Domain is no longer under my control.

I have no way to contact Lena, but she's back. So let's talk? You could've talked to me, what's up? I have a FUCK ton of work put into the guide, over the past years, and you just swoop down from your high horse? Let's chat. Seriously. Your site's broken, your links don't work at all, the design is meh. Not saying I'm not glad you're back, but this isn't how we do things around here. You can be cool and come talk to me. Please? Let's squash this beef you have where you saw my work and decided it wasn't good enough? Years of working on a personal project gone, for what? I have so much more to put into this project. The whole organization is basically still under my control, but now I don't have a platform. I control the Open Collective, the anonymousplanet.net domain, I have the knowledge, and you know you need me for this. Why are you cutting me off? Why not just come back and talk? Do people ever just call or text or email anymore? Before shoving a knife in someone's gut...
chore(export): update PDFs, hashes and signatures [skip ci]
2026-06-11 00:02:29 +02:00 · 2026-06-01 12:50:20 -04:00 · 2026-05-31 10:29:39 +00:00 · 2026-05-31 06:24:20 -04:00
23 changed files with 143 additions and 125 deletions
@@ -1,7 +1,7 @@
-# 1. Push to main → build.yml runs automatically → note the run ID
-# 2. Manually trigger sign.yml with that build run ID → note the sign run ID
-# 3. Manually trigger release.yml with: version=v1.2.5, sign_run_id=<id>
-# 4. Manually trigger changelog.yml with: version=v1.2.5
+# 1. Push to main → 01-build.yml runs automatically → note the run ID
+# 2. Manually trigger 02-sign.yml with that build run ID → note the sign run ID
+# 3. Manually trigger 03-release.yml with: version=v1.2.5, sign_run_id=<id>
+# 4. Manually trigger 04-changelog.yml with: version=v1.2.5

 name: 📖 Build PDFs

@@ -24,7 +24,7 @@ on:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
-      - ".github/workflows/build.yml"
+      - ".github/workflows/01-build.yml"

 permissions:
  contents: read
@@ -142,7 +142,7 @@ jobs:
            git push origin main
          fi

-      # Upload artifacts for release.yml and verify job to consume
+      # Upload artifacts for 03-release.yml and verify job to consume
      - name: 📤 Upload signatures artifact
        uses: actions/upload-artifact@v4
        with:
@@ -1,14 +1,13 @@
 name: 🚀 Release

 # Manual only — run this deliberately after build and sign are confirmed good.
-# Provide the sign.yml run ID to pull artifacts from. The release tag is
-# generated automatically as release-YYYYMMDD-<short-sha> — no version input
-# needed, no semver drift possible.
+# Provide the 02-sign.yml run ID to pull artifacts from. The release tag is
+# automatically passed to the tag input. Exports "inputs.version" to $TAG.
 on:
  workflow_dispatch:
    inputs:
      sign_run_id:
-        description: 'sign.yml run ID to pull signatures and PDFs from'
+        description: '02-sign.yml run ID to pull signatures and PDFs from'
        required: true
        type: string
      prerelease:
@@ -16,6 +15,10 @@ on:
        required: false
        default: false
        type: boolean
+      version:
+        description: 'Version string to record (e.g. v1.2.4) — required'
+        required: true
+        type: string

 permissions:
  contents: write # create releases and tags
@@ -95,7 +98,7 @@ jobs:
        run: |
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          DATE=$(date -u +'%Y%m%d')
-          TAG="release-${DATE}-${SHORT_SHA}"
+          TAG="${{ inputs.version }}"
          NAME="Release ${DATE} (${SHORT_SHA})"
          echo "tag=$TAG"   >> $GITHUB_OUTPUT
          echo "name=$NAME" >> $GITHUB_OUTPUT
@@ -108,12 +111,12 @@ jobs:
          tag_name:   ${{ steps.tag.outputs.tag }}
          name:       ${{ steps.tag.outputs.name }}
          prerelease: ${{ inputs.prerelease || false }}
-          draft:      false
+          draft:      true
          fail_on_unmatched_files: false
          body: |
            ## 📖 The Hitchhiker's Guide to Online Anonymity

-            Built from [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) on `${{ github.ref_name }}`.
+            Built from [`${{ inputs.version }}`](${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ inputs.version }}).

            ---

@@ -1,25 +0,0 @@
-name: 🗑️ DEPRECATED — Build & Sign & Release (combined)
-
-# DEPRECATED — replaced by build.yml, sign.yml, and release.yml
-# This workflow is disabled. It is kept only as a reference until the
-# split workflows have been confirmed stable in production.
-# Do not trigger this workflow.
-
-on:
-  workflow_dispatch:
-    inputs:
-      _disabled:
-        description: 'This workflow is deprecated. Use build.yml → sign.yml → release.yml instead.'
-        required: false
-        type: string
-
-jobs:
-  noop:
-    name: Deprecated — no-op
-    runs-on: ubuntu-latest
-    steps:
-      - name: ❌ Workflow is deprecated
-        run: |
-          echo "This workflow is deprecated."
-          echo "Use build.yml → sign.yml → release.yml instead."
-          exit 1
@@ -1 +1 @@
-anonymousplanet.org
+www.anonymousplanet.org
@@ -20,6 +20,28 @@ Notable changes to the guide and its tooling. Follows [Keep a Changelog](https:/

 ---

+## [v1.2.4]
+
+!!! Note "Meta"
+
+    - Rename workflows (GH - now we can know the order)
+
+!!! Note "Changed"
+
+    - Change the repo URL for our tor mirror
+    - Fix recommended reading admonition
+    - Refactoring some things and removing others
+    - More meta changes to the pipeline
+    - Rewrite developer guide for current pipeline
+
+!!! Note "Fixed"
+
+    - Fix an inline reference
+    - Use the Anonymous Planet RSK for releases (we used the MSK for testing)
+    - Prevent history dump and filter noise commits
+    - Actually save per-page PDFs for qpdf, not PNGs
+    - Fail fast with helpful message if pdftoppm or qpdf missing
+
 ## [v1.2.3]

 CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. Skipping v1.2.2 which was a placeholder and contained broken Python unsuitable for a tag/release.
@@ -28,17 +50,17 @@ CI/CD pipeline split into independent stages, dark PDF quality improved, release

    - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents.
    - **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`:
-        - `build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
-        - `sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
-        - `release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
+        - `01-build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
+        - `02-sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
+        - `03-release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
    - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build.
-    - **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
+    - **`04-changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
    - **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command.
    - **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode.

 !!! warning "Changed"

-    - `build-sign-release.yml` deprecated - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
+    - `build-sign-release.yml` deprecated (now removed) - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
    - The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`.
    - GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners.
    - VirusTotal scans moved to the release stage so they run once per release, not once per build.
@@ -79,5 +101,6 @@ First automated PDF build and the start of the CI pipeline.

 ---

+[v1.2.4]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.4
 [v1.2.3]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.3
 [v1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1
@@ -52,26 +52,25 @@ You also need **Google Chrome** or **Microsoft Edge** installed for the light-mo
 ```
 .github/
  workflows/
-    build.yml              # builds PDFs, uploads artifact
-    sign.yml               # hashes + GPG signs, uploads signatures artifact
-    release.yml            # publishes GitHub Release with all assets
-    changelog.yml          # prepends a new entry to docs/changelog/index.md
-    publish.yml            # deploys MkDocs site to GitHub Pages
-    build-sign-release.yml # DEPRECATED - fails on trigger, kept for reference
+    01-build.yml      # builds PDFs, uploads artifact
+    02-sign.yml       # hashes + GPG signs, uploads signatures artifact
+    03-release.yml    # publishes GitHub Release with all assets
+    04-changelog.yml  # prepends a new entry to docs/changelog/index.md
+    publish.yml       # deploys MkDocs site to GitHub Pages
 docs/
-  guide/index.md           # the guide (single Markdown file)
-  changelog/               # release notes
-  code/                    # this page
-export/                    # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
-pgp/                       # public signing keys
+  guide/index.md      # the guide (single Markdown file)
+  changelog/          # release notes
+  code/               # this page
+export/               # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
+pgp/                  # public signing keys
 scripts/
-  build_guide_pdf.py       # MkDocs + Chromium PDF builder
-  convert.py               # pixel-based dark mode PDF converter
-  update_changelog.py      # auto-generates changelog entries from git log
-  setup_workflow.py        # GitHub Secrets setup assistant
-  verify_pdf.py            # signature verification helper
+  build_guide_pdf.py  # MkDocs + Chromium PDF builder
+  convert.py          # pixel-based dark mode PDF converter
+  update_changelog.py # auto-generates changelog entries from git log
+  setup_workflow.py   # GitHub Secrets setup assistant
+  verify_pdf.py       # signature verification helper
  archived/
-    tag_release.py         # ARCHIVED - GPG tag helper (not used in current flow)
+    tag_release.py    # ARCHIVED - GPG tag helper (not used in current flow)
 ```

 ---
@@ -120,39 +119,39 @@ Opens at `http://127.0.0.1:8000`.

 ## CI/CD pipeline overview

-The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released.
+The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released. The workflows are numbered to help guide you.

 ```
 push to main  (or manual trigger)
      │
      ▼
-  build.yml
+  01-build.yml
  Builds thgtoa.pdf + thgtoa-dark.pdf.
  Uploads artifact: pdfs
  Note the run ID.
      │
-      │  # manually trigger sign.yml with the build run ID
+      │  # manually trigger 02-sign.yml with the build run ID
      ▼
-  sign.yml
+  02-sign.yml
  Downloads pdfs artifact. Hashes (SHA-256 + BLAKE2b) and GPG-signs
  all files. Commits export/ back to main. Uploads artifacts:
  signatures, pdfs-signed
  Note the run ID.
      │
-      │  # manually trigger release.yml with the sign run ID
+      │  # manually trigger 03-release.yml with the sign run ID
      ▼
-  release.yml
+  03-release.yml
  Downloads signatures + pdfs-signed artifacts. Runs VirusTotal.
  Creates GitHub Release tagged release-YYYYMMDD-<short-sha>.
      │
-      │  # manually trigger changelog.yml with the version string
+      │  # manually trigger 04-changelog.yml with the version string
      ▼
-  changelog.yml
+  04-changelog.yml
  Runs update_changelog.py, prepends a new ## [vX.Y.Z] entry,
  commits back to main.
 ```

-Each stage is independent. If signing fails (e.g. an expired key), re-run only `sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.
+Each stage is independent. If signing fails (e.g. an expired/revoked key, other problems in CI), re-run only `02-sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.

 !!! warning "Before you push"

@@ -166,7 +165,7 @@ Each stage is independent. If signing fails (e.g. an expired key), re-run only `

 ### 1. Trigger a build

-Push to `main` - `build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.
+Push to `main` - `01-build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.

 Once it completes successfully, **note the run ID** from the URL or the Actions list.

@@ -180,7 +179,7 @@ Go to **Actions → Sign PDFs → Run workflow**.
 |-------|-------|
 | `build_run_id` | The run ID from step 1 |

-`sign.yml` will:
+`02-sign.yml` will:

 - Download the PDFs artifact from the build run
 - Compute SHA-256 and BLAKE2b hashes, writing `thgtoa.pdf.sha256`, `thgtoa.pdf.b2sum`, `sha256sums.txt`, `b2sums.txt`, and the dark equivalents
@@ -201,7 +200,7 @@ Go to **Actions → Release → Run workflow**.
 | `sign_run_id` | The run ID from step 2 |
 | `prerelease` | `false` for a normal release |

-`release.yml` will:
+`03-release.yml` will:

 - Download `signatures` and `pdfs-signed` artifacts from the sign run
 - Upload both PDFs to VirusTotal
@@ -221,7 +220,7 @@ Go to **Actions → Update Changelog → Run workflow**.
 | `version` | The human-readable version string, e.g. `v1.2.4` |
 | `dry_run` | `true` to preview without committing |

-`changelog.yml` runs `scripts/update_changelog.py`, which:
+`04-changelog.yml` runs `scripts/update_changelog.py`, which:

 - Reads git log since the last `## [vX.Y.Z]` heading in the changelog
 - Categorises commits into Added / Changed / Fixed using conventional-commit prefixes
@@ -249,7 +248,7 @@ This format is always unique, requires no version decision at release time, and

 ## Commit message format

-All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook.
+All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook. Not because we want to limit cooperation with others, but becasue it promotes a cleaner Changelog; we can avoid all the noise by doing this programatically.

 ```
 <type>(<scope>): <description>
@@ -297,7 +296,7 @@ The passphrase protecting the private key above. Must match exactly - no trailin

 ### `ACTIONS_SSH_SIGNING_KEY`

-An SSH private key used by `sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:
+An SSH private key used by `02-sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:

 ```bash
 ssh-keygen -t ed25519 -C "github-actions signing key" -f actions_signing_key
@@ -307,11 +306,11 @@ Add the **private key** as the `ACTIONS_SSH_SIGNING_KEY` secret, and the **publi

 ### `VT_API_KEY`

-A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.
+A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `03-release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.

 ### `CHANGELOG_PAT`

-A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.
+A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `04-changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.

 **Creating one:** GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → set Contents to Read and write for this repo only.

@@ -319,11 +318,11 @@ A GitHub Personal Access Token with `contents: write` scope on this repository.

 | Secret | Required by | What happens if missing |
 |--------|------------|------------------------|
-| `GPG_PRIVATE_KEY` | `sign.yml` | Signing step fails - no `.asc` files produced |
-| `GPG_PASSPHRASE` | `sign.yml` | GPG import succeeds but signing fails |
-| `ACTIONS_SSH_SIGNING_KEY` | `sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
-| `VT_API_KEY` | `release.yml` | VirusTotal step fails - release is not published |
-| `CHANGELOG_PAT` | `changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |
+| `GPG_PRIVATE_KEY` | `02-sign.yml` | Signing step fails - no `.asc` files produced |
+| `GPG_PASSPHRASE` | `02-sign.yml` | GPG import succeeds but signing fails |
+| `ACTIONS_SSH_SIGNING_KEY` | `02-sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
+| `VT_API_KEY` | `03-release.yml` | VirusTotal step fails - release is not published |
+| `CHANGELOG_PAT` | `04-changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |

 ---

@@ -350,9 +349,27 @@ b2sum     -c b2sums.txt

 A successful verify looks like:

+```txt
+gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
+gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
+gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
+Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
 ```
-gpg: Signature made ...
-gpg: Good signature from "Anonymous Planet (Release) ..."
+
+You can safely ignore Github, Codeberg, etc. warnings like "The email in this signature doesn’t match the committer email."
+
+```txt
+λ > git tag -v v1.2.3
+object cdc54d8b3bc2b286827b23921d8d4062f85295cf
+type commit
+tag v1.2.3
+tagger nopeitsnothing <no@anonymousplanet.org> 1780212206 -0400
+
+v1.2.3
+gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
+gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
+gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
+Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
 ```

 ---
@@ -374,10 +391,10 @@ The `GPG_PRIVATE_KEY` secret is missing or malformed. Re-export with `gpg --armo
 **GPG signing fails with `Bad passphrase`**
 The `GPG_PASSPHRASE` secret has a trailing space or newline. Paste it again with no surrounding whitespace.

-**`release.yml` fails on VirusTotal**
+**`03-release.yml` fails on VirusTotal**
 The `VT_API_KEY` is missing, invalid, or over the rate limit (500 requests/day on the free tier). Check the secret and re-run after a few minutes.

-**`sign.yml` fails downloading PDF artifact**
+**`02-sign.yml` fails downloading PDF artifact**
 The `build_run_id` is wrong, or the artifact has expired (90-day retention). Trigger a new build and use the fresh run ID.

 **Changelog already contains version X**
@@ -1,2 +1,2 @@
-7b9549543555e0da64175a3de010f50720a1d39d63d85da325433b03897ff0a1212b6c10467fec7c5cbe91dc7cab4f3ce17421be1e3dda8853d42ab5f1c34070  thgtoa.pdf
-f0125984a62fb3776086230375d546e35459208cdccf1978007f92752b61274d66ef66694842668894db72bc3a39fd746b0579f264319f0b68ffdcfbe9e1ae1f  thgtoa-dark.pdf
+39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213  thgtoa.pdf
+ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa  thgtoa-dark.pdf
@@ -1,2 +1,2 @@
-54f44ad46d844bdfddb2579371059ef88cb56ff5eeba42644998e386a18d70ae  thgtoa.pdf
-c9a05d9fc09baa745099f029eab568dd1ed8fe36a9316a8919665629991a078c  thgtoa-dark.pdf
+ad7b3e327559dd835755615103bb1c59ef6f41ba652f6ee40c8fcdd082914f49  thgtoa.pdf
+1174ec6f1e074b6b0115cea54ee135e82e56771d7129dcf367037a7020d5b39c  thgtoa-dark.pdf
@@ -69302,7 +69302,7 @@ xref
 0021910912 00000 n 
 0022036117 00000 n 
 0022036228 00000 n 
-trailer << /Root 1 0 R /Size 723 /ID [<34966b1de2265041f3a7412e09160d59><34966b1de2265041f3a7412e09160d59>] >>
+trailer << /Root 1 0 R /Size 723 /ID [<cd419da56268851842bfb9bf41343595><cd419da56268851842bfb9bf41343595>] >>
 startxref
 22147277
 %%EOF
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahv3FQAKCRDOxgrt6LmS
-orf3AP9xFUMGyki3135dZ9gm953aWNvRrLHjdcBz7pyh3e41awD/WFem/9WCLH1C
-2Q91cqnL1ysnnf1y6wpp0XtewWMnBQA=
-=TLm3
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNewAKCRDOxgrt6LmS
+opw7AQDdsg3JaS2vy2ZYCI4L1F+guKHF/zItJUSTj76DdOVzSAD+PKDCa4Io6OO9
+7v2odiJHOrbYNmte5FhhffUZL8Nz1A4=
+=oBfF
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-f0125984a62fb3776086230375d546e35459208cdccf1978007f92752b61274d66ef66694842668894db72bc3a39fd746b0579f264319f0b68ffdcfbe9e1ae1f
+ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fbdDgEAoSslLR47ydW/3r1wJOPY
-X/waLkVbkGZpHqwd4RjywwcA/3B7Ci+jUg+yP5TRsuChagEhwyO5vw2DxSlUGoB4
-+ksH
-=2ja9
+iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIRsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJkrQD/etBsZk8BI71Dn0mgTDIQ
+HaYuAqtld5MmKaV9AxlniWABANt6V/0ivcXSsxajFdvpdu4TI9D4GR07ZeKFjYXV
+EZsM
+=/p57
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faErgD/Svj1G+B7gmrZQ6AsLZ5J
-HfeldxjmrXE99dig1iHtl5IBAMndZZb+95TO03IZ9eLGfYuyTz4GCUanmftsY9yv
-LAIN
-=MEd0
+iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIsEgD+PNgOOJy7GPQUYuaDlxeh
+ldQWf58ivLfQ6zpgeSSTiqIA/19EDw+Un9AYuxikZGp39vcNFxEhnwD7dRWZo/Ie
+ZyAE
+=OrTx
 -----END PGP SIGNATURE-----
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahv3FAAKCRDOxgrt6LmS
-otN3AQCAT+U5gzR11x2OiWq9xx0bCYYQc973rtabc/OB1RkwHgD+IUys8A9pAyf7
-5Npq+4SiPjhduZ7w82tMRffxdKAhWAU=
-=K+IA
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNegAKCRDOxgrt6LmS
+ov0tAQCNiaIONY2A6zRVXUcOolOOCJY1pi9SvuJ/yalbTQewawEAsi7bhFYAo6c0
+yAy/jBcGD5E5HzLlmjkGvYcwsvWPfQo=
+=lnwq
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-7b9549543555e0da64175a3de010f50720a1d39d63d85da325433b03897ff0a1212b6c10467fec7c5cbe91dc7cab4f3ce17421be1e3dda8853d42ab5f1c34070
+39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fatsgEAixDzH+zTnKYMEx3sikWp
-dsNTiHTU6wJY/brVJIU879UBAJntBIq72vqwKtMb/ZlVvomdDvKVllZw8ZsYBz1n
-aTkM
-=vkgy
+iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIBsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJ6/QEAk2Ta0gygpWKSKstLjKwX
+wmqIyrEza93Xk22owhYi3FAA/jQslZb0MahgPZyf3PQ8syUlBJS8gKQ8nBEpf5BO
+Q/EK
+=Fvmv
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faAGQEAyEhVKrRoXIsV3E5f1FZg
-8fcsmbxCnKBqxichCkf0dWYBAIvbI146mQLHaNqLDaTIqCUQbkq1aE/YMFDGykUG
-ngsJ
-=/0RY
+iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIN4gEA2T011PhyNNqhGcj0uVTD
+47AZKLxWhZXnLzD0sRUHY/oBAMWFfSXrKN5q8yml5dWLbvFqbcIpefgHD8smBd6v
+fzUH
+=3Cxi
 -----END PGP SIGNATURE-----
@@ -4,4 +4,4 @@ Scripts kept for reference but no longer part of the active pipeline.

 | Script | Why archived |
 |--------|-------------|
-| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `release.yml`. Re-enable if semver release tagging is reintroduced. |
+| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `03-release.yml`. Re-enable if semver release tagging is reintroduced. |
@@ -396,7 +396,7 @@ def main() -> int:
    print("\n" + "=" * 70)
    print("  ✓ All done. Push the tag with:")
    print(f"\n    git push origin {version}\n")
-    print("  The release.yml workflow can then be triggered manually from")
+    print("  The 03-release.yml workflow can then be triggered manually from")
    print("  GitHub Actions to publish the GitHub Release for this tag.")
    print("=" * 70 + "\n")

@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 """Auto-generate and prepend a changelog entry to docs/changelog/index.md.

-Called by .github/workflows/changelog.yml. Reads git log since the last
+Called by .github/workflows/04-changelog.yml. Reads git log since the last
 changelog version, categorises commits by conventional-commit prefix,
 and prepends a new ## [vX.Y.Z] section in the MkDocs admonition format used
 by the rest of the file.