chore(export): update PDFs, hashes and signatures [skip ci]

2026-06-11 00:02:29 +02:00 · 2026-05-31 08:54:02 +00:00
23 changed files with 125 additions and 143 deletions
@@ -0,0 +1,25 @@
+name: 🗑️ DEPRECATED — Build & Sign & Release (combined)
+
+# DEPRECATED — replaced by build.yml, sign.yml, and release.yml
+# This workflow is disabled. It is kept only as a reference until the
+# split workflows have been confirmed stable in production.
+# Do not trigger this workflow.
+
+on:
+  workflow_dispatch:
+    inputs:
+      _disabled:
+        description: 'This workflow is deprecated. Use build.yml → sign.yml → release.yml instead.'
+        required: false
+        type: string
+
+jobs:
+  noop:
+    name: Deprecated — no-op
+    runs-on: ubuntu-latest
+    steps:
+      - name: ❌ Workflow is deprecated
+        run: |
+          echo "This workflow is deprecated."
+          echo "Use build.yml → sign.yml → release.yml instead."
+          exit 1
@@ -1,7 +1,7 @@
-# 1. Push to main → 01-build.yml runs automatically → note the run ID
-# 2. Manually trigger 02-sign.yml with that build run ID → note the sign run ID
-# 3. Manually trigger 03-release.yml with: version=v1.2.5, sign_run_id=<id>
-# 4. Manually trigger 04-changelog.yml with: version=v1.2.5
+# 1. Push to main → build.yml runs automatically → note the run ID
+# 2. Manually trigger sign.yml with that build run ID → note the sign run ID
+# 3. Manually trigger release.yml with: version=v1.2.5, sign_run_id=<id>
+# 4. Manually trigger changelog.yml with: version=v1.2.5

 name: 📖 Build PDFs

@@ -24,7 +24,7 @@ on:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
-      - ".github/workflows/01-build.yml"
+      - ".github/workflows/build.yml"

 permissions:
  contents: read
@@ -1,13 +1,14 @@
 name: 🚀 Release

 # Manual only — run this deliberately after build and sign are confirmed good.
-# Provide the 02-sign.yml run ID to pull artifacts from. The release tag is
-# automatically passed to the tag input. Exports "inputs.version" to $TAG.
+# Provide the sign.yml run ID to pull artifacts from. The release tag is
+# generated automatically as release-YYYYMMDD-<short-sha> — no version input
+# needed, no semver drift possible.
 on:
  workflow_dispatch:
    inputs:
      sign_run_id:
-        description: '02-sign.yml run ID to pull signatures and PDFs from'
+        description: 'sign.yml run ID to pull signatures and PDFs from'
        required: true
        type: string
      prerelease:
@@ -15,10 +16,6 @@ on:
        required: false
        default: false
        type: boolean
-      version:
-        description: 'Version string to record (e.g. v1.2.4) — required'
-        required: true
-        type: string

 permissions:
  contents: write # create releases and tags
@@ -98,7 +95,7 @@ jobs:
        run: |
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          DATE=$(date -u +'%Y%m%d')
-          TAG="${{ inputs.version }}"
+          TAG="release-${DATE}-${SHORT_SHA}"
          NAME="Release ${DATE} (${SHORT_SHA})"
          echo "tag=$TAG"   >> $GITHUB_OUTPUT
          echo "name=$NAME" >> $GITHUB_OUTPUT
@@ -111,12 +108,12 @@ jobs:
          tag_name:   ${{ steps.tag.outputs.tag }}
          name:       ${{ steps.tag.outputs.name }}
          prerelease: ${{ inputs.prerelease || false }}
-          draft:      true
+          draft:      false
          fail_on_unmatched_files: false
          body: |
            ## 📖 The Hitchhiker's Guide to Online Anonymity

-            Built from [`${{ inputs.version }}`](${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ inputs.version }}).
+            Built from [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) on `${{ github.ref_name }}`.

            ---

@@ -142,7 +142,7 @@ jobs:
            git push origin main
          fi

-      # Upload artifacts for 03-release.yml and verify job to consume
+      # Upload artifacts for release.yml and verify job to consume
      - name: 📤 Upload signatures artifact
        uses: actions/upload-artifact@v4
        with:
@@ -1 +1 @@
-www.anonymousplanet.org
+anonymousplanet.org
@@ -20,28 +20,6 @@ Notable changes to the guide and its tooling. Follows [Keep a Changelog](https:/

 ---

-## [v1.2.4]
-
-!!! Note "Meta"
-
-    - Rename workflows (GH - now we can know the order)
-
-!!! Note "Changed"
-
-    - Change the repo URL for our tor mirror
-    - Fix recommended reading admonition
-    - Refactoring some things and removing others
-    - More meta changes to the pipeline
-    - Rewrite developer guide for current pipeline
-
-!!! Note "Fixed"
-
-    - Fix an inline reference
-    - Use the Anonymous Planet RSK for releases (we used the MSK for testing)
-    - Prevent history dump and filter noise commits
-    - Actually save per-page PDFs for qpdf, not PNGs
-    - Fail fast with helpful message if pdftoppm or qpdf missing
-
 ## [v1.2.3]

 CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. Skipping v1.2.2 which was a placeholder and contained broken Python unsuitable for a tag/release.
@@ -50,17 +28,17 @@ CI/CD pipeline split into independent stages, dark PDF quality improved, release

    - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents.
    - **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`:
-        - `01-build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
-        - `02-sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
-        - `03-release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
+        - `build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
+        - `sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
+        - `release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
    - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build.
-    - **`04-changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
+    - **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
    - **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command.
    - **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode.

 !!! warning "Changed"

-    - `build-sign-release.yml` deprecated (now removed) - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
+    - `build-sign-release.yml` deprecated - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
    - The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`.
    - GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners.
    - VirusTotal scans moved to the release stage so they run once per release, not once per build.
@@ -101,6 +79,5 @@ First automated PDF build and the start of the CI pipeline.

 ---

-[v1.2.4]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.4
 [v1.2.3]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.3
 [v1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1
@@ -52,25 +52,26 @@ You also need **Google Chrome** or **Microsoft Edge** installed for the light-mo
 ```
 .github/
  workflows/
-    01-build.yml      # builds PDFs, uploads artifact
-    02-sign.yml       # hashes + GPG signs, uploads signatures artifact
-    03-release.yml    # publishes GitHub Release with all assets
-    04-changelog.yml  # prepends a new entry to docs/changelog/index.md
-    publish.yml       # deploys MkDocs site to GitHub Pages
+    build.yml              # builds PDFs, uploads artifact
+    sign.yml               # hashes + GPG signs, uploads signatures artifact
+    release.yml            # publishes GitHub Release with all assets
+    changelog.yml          # prepends a new entry to docs/changelog/index.md
+    publish.yml            # deploys MkDocs site to GitHub Pages
+    build-sign-release.yml # DEPRECATED - fails on trigger, kept for reference
 docs/
-  guide/index.md      # the guide (single Markdown file)
-  changelog/          # release notes
-  code/               # this page
-export/               # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
-pgp/                  # public signing keys
+  guide/index.md           # the guide (single Markdown file)
+  changelog/               # release notes
+  code/                    # this page
+export/                    # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
+pgp/                       # public signing keys
 scripts/
-  build_guide_pdf.py  # MkDocs + Chromium PDF builder
-  convert.py          # pixel-based dark mode PDF converter
-  update_changelog.py # auto-generates changelog entries from git log
-  setup_workflow.py   # GitHub Secrets setup assistant
-  verify_pdf.py       # signature verification helper
+  build_guide_pdf.py       # MkDocs + Chromium PDF builder
+  convert.py               # pixel-based dark mode PDF converter
+  update_changelog.py      # auto-generates changelog entries from git log
+  setup_workflow.py        # GitHub Secrets setup assistant
+  verify_pdf.py            # signature verification helper
  archived/
-    tag_release.py    # ARCHIVED - GPG tag helper (not used in current flow)
+    tag_release.py         # ARCHIVED - GPG tag helper (not used in current flow)
 ```

 ---
@@ -119,39 +120,39 @@ Opens at `http://127.0.0.1:8000`.

 ## CI/CD pipeline overview

-The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released. The workflows are numbered to help guide you.
+The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released.

 ```
 push to main  (or manual trigger)
      │
      ▼
-  01-build.yml
+  build.yml
  Builds thgtoa.pdf + thgtoa-dark.pdf.
  Uploads artifact: pdfs
  Note the run ID.
      │
-      │  # manually trigger 02-sign.yml with the build run ID
+      │  # manually trigger sign.yml with the build run ID
      ▼
-  02-sign.yml
+  sign.yml
  Downloads pdfs artifact. Hashes (SHA-256 + BLAKE2b) and GPG-signs
  all files. Commits export/ back to main. Uploads artifacts:
  signatures, pdfs-signed
  Note the run ID.
      │
-      │  # manually trigger 03-release.yml with the sign run ID
+      │  # manually trigger release.yml with the sign run ID
      ▼
-  03-release.yml
+  release.yml
  Downloads signatures + pdfs-signed artifacts. Runs VirusTotal.
  Creates GitHub Release tagged release-YYYYMMDD-<short-sha>.
      │
-      │  # manually trigger 04-changelog.yml with the version string
+      │  # manually trigger changelog.yml with the version string
      ▼
-  04-changelog.yml
+  changelog.yml
  Runs update_changelog.py, prepends a new ## [vX.Y.Z] entry,
  commits back to main.
 ```

-Each stage is independent. If signing fails (e.g. an expired/revoked key, other problems in CI), re-run only `02-sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.
+Each stage is independent. If signing fails (e.g. an expired key), re-run only `sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.

 !!! warning "Before you push"

@@ -165,7 +166,7 @@ Each stage is independent. If signing fails (e.g. an expired/revoked key, other

 ### 1. Trigger a build

-Push to `main` - `01-build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.
+Push to `main` - `build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.

 Once it completes successfully, **note the run ID** from the URL or the Actions list.

@@ -179,7 +180,7 @@ Go to **Actions → Sign PDFs → Run workflow**.
 |-------|-------|
 | `build_run_id` | The run ID from step 1 |

-`02-sign.yml` will:
+`sign.yml` will:

 - Download the PDFs artifact from the build run
 - Compute SHA-256 and BLAKE2b hashes, writing `thgtoa.pdf.sha256`, `thgtoa.pdf.b2sum`, `sha256sums.txt`, `b2sums.txt`, and the dark equivalents
@@ -200,7 +201,7 @@ Go to **Actions → Release → Run workflow**.
 | `sign_run_id` | The run ID from step 2 |
 | `prerelease` | `false` for a normal release |

-`03-release.yml` will:
+`release.yml` will:

 - Download `signatures` and `pdfs-signed` artifacts from the sign run
 - Upload both PDFs to VirusTotal
@@ -220,7 +221,7 @@ Go to **Actions → Update Changelog → Run workflow**.
 | `version` | The human-readable version string, e.g. `v1.2.4` |
 | `dry_run` | `true` to preview without committing |

-`04-changelog.yml` runs `scripts/update_changelog.py`, which:
+`changelog.yml` runs `scripts/update_changelog.py`, which:

 - Reads git log since the last `## [vX.Y.Z]` heading in the changelog
 - Categorises commits into Added / Changed / Fixed using conventional-commit prefixes
@@ -248,7 +249,7 @@ This format is always unique, requires no version decision at release time, and

 ## Commit message format

-All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook. Not because we want to limit cooperation with others, but becasue it promotes a cleaner Changelog; we can avoid all the noise by doing this programatically.
+All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook.

 ```
 <type>(<scope>): <description>
@@ -296,7 +297,7 @@ The passphrase protecting the private key above. Must match exactly - no trailin

 ### `ACTIONS_SSH_SIGNING_KEY`

-An SSH private key used by `02-sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:
+An SSH private key used by `sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:

 ```bash
 ssh-keygen -t ed25519 -C "github-actions signing key" -f actions_signing_key
@@ -306,11 +307,11 @@ Add the **private key** as the `ACTIONS_SSH_SIGNING_KEY` secret, and the **publi

 ### `VT_API_KEY`

-A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `03-release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.
+A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.

 ### `CHANGELOG_PAT`

-A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `04-changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.
+A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.

 **Creating one:** GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → set Contents to Read and write for this repo only.

@@ -318,11 +319,11 @@ A GitHub Personal Access Token with `contents: write` scope on this repository.

 | Secret | Required by | What happens if missing |
 |--------|------------|------------------------|
-| `GPG_PRIVATE_KEY` | `02-sign.yml` | Signing step fails - no `.asc` files produced |
-| `GPG_PASSPHRASE` | `02-sign.yml` | GPG import succeeds but signing fails |
-| `ACTIONS_SSH_SIGNING_KEY` | `02-sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
-| `VT_API_KEY` | `03-release.yml` | VirusTotal step fails - release is not published |
-| `CHANGELOG_PAT` | `04-changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |
+| `GPG_PRIVATE_KEY` | `sign.yml` | Signing step fails - no `.asc` files produced |
+| `GPG_PASSPHRASE` | `sign.yml` | GPG import succeeds but signing fails |
+| `ACTIONS_SSH_SIGNING_KEY` | `sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
+| `VT_API_KEY` | `release.yml` | VirusTotal step fails - release is not published |
+| `CHANGELOG_PAT` | `changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |

 ---

@@ -349,27 +350,9 @@ b2sum     -c b2sums.txt

 A successful verify looks like:

-```txt
-gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
-gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
-gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
-Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
 ```
-
-You can safely ignore Github, Codeberg, etc. warnings like "The email in this signature doesn’t match the committer email."
-
-```txt
-λ > git tag -v v1.2.3
-object cdc54d8b3bc2b286827b23921d8d4062f85295cf
-type commit
-tag v1.2.3
-tagger nopeitsnothing <no@anonymousplanet.org> 1780212206 -0400
-
-v1.2.3
-gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
-gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
-gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
-Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
+gpg: Signature made ...
+gpg: Good signature from "Anonymous Planet (Release) ..."
 ```

 ---
@@ -391,10 +374,10 @@ The `GPG_PRIVATE_KEY` secret is missing or malformed. Re-export with `gpg --armo
 **GPG signing fails with `Bad passphrase`**
 The `GPG_PASSPHRASE` secret has a trailing space or newline. Paste it again with no surrounding whitespace.

-**`03-release.yml` fails on VirusTotal**
+**`release.yml` fails on VirusTotal**
 The `VT_API_KEY` is missing, invalid, or over the rate limit (500 requests/day on the free tier). Check the secret and re-run after a few minutes.

-**`02-sign.yml` fails downloading PDF artifact**
+**`sign.yml` fails downloading PDF artifact**
 The `build_run_id` is wrong, or the artifact has expired (90-day retention). Trigger a new build and use the fresh run ID.

 **Changelog already contains version X**
@@ -1,2 +1,2 @@
-39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213  thgtoa.pdf
-ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa  thgtoa-dark.pdf
+7b9549543555e0da64175a3de010f50720a1d39d63d85da325433b03897ff0a1212b6c10467fec7c5cbe91dc7cab4f3ce17421be1e3dda8853d42ab5f1c34070  thgtoa.pdf
+f0125984a62fb3776086230375d546e35459208cdccf1978007f92752b61274d66ef66694842668894db72bc3a39fd746b0579f264319f0b68ffdcfbe9e1ae1f  thgtoa-dark.pdf
@@ -1,2 +1,2 @@
-ad7b3e327559dd835755615103bb1c59ef6f41ba652f6ee40c8fcdd082914f49  thgtoa.pdf
-1174ec6f1e074b6b0115cea54ee135e82e56771d7129dcf367037a7020d5b39c  thgtoa-dark.pdf
+54f44ad46d844bdfddb2579371059ef88cb56ff5eeba42644998e386a18d70ae  thgtoa.pdf
+c9a05d9fc09baa745099f029eab568dd1ed8fe36a9316a8919665629991a078c  thgtoa-dark.pdf
@@ -69302,7 +69302,7 @@ xref
 0021910912 00000 n 
 0022036117 00000 n 
 0022036228 00000 n 
-trailer << /Root 1 0 R /Size 723 /ID [<cd419da56268851842bfb9bf41343595><cd419da56268851842bfb9bf41343595>] >>
+trailer << /Root 1 0 R /Size 723 /ID [<34966b1de2265041f3a7412e09160d59><34966b1de2265041f3a7412e09160d59>] >>
 startxref
 22147277
 %%EOF
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNewAKCRDOxgrt6LmS
-opw7AQDdsg3JaS2vy2ZYCI4L1F+guKHF/zItJUSTj76DdOVzSAD+PKDCa4Io6OO9
-7v2odiJHOrbYNmte5FhhffUZL8Nz1A4=
-=oBfF
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahv3FQAKCRDOxgrt6LmS
+orf3AP9xFUMGyki3135dZ9gm953aWNvRrLHjdcBz7pyh3e41awD/WFem/9WCLH1C
+2Q91cqnL1ysnnf1y6wpp0XtewWMnBQA=
+=TLm3
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa
+f0125984a62fb3776086230375d546e35459208cdccf1978007f92752b61274d66ef66694842668894db72bc3a39fd746b0579f264319f0b68ffdcfbe9e1ae1f
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIRsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJkrQD/etBsZk8BI71Dn0mgTDIQ
-HaYuAqtld5MmKaV9AxlniWABANt6V/0ivcXSsxajFdvpdu4TI9D4GR07ZeKFjYXV
-EZsM
-=/p57
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fbdDgEAoSslLR47ydW/3r1wJOPY
+X/waLkVbkGZpHqwd4RjywwcA/3B7Ci+jUg+yP5TRsuChagEhwyO5vw2DxSlUGoB4
+ksH
+=2ja9
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIsEgD+PNgOOJy7GPQUYuaDlxeh
-ldQWf58ivLfQ6zpgeSSTiqIA/19EDw+Un9AYuxikZGp39vcNFxEhnwD7dRWZo/Ie
-ZyAE
-=OrTx
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faErgD/Svj1G+B7gmrZQ6AsLZ5J
+HfeldxjmrXE99dig1iHtl5IBAMndZZb+95TO03IZ9eLGfYuyTz4GCUanmftsY9yv
+LAIN
+=MEd0
 -----END PGP SIGNATURE-----
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNegAKCRDOxgrt6LmS
-ov0tAQCNiaIONY2A6zRVXUcOolOOCJY1pi9SvuJ/yalbTQewawEAsi7bhFYAo6c0
-yAy/jBcGD5E5HzLlmjkGvYcwsvWPfQo=
-=lnwq
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahv3FAAKCRDOxgrt6LmS
+otN3AQCAT+U5gzR11x2OiWq9xx0bCYYQc973rtabc/OB1RkwHgD+IUys8A9pAyf7
+5Npq+4SiPjhduZ7w82tMRffxdKAhWAU=
+=K+IA
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213
+7b9549543555e0da64175a3de010f50720a1d39d63d85da325433b03897ff0a1212b6c10467fec7c5cbe91dc7cab4f3ce17421be1e3dda8853d42ab5f1c34070
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIBsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJ6/QEAk2Ta0gygpWKSKstLjKwX
-wmqIyrEza93Xk22owhYi3FAA/jQslZb0MahgPZyf3PQ8syUlBJS8gKQ8nBEpf5BO
-Q/EK
-=Fvmv
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fatsgEAixDzH+zTnKYMEx3sikWp
+dsNTiHTU6wJY/brVJIU879UBAJntBIq72vqwKtMb/ZlVvomdDvKVllZw8ZsYBz1n
+aTkM
+=vkgy
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIN4gEA2T011PhyNNqhGcj0uVTD
-47AZKLxWhZXnLzD0sRUHY/oBAMWFfSXrKN5q8yml5dWLbvFqbcIpefgHD8smBd6v
-fzUH
-=3Cxi
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faAGQEAyEhVKrRoXIsV3E5f1FZg
+8fcsmbxCnKBqxichCkf0dWYBAIvbI146mQLHaNqLDaTIqCUQbkq1aE/YMFDGykUG
+ngsJ
+=/0RY
 -----END PGP SIGNATURE-----
@@ -4,4 +4,4 @@ Scripts kept for reference but no longer part of the active pipeline.

 | Script | Why archived |
 |--------|-------------|
-| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `03-release.yml`. Re-enable if semver release tagging is reintroduced. |
+| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `release.yml`. Re-enable if semver release tagging is reintroduced. |
@@ -396,7 +396,7 @@ def main() -> int:
    print("\n" + "=" * 70)
    print("  ✓ All done. Push the tag with:")
    print(f"\n    git push origin {version}\n")
-    print("  The 03-release.yml workflow can then be triggered manually from")
+    print("  The release.yml workflow can then be triggered manually from")
    print("  GitHub Actions to publish the GitHub Release for this tag.")
    print("=" * 70 + "\n")

@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 """Auto-generate and prepend a changelog entry to docs/changelog/index.md.

-Called by .github/workflows/04-changelog.yml. Reads git log since the last
+Called by .github/workflows/changelog.yml. Reads git log since the last
 changelog version, categorises commits by conventional-commit prefix,
 and prepends a new ## [vX.Y.Z] section in the MkDocs admonition format used
 by the rest of the file.