ci(GitHub-CI): draft only, also use version output

Set the draft to true and manually verify tags before release
Set our version tag so we use [vX.X.X] for cleaner release
nopeitsnothing
2026-05-31 06:15:01 -04:00
parent cc5ad371a8
commit 45a8539a9e
20 changed files with 56095 additions and 53058 deletions
@@ -1,7 +1,7 @@
# 1. Push to main → build.yml runs automatically → note the run ID # 1. Push to main → 01-build.yml runs automatically → note the run ID
# 2. Manually trigger sign.yml with that build run ID → note the sign run ID # 2. Manually trigger 02-sign.yml with that build run ID → note the sign run ID
# 3. Manually trigger release.yml with: version=v1.2.5, sign_run_id=<id> # 3. Manually trigger 03-release.yml with: version=v1.2.5, sign_run_id=<id>
# 4. Manually trigger changelog.yml with: version=v1.2.5 # 4. Manually trigger 04-changelog.yml with: version=v1.2.5
name: 📖 Build PDFs name: 📖 Build PDFs
@@ -24,7 +24,7 @@ on:
- "docs/**" - "docs/**"
- "mkdocs.yml" - "mkdocs.yml"
- "scripts/**" - "scripts/**"
- ".github/workflows/build.yml" - ".github/workflows/01-build.yml"
permissions: permissions:
contents: read contents: read
@@ -142,7 +142,7 @@ jobs:
git push origin main git push origin main
fi fi
# Upload artifacts for release.yml and verify job to consume # Upload artifacts for 03-release.yml and verify job to consume
- name: 📤 Upload signatures artifact - name: 📤 Upload signatures artifact
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
@@ -1,14 +1,13 @@
name: 🚀 Release name: 🚀 Release
# Manual only — run this deliberately after build and sign are confirmed good. # Manual only — run this deliberately after build and sign are confirmed good.
# Provide the sign.yml run ID to pull artifacts from. The release tag is # Provide the 02-sign.yml run ID to pull artifacts from. The release tag is
# generated automatically as release-YYYYMMDD-<short-sha> — no version input # automatically passed to the tag input. Exports "inputs.version" to $TAG.
# needed, no semver drift possible.
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
sign_run_id: sign_run_id:
description: 'sign.yml run ID to pull signatures and PDFs from' description: '02-sign.yml run ID to pull signatures and PDFs from'
required: true required: true
type: string type: string
prerelease: prerelease:
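Review bot: the rewritten header comment says the release tag is "automatically passed to the tag input", but the workflow has no `tag` input; the value comes from the `version` input and is typed by whoever dispatches the run. Say that directly, for example "The release tag is taken from the required `version` input and exported as `$TAG`", so nobody reads the comment as meaning the tag is still generated.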
@@ -16,6 +15,10 @@ on:
required: false required: false
default: false default: false
type: boolean type: boolean
version:
description: 'Version string to record (e.g. v1.2.4) — required'
required: true
type: string
permissions: permissions:
contents: write # create releases and tags contents: write # create releases and tags
@@ -95,7 +98,7 @@ jobs:
run: | run: |
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
DATE=$(date -u +'%Y%m%d') DATE=$(date -u +'%Y%m%d')
TAG="release-${DATE}-${SHORT_SHA}" TAG="${{ inputs.version }}"
NAME="Release ${DATE} (${SHORT_SHA})" NAME="Release ${DATE} (${SHORT_SHA})"
echo "tag=$TAG" >> $GITHUB_OUTPUT echo "tag=$TAG" >> $GITHUB_OUTPUT
echo "name=$NAME" >> $GITHUB_OUTPUT echo "name=$NAME" >> $GITHUB_OUTPUT
@@ -108,12 +111,12 @@ jobs:
tag_name: ${{ steps.tag.outputs.tag }} tag_name: ${{ steps.tag.outputs.tag }}
name: ${{ steps.tag.outputs.name }} name: ${{ steps.tag.outputs.name }}
prerelease: ${{ inputs.prerelease || false }} prerelease: ${{ inputs.prerelease || false }}
draft: false draft: true
fail_on_unmatched_files: false fail_on_unmatched_files: false
body: | body: |
## 📖 The Hitchhiker's Guide to Online Anonymity ## 📖 The Hitchhiker's Guide to Online Anonymity
Built from [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) on `${{ github.ref_name }}`. Built from [`${{ inputs.version }}`](${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ inputs.version }}).
--- ---
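Review bot: the new `Built from` line in `body:` drops `${{ github.sha }}`, so the release notes no longer record which commit the PDFs came from, and the link now points at the release's own tag page, which will not resolve for readers until the draft is published. Keep the commit link next to the version. With `fail_on_unmatched_files: false` left unchanged, a draft that is missing a signature or hash file is still created, so the manual check that `draft: true` enables should include confirming every expected asset is attached.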
-25
@@ -1,25 +0,0 @@
name: 🗑️ DEPRECATED — Build & Sign & Release (combined)
# DEPRECATED — replaced by build.yml, sign.yml, and release.yml
# This workflow is disabled. It is kept only as a reference until the
# split workflows have been confirmed stable in production.
# Do not trigger this workflow.
on:
workflow_dispatch:
inputs:
_disabled:
description: 'This workflow is deprecated. Use build.yml → sign.yml → release.yml instead.'
required: false
type: string
jobs:
noop:
name: Deprecated — no-op
runs-on: ubuntu-latest
steps:
- name: ❌ Workflow is deprecated
run: |
echo "This workflow is deprecated."
echo "Use build.yml → sign.yml → release.yml instead."
exit 1
+28 -5
@@ -20,6 +20,28 @@ Notable changes to the guide and its tooling. Follows [Keep a Changelog](https:/
--- ---
## [v1.2.4]
!!! Note "Meta"
- Rename workflows (GH - now we can know the order)
!!! Note "Changed"
- Change the repo URL for our tor mirror
- Fix recommended reading admonition
- Refactoring some things and removing others
- More meta changes to the pipeline
- Rewrite developer guide for current pipeline
!!! Note "Fixed"
- Fix an inline reference
- Use the Anonymous Planet RSK for releases (we used the MSK for testing)
- Prevent history dump and filter noise commits
- Actually save per-page PDFs for qpdf, not PNGs
- Fail fast with helpful message if pdftoppm or qpdf missing
## [v1.2.3] ## [v1.2.3]
CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. Skipping v1.2.2 which was a placeholder and contained broken Python unsuitable for a tag/release. CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. Skipping v1.2.2 which was a placeholder and contained broken Python unsuitable for a tag/release.
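Review bot: the "Fixed" bullet "Use the Anonymous Planet RSK for releases (we used the MSK for testing)" announces a change of signing key using abbreviations the entry never expands. Readers who verify downloads need to know the key changed, so spell out both key names and give the fingerprint of the key that now signs releases, or point to where it is published under `pgp/`.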
@@ -28,17 +50,17 @@ CI/CD pipeline split into independent stages, dark PDF quality improved, release
- **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents. - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents.
- **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`: - **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`:
- `build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely. - `01-build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
- `sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build. - `02-sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
- `release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run. - `03-release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
- **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build. - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build.
- **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing. - **`04-changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
- **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command. - **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command.
- **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode. - **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode.
!!! warning "Changed" !!! warning "Changed"
- `build-sign-release.yml` deprecated - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete. - `build-sign-release.yml` deprecated (now removed) - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
- The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`. - The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`.
- GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners. - GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners.
- VirusTotal scans moved to the release stage so they run once per release, not once per build. - VirusTotal scans moved to the release stage so they run once per release, not once per build.
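Review bot: the edited `build-sign-release.yml` bullet under "Changed" now reads "deprecated (now removed)" and then "Will be deleted once in-flight runs complete", which contradict each other; drop the second sentence. The unchanged bullet below it still says the pipeline "chains automatically via `workflow_run` on every push to `main`", while the developer guide in this commit describes every step after the build as manual, so one of the two needs correcting. Renaming the files inside the v1.2.3 entry also rewrites what that release shipped; the rename is already recorded under v1.2.4, so the v1.2.3 text could keep the original names.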
@@ -79,5 +101,6 @@ First automated PDF build and the start of the CI pipeline.
--- ---
[v1.2.4]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.4
[v1.2.3]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.3 [v1.2.3]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.3
[v1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1 [v1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1
+60 -43
@@ -52,26 +52,25 @@ You also need **Google Chrome** or **Microsoft Edge** installed for the light-mo
``` ```
.github/ .github/
workflows/ workflows/
build.yml # builds PDFs, uploads artifact 01-build.yml # builds PDFs, uploads artifact
sign.yml # hashes + GPG signs, uploads signatures artifact 02-sign.yml # hashes + GPG signs, uploads signatures artifact
release.yml # publishes GitHub Release with all assets 03-release.yml # publishes GitHub Release with all assets
changelog.yml # prepends a new entry to docs/changelog/index.md 04-changelog.yml # prepends a new entry to docs/changelog/index.md
publish.yml # deploys MkDocs site to GitHub Pages publish.yml # deploys MkDocs site to GitHub Pages
build-sign-release.yml # DEPRECATED - fails on trigger, kept for reference
docs/ docs/
guide/index.md # the guide (single Markdown file) guide/index.md # the guide (single Markdown file)
changelog/ # release notes changelog/ # release notes
code/ # this page code/ # this page
export/ # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked) export/ # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
pgp/ # public signing keys pgp/ # public signing keys
scripts/ scripts/
build_guide_pdf.py # MkDocs + Chromium PDF builder build_guide_pdf.py # MkDocs + Chromium PDF builder
convert.py # pixel-based dark mode PDF converter convert.py # pixel-based dark mode PDF converter
update_changelog.py # auto-generates changelog entries from git log update_changelog.py # auto-generates changelog entries from git log
setup_workflow.py # GitHub Secrets setup assistant setup_workflow.py # GitHub Secrets setup assistant
verify_pdf.py # signature verification helper verify_pdf.py # signature verification helper
archived/ archived/
tag_release.py # ARCHIVED - GPG tag helper (not used in current flow) tag_release.py # ARCHIVED - GPG tag helper (not used in current flow)
``` ```
--- ---
@@ -120,39 +119,39 @@ Opens at `http://127.0.0.1:8000`.
## CI/CD pipeline overview ## CI/CD pipeline overview
The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released. The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released. The workflows are numbered to help guide you.
``` ```
push to main (or manual trigger) push to main (or manual trigger)
build.yml 01-build.yml
Builds thgtoa.pdf + thgtoa-dark.pdf. Builds thgtoa.pdf + thgtoa-dark.pdf.
Uploads artifact: pdfs Uploads artifact: pdfs
Note the run ID. Note the run ID.
│ # manually trigger sign.yml with the build run ID │ # manually trigger 02-sign.yml with the build run ID
sign.yml 02-sign.yml
Downloads pdfs artifact. Hashes (SHA-256 + BLAKE2b) and GPG-signs Downloads pdfs artifact. Hashes (SHA-256 + BLAKE2b) and GPG-signs
all files. Commits export/ back to main. Uploads artifacts: all files. Commits export/ back to main. Uploads artifacts:
signatures, pdfs-signed signatures, pdfs-signed
Note the run ID. Note the run ID.
│ # manually trigger release.yml with the sign run ID │ # manually trigger 03-release.yml with the sign run ID
release.yml 03-release.yml
Downloads signatures + pdfs-signed artifacts. Runs VirusTotal. Downloads signatures + pdfs-signed artifacts. Runs VirusTotal.
Creates GitHub Release tagged release-YYYYMMDD-<short-sha>. Creates GitHub Release tagged release-YYYYMMDD-<short-sha>.
│ # manually trigger changelog.yml with the version string │ # manually trigger 04-changelog.yml with the version string
changelog.yml 04-changelog.yml
Runs update_changelog.py, prepends a new ## [vX.Y.Z] entry, Runs update_changelog.py, prepends a new ## [vX.Y.Z] entry,
commits back to main. commits back to main.
``` ```
Each stage is independent. If signing fails (e.g. an expired key), re-run only `sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs. Each stage is independent. If signing fails (e.g. an expired/revoked key, other problems in CI), re-run only `02-sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.
!!! warning "Before you push" !!! warning "Before you push"
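Review bot: the `03-release.yml` box in the pipeline diagram still says "Creates GitHub Release tagged release-YYYYMMDD-<short-sha>", but this commit sets the tag from `inputs.version` and creates the release as a draft. Update the box to say the release is a draft tagged with the supplied version, and add the step where a maintainer checks the tag and publishes it.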
@@ -166,7 +165,7 @@ Each stage is independent. If signing fails (e.g. an expired key), re-run only `
### 1. Trigger a build ### 1. Trigger a build
Push to `main` - `build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**. Push to `main` - `01-build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.
Once it completes successfully, **note the run ID** from the URL or the Actions list. Once it completes successfully, **note the run ID** from the URL or the Actions list.
@@ -180,7 +179,7 @@ Go to **Actions → Sign PDFs → Run workflow**.
|-------|-------| |-------|-------|
| `build_run_id` | The run ID from step 1 | | `build_run_id` | The run ID from step 1 |
`sign.yml` will: `02-sign.yml` will:
- Download the PDFs artifact from the build run - Download the PDFs artifact from the build run
- Compute SHA-256 and BLAKE2b hashes, writing `thgtoa.pdf.sha256`, `thgtoa.pdf.b2sum`, `sha256sums.txt`, `b2sums.txt`, and the dark equivalents - Compute SHA-256 and BLAKE2b hashes, writing `thgtoa.pdf.sha256`, `thgtoa.pdf.b2sum`, `sha256sums.txt`, `b2sums.txt`, and the dark equivalents
@@ -201,7 +200,7 @@ Go to **Actions → Release → Run workflow**.
| `sign_run_id` | The run ID from step 2 | | `sign_run_id` | The run ID from step 2 |
| `prerelease` | `false` for a normal release | | `prerelease` | `false` for a normal release |
`release.yml` will: `03-release.yml` will:
- Download `signatures` and `pdfs-signed` artifacts from the sign run - Download `signatures` and `pdfs-signed` artifacts from the sign run
- Upload both PDFs to VirusTotal - Upload both PDFs to VirusTotal
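Review bot: the input table for the release step lists only `sign_run_id` and `prerelease`; the `version` input added to `03-release.yml` in this commit is `required: true` and is missing here. Add a row for it with the expected `vX.Y.Z` form, and tell the maintainer that the run now ends with a draft that must be reviewed and published by hand.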
@@ -221,7 +220,7 @@ Go to **Actions → Update Changelog → Run workflow**.
| `version` | The human-readable version string, e.g. `v1.2.4` | | `version` | The human-readable version string, e.g. `v1.2.4` |
| `dry_run` | `true` to preview without committing | | `dry_run` | `true` to preview without committing |
`changelog.yml` runs `scripts/update_changelog.py`, which: `04-changelog.yml` runs `scripts/update_changelog.py`, which:
- Reads git log since the last `## [vX.Y.Z]` heading in the changelog - Reads git log since the last `## [vX.Y.Z]` heading in the changelog
- Categorises commits into Added / Changed / Fixed using conventional-commit prefixes - Categorises commits into Added / Changed / Fixed using conventional-commit prefixes
@@ -249,7 +248,7 @@ This format is always unique, requires no version decision at release time, and
## Commit message format ## Commit message format
All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook. All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook. Not because we want to limit cooperation with others, but becasue it promotes a cleaner Changelog; we can avoid all the noise by doing this programatically.
``` ```
<type>(<scope>): <description> <type>(<scope>): <description>
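Review bot: the sentence added after "pre-commit hook." has two typos, "becasue" and "programatically", and "Not because we want to limit cooperation with others, but ..." is a fragment. Fold it into a full sentence, for example "This is not meant to limit cooperation; it keeps the changelog clean by letting us filter noise programmatically." The hunk header also shows the preceding section still ending "requires no version decision at release time", which no longer holds now that the release takes a `version` input.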
@@ -297,7 +296,7 @@ The passphrase protecting the private key above. Must match exactly - no trailin
### `ACTIONS_SSH_SIGNING_KEY` ### `ACTIONS_SSH_SIGNING_KEY`
An SSH private key used by `sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this: An SSH private key used by `02-sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:
```bash ```bash
ssh-keygen -t ed25519 -C "github-actions signing key" -f actions_signing_key ssh-keygen -t ed25519 -C "github-actions signing key" -f actions_signing_key
@@ -307,11 +306,11 @@ Add the **private key** as the `ACTIONS_SSH_SIGNING_KEY` secret, and the **publi
### `VT_API_KEY` ### `VT_API_KEY`
A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient. A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `03-release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.
### `CHANGELOG_PAT` ### `CHANGELOG_PAT`
A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows. A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `04-changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.
**Creating one:** GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → set Contents to Read and write for this repo only. **Creating one:** GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → set Contents to Read and write for this repo only.
@@ -319,11 +318,11 @@ A GitHub Personal Access Token with `contents: write` scope on this repository.
| Secret | Required by | What happens if missing | | Secret | Required by | What happens if missing |
|--------|------------|------------------------| |--------|------------|------------------------|
| `GPG_PRIVATE_KEY` | `sign.yml` | Signing step fails - no `.asc` files produced | | `GPG_PRIVATE_KEY` | `02-sign.yml` | Signing step fails - no `.asc` files produced |
| `GPG_PASSPHRASE` | `sign.yml` | GPG import succeeds but signing fails | | `GPG_PASSPHRASE` | `02-sign.yml` | GPG import succeeds but signing fails |
| `ACTIONS_SSH_SIGNING_KEY` | `sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) | | `ACTIONS_SSH_SIGNING_KEY` | `02-sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
| `VT_API_KEY` | `release.yml` | VirusTotal step fails - release is not published | | `VT_API_KEY` | `03-release.yml` | VirusTotal step fails - release is not published |
| `CHANGELOG_PAT` | `changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows | | `CHANGELOG_PAT` | `04-changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |
--- ---
@@ -350,9 +349,27 @@ b2sum -c b2sums.txt
A successful verify looks like: A successful verify looks like:
```txt
gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
gpg: using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
Primary key fingerprint: C302 3DBE A3FB 38C4 38BA 1EED CEC6 0AED E8B9 92A2
``` ```
gpg: Signature made ...
gpg: Good signature from "Anonymous Planet (Release) ..." You can safely ignore Github, Codeberg, etc. warnings like "The email in this signature doesnt match the committer email."
```txt
λ > git tag -v v1.2.3
object cdc54d8b3bc2b286827b23921d8d4062f85295cf
type commit
tag v1.2.3
tagger nopeitsnothing <no@anonymousplanet.org> 1780212206 -0400
v1.2.3
gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
gpg: using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
Primary key fingerprint: C302 3DBE A3FB 38C4 38BA 1EED CEC6 0AED E8B9 92A2
``` ```
--- ---
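Review bot: the added sentence telling readers they "can safely ignore" the mismatched-email warnings gives them nothing to check in its place. State what must match: the `Primary key fingerprint` line in the output against the fingerprint published under `pgp/`. The sample output shows `[ultimate]`, which reflects the maintainer's own keyring; a reader who has only imported the public key will see `[unknown]` and a warning that the key is not certified with a trusted signature, so say that this is expected and that the fingerprint comparison is what counts. "doesnt" needs an apostrophe and "Github" should be "GitHub".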
@@ -374,10 +391,10 @@ The `GPG_PRIVATE_KEY` secret is missing or malformed. Re-export with `gpg --armo
**GPG signing fails with `Bad passphrase`** **GPG signing fails with `Bad passphrase`**
The `GPG_PASSPHRASE` secret has a trailing space or newline. Paste it again with no surrounding whitespace. The `GPG_PASSPHRASE` secret has a trailing space or newline. Paste it again with no surrounding whitespace.
**`release.yml` fails on VirusTotal** **`03-release.yml` fails on VirusTotal**
The `VT_API_KEY` is missing, invalid, or over the rate limit (500 requests/day on the free tier). Check the secret and re-run after a few minutes. The `VT_API_KEY` is missing, invalid, or over the rate limit (500 requests/day on the free tier). Check the secret and re-run after a few minutes.
**`sign.yml` fails downloading PDF artifact** **`02-sign.yml` fails downloading PDF artifact**
The `build_run_id` is wrong, or the artifact has expired (90-day retention). Trigger a new build and use the fresh run ID. The `build_run_id` is wrong, or the artifact has expired (90-day retention). Trigger a new build and use the fresh run ID.
**Changelog already contains version X** **Changelog already contains version X**
+55956 -52937
File diff suppressed because it is too large
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHhsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fY6QAD/YCGJqs9HiRllFrF9EluE YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIW0QEA//CdwPzw4bU8YLlP4nOk
Ga4XUEQ/R6Q2zc+X6lX856sBAJIpxeMxUmMUXyr3xBAHxUf5eV+nQYkQQMKI81L1 5tSpz/mIaeLUcQarwqBXmJ0BALEV2caVahsMhlPT2micliSoe6MMD/AWRMUFzhWL
x8gL oOAI
=VX6l =/siY
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
+1 -1
@@ -1 +1 @@
f212d0425b38d5cd10da6dc804b60f143da23d4b07051aae31d0966082519b300af0e1c423683e0223738b33b138c687232b1c8bd68cf643777bbc5b588152bd ./export/thgtoa-dark.pdf 42cbd3e2e1b6909823c144869863dbba472255ae7af20e4cabc216869d83fe335895ac50941ae8efd1c8da99890991c51ff77ffbf57387c877df3f251ba45451 thgtoa-dark.pdf
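Review bot: the recorded path changes from `./export/thgtoa-dark.pdf` to the bare `thgtoa-dark.pdf` (the `thgtoa.pdf` checksum file changes the same way), so `b2sum -c` now resolves the file relative to the directory it is run from rather than the repository root. Confirm that the verification instructions and `verify_pdf.py` run from the directory holding the PDFs, and that the `.sha256` files follow the same convention, otherwise a correct download will report as failed.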
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIRsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fbdDgEAoSslLR47ydW/3r1wJOPY YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJkrQD/etBsZk8BI71Dn0mgTDIQ
X/waLkVbkGZpHqwd4RjywwcA/3B7Ci+jUg+yP5TRsuChagEhwyO5vw2DxSlUGoB4 HaYuAqtld5MmKaV9AxlniWABANt6V/0ivcXSsxajFdvpdu4TI9D4GR07ZeKFjYXV
+ksH EZsM
=2ja9 =/p57
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faErgD/Svj1G+B7gmrZQ6AsLZ5J YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIsEgD+PNgOOJy7GPQUYuaDlxeh
HfeldxjmrXE99dig1iHtl5IBAMndZZb+95TO03IZ9eLGfYuyTz4GCUanmftsY9yv ldQWf58ivLfQ6zpgeSSTiqIA/19EDw+Un9AYuxikZGp39vcNFxEhnwD7dRWZo/Ie
LAIN ZyAE
=MEd0 =OrTx
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
BIN
Binary file not shown.
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDDhsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7favvgEAvFFSB5NrsrKMYvGG5ZYB YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIi2AEA0ZG4r5QrPBULg3vsMOfV
iLIyt8Sn1rZmlVkibssMPq0BAImpZe8S7hWNkbukyEC4sLbKiOYvjbVipQHnrIUV dHreJnJWt8kiUHsbP1y4z7YBANW/0KikD7M4Odob5mN+9SqLmk5Hv3U4qmwMya9v
xPMH JTgG
=0hnj =Z6tx
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
+1 -1
@@ -1 +1 @@
436ed0df78c299f95b8d5ff94f43f26ec2e7825d92d843fc15419630d55ed5e0c98485e738c12715a2b6242633faae38e8a98935b361d44ddde97a1692cb01a1 ./export/thgtoa.pdf e2eebd97bf63d7ed429cf13b4f35cc5f18a42c64fbcb5870206776dbd02c3acb6d232114ce5f30062c65030c45c06331011d8bc53bf27dac454f3b3aae46aa89 thgtoa.pdf
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIBsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fatsgEAixDzH+zTnKYMEx3sikWp YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJ6/QEAk2Ta0gygpWKSKstLjKwX
dsNTiHTU6wJY/brVJIU879UBAJntBIq72vqwKtMb/ZlVvomdDvKVllZw8ZsYBz1n wmqIyrEza93Xk22owhYi3FAA/jQslZb0MahgPZyf3PQ8syUlBJS8gKQ8nBEpf5BO
aTkM Q/EK
=vkgy =Fvmv
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
+5 -5
@@ -1,8 +1,8 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faAGQEAyEhVKrRoXIsV3E5f1FZg YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIN4gEA2T011PhyNNqhGcj0uVTD
8fcsmbxCnKBqxichCkf0dWYBAIvbI146mQLHaNqLDaTIqCUQbkq1aE/YMFDGykUG 47AZKLxWhZXnLzD0sRUHY/oBAMWFfSXrKN5q8yml5dWLbvFqbcIpefgHD8smBd6v
ngsJ fzUH
=/0RY =3Cxi
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
+1 -1
@@ -4,4 +4,4 @@ Scripts kept for reference but no longer part of the active pipeline.
| Script | Why archived | | Script | Why archived |
|--------|-------------| |--------|-------------|
| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `release.yml`. Re-enable if semver release tagging is reintroduced. | | `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `03-release.yml`. Re-enable if semver release tagging is reintroduced. |
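Review bot: the "Why archived" cell still says `tag_release.py` was superseded by `release-YYYYMMDD-<sha>` tagging in `03-release.yml` and should be re-enabled "if semver release tagging is reintroduced", but this commit does reintroduce `vX.Y.Z` tags through the `version` input. Update the reason, and say how version tags are meant to be created and signed now, since the developer guide shows `git tag -v` output for a signed tag.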
+1 -1
@@ -396,7 +396,7 @@ def main() -> int:
print("\n" + "=" * 70) print("\n" + "=" * 70)
print(" ✓ All done. Push the tag with:") print(" ✓ All done. Push the tag with:")
print(f"\n git push origin {version}\n") print(f"\n git push origin {version}\n")
print(" The release.yml workflow can then be triggered manually from") print(" The 03-release.yml workflow can then be triggered manually from")
print(" GitHub Actions to publish the GitHub Release for this tag.") print(" GitHub Actions to publish the GitHub Release for this tag.")
print("=" * 70 + "\n") print("=" * 70 + "\n")
+1 -1
@@ -1,7 +1,7 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
"""Auto-generate and prepend a changelog entry to docs/changelog/index.md. """Auto-generate and prepend a changelog entry to docs/changelog/index.md.
Called by .github/workflows/changelog.yml. Reads git log since the last Called by .github/workflows/04-changelog.yml. Reads git log since the last
changelog version, categorises commits by conventional-commit prefix, changelog version, categorises commits by conventional-commit prefix,
and prepends a new ## [vX.Y.Z] section in the MkDocs admonition format used and prepends a new ## [vX.Y.Z] section in the MkDocs admonition format used
by the rest of the file. by the rest of the file.