Add a `channel: stable | beta` workflow_dispatch input to release.yml.

`stable` is unchanged (byte-for-byte). `beta` produces a Windows agent
binary signed by the identical fail-closed Azure Trusted Signing path,
but skips the semver bump, changelog, and release commit, and publishes
a prerelease-tagged Gitea release (vX.Y.Z-beta.<run_number>) at HEAD.
So every binary handed to a tester is signed, not just formal releases.

- prerelease tags excluded from stable LAST_TAG detection (both lookups)
  so a beta tag can't corrupt the next stable version computation
- beta tag force-created/pushed -> idempotent on failed-run re-runs
- changelog download gated to stable; release prerelease flag plumbed
  through to the Gitea REST payload

Reviewed-by: Code Review Agent (APPROVE WITH NITS; N1 hardened)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
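
The prerelease-tag exclusion described in the commit message above, sketched as an added example; this is not the project's release.yml. The helper names, the sample tags, and the choice to pass the base version in as an argument are assumptions.

```shell
#!/bin/sh
set -eu

# Constructed sample of tag names (not the project's real tags).
SAMPLE_TAGS='v0.9.0
v0.10.1
v0.10.1-beta.57
v0.11.0-beta.3
v0.2.5'

# Hypothetical helper: read tag names on stdin, print the highest stable tag.
latest_stable_tag() {
  # Allow-list exact vMAJOR.MINOR.PATCH rather than deny-listing "-beta":
  # any suffixed tag (beta, rc, typo) is dropped before sorting, so it can
  # never become the base of the next stable version bump.
  # `|| true` keeps an empty result from aborting callers that run under
  # `set -o pipefail`; an empty answer means "no stable tag yet".
  { grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' || true; } |
    sed 's/^v//' |
    sort -t. -k1,1n -k2,2n -k3,3n |
    tail -n 1 |
    sed 's/^/v/'
}

# Hypothetical helper: build the vX.Y.Z-beta.<run_number> tag name.
# Assumption: the caller supplies the X.Y.Z base and the CI run number.
beta_tag() {
  # Refuse a base that already carries a suffix, so a beta is never
  # stacked on a beta, and refuse a non-numeric run number.
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "$2" | grep -Eq '^[0-9]+$' || return 1
  printf '%s-beta.%s\n' "$1" "$2"
}
```

On the sample list a plain "highest tag" lookup would land on `v0.11.0-beta.3`; the filtered lookup returns `v0.10.1`, and it still does after another beta tag is pushed.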

jsign 7.1 signs guruconnect.exe successfully via Azure Trusted Signing, but the separate
verify step called `jsign --info` (not a real jsign subcommand) and wrongly failed the job.
jsign's non-zero exit under `set -euo pipefail` already gates signing fail-closed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

jsign 6.0 lacks the TRUSTEDSIGNING keystore type (only AZUREKEYVAULT); Azure Trusted
Signing support requires jsign >= 7.0. 7.1 matches /usr/share/jsign on the build host.
Fixes the release sign-and-publish step.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Windows agent jobs (build-and-test + release): set PROTOC env + add protoc to PATH
  (prost-build needs it; the runner did not inherit the machine env), and fix the artifact
  path to the workspace-root target/ (Cargo workspace, not agent/target/).
- Commit root Cargo.lock (was missing) -> fixes `cargo audit` (Couldn't load Cargo.lock) and
  makes builds reproducible.
- Security audit is now a single workspace-root `cargo audit`, informational (warn-only) like
  clippy; re-tighten in the GC re-spec.
- Remove test.yml: redundant with build-and-test and broken (`no library targets` — server is
  a binary crate).

Native MSVC agent build verified on the Pluto runner (4m20s, clean compile).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The build-agent job (build-and-test.yml) and a new build-agent-windows job (release.yml)
now run on the windows-msvc Gitea Actions runner on Pluto, building native
x86_64-pc-windows-msvc with crt-static. release.yml hands the unsigned guruconnect.exe to
the Linux job, which signs it with Azure Trusted Signing (jsign). Removes the fragile
mingw/GNU cross-compile. Reviewed by Code Review Agent (approve-with-nits).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Release builds (auto-versioning + Azure Trusted Signing + Gitea release) no longer
run on every push to main; trigger deliberately via workflow_dispatch. build-and-test.yml
remains the automatic PR/push CI gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>