default, FOSS) | internal (deprecated, JFrog) | both
 ```
 
-### Channel behaviour
+### Publish targets
 
-Pre-release channels (`spike`, `alpha`, `beta`) keep packages off the
-public registries. Stable releases require `channel: release`.
+Every artefact publishes to the OSS registry stack:
 
-| Channel | Registry publish | GH Release | R2 binaries | R2 path |
-|---|---|---|---|---|
-| `spike` | none | Prerelease | Uploaded | `/{project}/spike/v1.3.0/` |
-| `alpha` | none | Prerelease | Uploaded | `/{project}/alpha/v1.3.0/` |
-| `beta`  | none | Prerelease | Uploaded | `/{project}/beta/v1.3.0/` |
-| `release` | configured target | GA | Uploaded | `/{project}/v1.3.0/` |
+| Artefact type | Destination |
+|---|---|
+| Containers | GHCR (`ghcr.io/<org>`) |
+| Rust crates | crates.io |
+| Python packages | PyPI |
+| npm packages | npmjs.com |
+| Binaries (per-tag) | GitHub Releases |
+| Binaries (web-downloadable) | Cloudflare R2 (`downloads.hyperi.io`) |
+| Helm charts | OCI under GHCR |
+
+The `publish.target` field is still accepted in `.hyperi-ci.yaml` for
+backward compatibility — values like `internal` or `both` are read,
+preserved on the `CIConfig` object, and **silently routed to the OSS
+destination map**. JFrog publishing was removed in v2.1.4. The only
+remaining toggle for full FOSS visibility is making the source repos
+themselves public on GitHub.
 
-### Target behaviour
+### Channel behaviour
 
-| `publish.target` | Containers | Binaries | Packages |
-|---|---|---|---|
-| `oss` (default) | GHCR | GitHub Release + R2 | crates.io / PyPI / npm |
-| `internal` | JFrog Docker (deprecated) | JFrog Generic (deprecated) | JFrog Cargo / PyPI / npm (deprecated) |
-| `both` | GHCR + JFrog | GitHub + R2 + JFrog | All registries |
+Pre-release channels (`spike`, `alpha`, `beta`) flag GH Releases as
+prerelease and prefix R2 paths. Stable releases require `channel: release`.
 
-JFrog targets are kept for back-compat; the path is on a 4–6 week
-deprecation timeline. New projects should use `target: oss`.
+| Channel | GH Release | R2 path |
+|---|---|---|
+| `spike` | Prerelease | `/{project}/spike/v1.3.0/` |
+| `alpha` | Prerelease | `/{project}/alpha/v1.3.0/` |
+| `beta`  | Prerelease | `/{project}/beta/v1.3.0/` |
+| `release` | GA | `/{project}/v1.3.0/` + `/{project}/latest/` |
 
 ### Graduating to GA
 

docs/CI-LESSONS.md

@@ -9,6 +9,14 @@ across 14+ consumer projects.
 
 Source: `hyperi-io/ci` (to be archived once cutover is complete).
 
+> **JFrog sections in this document are historical (pre-v2.1.4).**
+> JFrog publishing was removed entirely in v2.1.4. The JFrog auth
+> patterns, registry URLs, and token handling notes below are kept for
+> archaeological context — they describe how things worked before the
+> 100% OSS pipeline. Do not use them as a current reference. The
+> publish path now goes to crates.io / PyPI / npm / GHCR / GitHub
+> Releases / Cloudflare R2 only.
+
 ---
 
 ## Rust

docs/JFROG-MIGRATION.md

@@ -1,16 +1,20 @@
-# JFrog Migration Plan (HISTORICAL)
+# JFrog Migration Plan (HISTORICAL — JFrog removed in v2.1.4)
 
-> **Status: superseded by full JFrog deprecation.**
+> **Status: complete. JFrog publishing was removed in v2.1.4.**
 >
-> This document captured the v1-era plan to *reduce* JFrog to two roles
-> (Telstra delivery, private package staging). With the v2 release the
-> plan has changed: **JFrog is being phased out entirely** on a 4–6
-> week timeline. The default `publish.target` is now `oss` (GitHub
-> Releases + GHCR + crates.io / PyPI / npm + R2). The `internal` and
-> `both` targets are kept as opt-in paths for back-compat through the
-> deprecation window.
+> This document is a historical artefact from the v1 → v2 transition,
+> when JFrog was being *reduced* to a smaller role. With v2.1.4 the
+> reduction completed: **all JFrog publishing code, config, and
+> workflow steps were deleted**. Every artefact now publishes to the
+> OSS registry stack (GHCR / crates.io / PyPI / npm / GitHub Releases
+> / Cloudflare R2). Downstream `.hyperi-ci.yaml` files that still set
+> `publish.target: internal` or `publish.target: both` are accepted —
+> the field is read for back-compat — but its value is **silently
+> routed to the OSS destination map**. There is no JFrog publishing
+> path in the codebase anymore.
 >
-> Document kept for historical context.
+> Document kept for historical context. Do not treat as a current
+> reference.
 
 Reduce JFrog to two roles: Telstra artifact delivery and private package
 staging (PyPI + Cargo). Move everything else to GitHub (GHCR, GitHub

docs/MIGRATION-GUIDE.md

@@ -1,6 +1,21 @@
 # Migration Guide
 
-## v1 → v2 (current)
+## v2.1.4 — JFrog removed
+
+JFrog publishing was removed entirely in v2.1.4. Every artefact now
+publishes to the OSS registry stack: GHCR, crates.io, PyPI, npm,
+GitHub Releases, and Cloudflare R2 (`downloads.hyperi.io`).
+
+If your `.hyperi-ci.yaml` still has `publish.target: internal` or
+`publish.target: both`: **leave it**. The field is read for backward
+compatibility and silently routed to OSS. There is no JFrog code path
+left to enable. New projects should set `target: oss` (or omit the
+field — `oss` is the default).
+
+The only remaining toggle for full open-source visibility is making
+the source repos themselves public on GitHub.
+
+## v1 → v2
 
 v2 introduces the version-first single-run pipeline and tag-on-publish
 semantics. The biggest user-visible changes:
@@ -12,16 +27,17 @@ semantics. The biggest user-visible changes:
 | Tag semantics | Tags accumulate; some published, some not | Tag = "this artefact is in a registry" |
 | Build runs per release | 2 (push run + dispatch run) | 1 |
 | Version stamping | Post-build (binary lags one release) | Pre-build (binary embeds correct version) |
-| Default `publish.target` | `internal` (JFrog) | `oss` (FOSS) |
+| Default `publish.target` | `internal` (JFrog) | `oss` (FOSS); JFrog removed in v2.1.4 |
 
 ### What you have to do
 
-1. **Update `.hyperi-ci.yaml`** — flip `target` to `oss` (or leave at `both`
-   during the JFrog deprecation window):
+1. **Update `.hyperi-ci.yaml`** — `target` no longer matters (JFrog was
+   removed in v2.1.4 and every value routes to OSS), but you can flip
+   to `oss` for clarity:
 
    ```yaml
    publish:
-     target: oss   # was: internal or both
+     target: oss   # was: internal or both — both still accepted, both go to OSS
    ```
 
 2. **Bump `hyperi-ci` to >= 2.0.0** in any local install:
@@ -76,9 +92,10 @@ semantics. The biggest user-visible changes:
   `Publish: true` trailer requires at least one release-worthy commit
   since the last tag. Add a `fix:` / `feat:` commit, or remove the
   trailer.
-- **JFrog registry deprecation**: `internal` and `both` targets keep
-  working through the 4–6 week deprecation window. Plan to flip to
-  `oss` before the JFrog endpoints turn off.
+- **JFrog removed in v2.1.4**: the `internal` and `both` target values
+  are still accepted in `.hyperi-ci.yaml` but ignored — every publish
+  goes to the OSS registry stack. No action required for projects
+  already using `target: oss`.
 
 ---