furtka/.forgejo/workflows/release.yml

name: Release

# Tag-triggered: when `git push origin <version>` lands, this builds the
# release tarball and publishes it + the sha256 + release.json to the
# Forgejo releases page for that tag. Boxes then POST /api/furtka/update
# to pull from here.
#
# Version tags only (pattern matches CalVer like 26.0-alpha, 26.1, 27.0-beta).
# Documentation / random tags are ignored by the [0-9]* prefix.
on:
  push:
    tags: ['[0-9]*']

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # changelog section extraction needs history

      - name: Build release tarball
        run: ./scripts/build-release-tarball.sh "${GITHUB_REF_NAME}"

      - name: Publish to Forgejo releases
        env:
          FORGEJO_TOKEN: ${{ secrets.FORGEJO_RELEASE_TOKEN }}
        run: ./scripts/publish-release.sh "${GITHUB_REF_NAME}"
feat(furtka): release CI + \`furtka update\` / \`furtka rollback\` CLI Slice 2 of the self-update story. Tagging a release on main now produces a downloadable self-update payload on the Forgejo releases page, and a running box can pull it down, verify it, atomically swap to the new version, and health-check the result. New pieces: - scripts/build-release-tarball.sh <version> — packages the furtka/ package + bundled apps/ + a root-level VERSION file as dist/furtka-<version>.tar.gz, plus a .sha256 sidecar and a release.json metadata blob. - scripts/publish-release.sh <version> — uses the Forgejo v1 API to create a release (body pulled from the CHANGELOG section for this tag, pre-release auto-flagged on -alpha/-beta/-rc) and upload the three assets sequentially. Needs \$FORGEJO_TOKEN. - .forgejo/workflows/release.yml — tag-triggered, runs both scripts with the new \$FORGEJO_RELEASE_TOKEN repo secret. - furtka/updater.py — check_update, prepare_update, apply_update, run_update, rollback. Atomic symlink swap, sha256 verify (TOCTOU- safe: re-hashes on-disk file), health-check post-restart with auto-rollback on failure, stage-by-stage progress persisted to /var/lib/furtka/update-state.json so the UI can poll independent of the (restarting) API process. Path overrides via FURTKA_ROOT / FURTKA_STATE_DIR / FURTKA_LOCK_PATH so tests pin a tmpdir. - furtka/cli.py — \`furtka update [--check] [--json]\` and \`furtka rollback\`. - tests/test_updater.py — 15 tests: version compare, sha256 verify, tarball extract (including traversal refusal), lockfile, apply happy + rollback paths, rollback CLI, check_update with stubbed Forgejo. - iso/build.sh — writes VERSION at the tarball root so the install path matches the self-update path (previously assumed only the release script did this). RELEASING.md now points at the automated flow — no more manually clicking "Create release" on the Forgejo UI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 13:30:45 +02:00			`name: Release`

			# Tag-triggered: when `git push origin <version>` lands, this builds the
			`# release tarball and publishes it + the sha256 + release.json to the`
			`# Forgejo releases page for that tag. Boxes then POST /api/furtka/update`
			`# to pull from here.`
			`#`
			`# Version tags only (pattern matches CalVer like 26.0-alpha, 26.1, 27.0-beta).`
			`# Documentation / random tags are ignored by the [0-9]* prefix.`
			`on:`
			`push:`
			`tags: ['[0-9]*']`

			`jobs:`
			`release:`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@v4`
			`with:`
			`fetch-depth: 0 # changelog section extraction needs history`

			`- name: Build release tarball`
			`run: ./scripts/build-release-tarball.sh "${GITHUB_REF_NAME}"`

			`- name: Publish to Forgejo releases`
			`env:`
			`FORGEJO_TOKEN: ${{ secrets.FORGEJO_RELEASE_TOKEN }}`
			`run: ./scripts/publish-release.sh "${GITHUB_REF_NAME}"`