ci(pipeline): replace semver tagging with timestamp tags, drop tag_release.py

- release.yml now generates release-YYYYMMDD-<sha> tags automatically
- changelog.yml requires explicit version input, no auto-increment from tags
- sign.yml normalises extensions to .asc and .b2sum
- build-sign-release.yml neutered to a no-op with descriptive error
- tag_release.py archived to scripts/archived/
- update_changelog.py: version_from_changelog() is now primary version source
- .gitignore: fix export/ tracking to match actual file extensions
- docs/code/develop.md: fully rewritten to reflect new manual four-step flow

.github/workflows/sign.yml

@@ -11,8 +11,8 @@ on:
   workflow_dispatch:
     inputs:
       build_run_id:
-        description: 'build.yml run ID to download PDFs from (leave blank for latest)'
-        required: false
+        description: 'build.yml run ID to download PDFs from'
+        required: true
         type: string
 
 permissions:
@@ -39,31 +39,21 @@ jobs:
         with:
           sparse-checkout: pgp
 
-      # Download PDFs from the manually specified run ID (required for manual dispatch)
-      - name: 📥 Resolve source run ID
-        id: src
-        run: |
-          if [ -z "${{ inputs.build_run_id }}" ]; then
-            echo "::error::build_run_id is required — provide the build.yml run ID to pull PDFs from."
-            exit 1
-          fi
-          echo "run_id=${{ inputs.build_run_id }}" >> $GITHUB_OUTPUT
-
       - name: 📥 Download PDF artifacts
         uses: actions/download-artifact@v4
         with:
-          name:    pdfs
-          path:    export/
-          run-id:  ${{ steps.src.outputs.run_id }}
+          name:         pdfs
+          path:         export/
+          run-id:       ${{ inputs.build_run_id }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: 📋 List downloaded files
         run: ls -lh export/
 
       # ------------------------------------------------------------------ #
-      #  Hash
+      #  Hash — extensions match export/ conventions: .sha256, .b2sum
       # ------------------------------------------------------------------ #
-      - name: #️⃣ Hash PDFs
+      - name: "#️⃣ Hash PDFs"
         id: hashes
         run: |
           cd export
@@ -71,20 +61,19 @@ jobs:
           for f in thgtoa.pdf thgtoa-dark.pdf; do
             [ -f "$f" ] || continue
             sha256sum "$f" | awk '{print $1}' > "${f}.sha256"
-            b2sum     "$f" | awk '{print $1}' > "${f}.b2"
+            b2sum     "$f" | awk '{print $1}' > "${f}.b2sum"
           done
 
-          # Combined files (only include files that exist)
+          # Combined summary files
           sha256sum thgtoa.pdf thgtoa-dark.pdf 2>/dev/null > sha256sums.txt || \
             sha256sum thgtoa.pdf               2>/dev/null > sha256sums.txt
           b2sum     thgtoa.pdf thgtoa-dark.pdf 2>/dev/null > b2sums.txt     || \
             b2sum     thgtoa.pdf               2>/dev/null > b2sums.txt
 
-          # Expose individual hashes as outputs (empty string if file absent)
           light_sha256=$(cat thgtoa.pdf.sha256      2>/dev/null || echo "")
           dark_sha256=$(cat  thgtoa-dark.pdf.sha256 2>/dev/null || echo "")
-          light_b2=$(cat     thgtoa.pdf.b2          2>/dev/null || echo "")
-          dark_b2=$(cat      thgtoa-dark.pdf.b2     2>/dev/null || echo "")
+          light_b2=$(cat     thgtoa.pdf.b2sum       2>/dev/null || echo "")
+          dark_b2=$(cat      thgtoa-dark.pdf.b2sum  2>/dev/null || echo "")
 
           echo "light_sha256=$light_sha256" >> $GITHUB_OUTPUT
           echo "dark_sha256=$dark_sha256"   >> $GITHUB_OUTPUT
@@ -97,7 +86,7 @@ jobs:
           cat b2sums.txt
 
       # ------------------------------------------------------------------ #
-      #  GPG sign (maintainer-verifiable detached signatures for release)
+      #  GPG sign — detached ASCII-armor signatures use .asc extension
       # ------------------------------------------------------------------ #
       - name: 🔑 Install GPG
         run: |
@@ -122,8 +111,8 @@ jobs:
             [ -f "$file" ] || return 0
             echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
               --pinentry-mode loopback \
-              --detach-sign --armor --output "${file}.sig" "$file"
-            echo "Signed: $file"
+              --detach-sign --armor --output "${file}.asc" "$file"
+            echo "Signed: $file → ${file}.asc"
           }
           sign export/thgtoa.pdf
           sign export/thgtoa-dark.pdf
@@ -166,7 +155,7 @@ jobs:
           fi
 
       # ------------------------------------------------------------------ #
-      #  Upload — PDFs + all signatures and hashes together
+      #  Upload artifacts for release.yml to consume
       # ------------------------------------------------------------------ #
       - name: 📤 Upload signatures artifact
         uses: actions/upload-artifact@v4
@@ -177,12 +166,12 @@ jobs:
             export/b2sums.txt
             export/thgtoa.pdf.sha256
             export/thgtoa-dark.pdf.sha256
-            export/thgtoa.pdf.b2
-            export/thgtoa-dark.pdf.b2
-            export/thgtoa.pdf.sig
-            export/thgtoa-dark.pdf.sig
-            export/sha256sums.txt.sig
-            export/b2sums.txt.sig
+            export/thgtoa.pdf.b2sum
+            export/thgtoa-dark.pdf.b2sum
+            export/thgtoa.pdf.asc
+            export/thgtoa-dark.pdf.asc
+            export/sha256sums.txt.asc
+            export/b2sums.txt.asc
           if-no-files-found: error
           retention-days: 90
           compression-level: 0