Add a `channel: stable | beta` workflow_dispatch input to release.yml.
`stable` is unchanged (byte-for-byte). `beta` produces a Windows agent
binary signed by the identical fail-closed Azure Trusted Signing path,
but skips the semver bump, changelog, and release commit, and publishes
a prerelease-tagged Gitea release (vX.Y.Z-beta.<run_number>) at HEAD.
So every binary handed to a tester is signed, not just formal releases.
- prerelease tags excluded from stable LAST_TAG detection (both lookups)
so a beta tag can't corrupt the next stable version computation
- beta tag force-created/pushed -> idempotent on failed-run re-runs
- changelog download gated to stable; release prerelease flag plumbed
through to the Gitea REST payload
Reviewed-by: Code Review Agent (APPROVE WITH NITS; N1 hardened)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Mike Swanson
87f229509b