From 5bde9c22fed5bbde090d636b83e7ed9b1381a85f Mon Sep 17 00:00:00 2001
From: Emanuele <106186915+OneStepAt4time@users.noreply.github.com>
Date: Sat, 16 May 2026 10:55:03 +0200
Subject: [PATCH 1/3] =?UTF-8?q?fix(ci):=20skip=20check-tag-freshness=20for?=
 =?UTF-8?q?=20tag-push=20events=20=E2=80=94=20unblocks=20CI=20release=20pu?=
 =?UTF-8?q?blish?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The check was always failing for push:tags triggers because GitHub
guarantees a pushed tag is fresh (branch protection blocks force-push).
Only run the freshness check for workflow_dispatch where someone could
accidentally re-trigger an existing tag.

Fixes #3538

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3300bca18..d65e1d2e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -394,8 +394,14 @@ jobs:
         run: |
           set -euo pipefail
           TAG="${GITHUB_REF_NAME}"
-          # Recovery releases are always triggered by tag push — tag always exists.
-          # Skip freshness check for annotated tags containing 'recovery-release: true'.
+          # Tag-push events: GitHub already rejects pushes to existing tags (unless force-pushed,
+          # which branch protection blocks). The tag was just created — freshness is guaranteed.
+          if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
+            echo "::notice::Tag ${TAG} was just pushed — skipping freshness check for tag-push event."
+            exit 0
+          fi
+          # For workflow_dispatch: guard against accidentally re-running for an existing tag.
+          # Recovery releases skip this check (they always retag).
           if git cat-file -t "${TAG}" 2>/dev/null | grep -qx tag &&
              git cat-file tag "${TAG}" 2>/dev/null | grep -Fxq "recovery-release: true"; then
             echo "::notice::Tag ${TAG} is a recovery release — skipping freshness check."

From 6fbfe02d54015476ba95d9581e79da33402dfd6a Mon Sep 17 00:00:00 2001
From: Emanuele <106186915+OneStepAt4time@users.noreply.github.com>
Date: Sat, 16 May 2026 11:04:41 +0200
Subject: [PATCH 2/3] fix(ci): download artifacts before
 attest-build-provenance

The job was looking for *.tgz and deploy/helm/aegis/*.tgz in the working
directory but never downloaded them from previous jobs. Adds the two
download-artifact steps so the glob finds the files.

Fixes the last failing step in the v0.6.7 release CI run (25957844280).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d65e1d2e0..4c2e68473 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -979,6 +979,14 @@ jobs:
       attestations: write
     steps:
       - uses: actions/checkout@v6
+      - uses: actions/download-artifact@v8
+        with:
+          name: package
+          path: .
+      - uses: actions/download-artifact@v8
+        with:
+          name: helm-chart
+          path: deploy/helm/aegis
       - name: Generate build provenance attestation
         uses: actions/attest-build-provenance@v4
         with:

From 0f7ae4f7ca89fd56e90e17a61b430d442b2c76a4 Mon Sep 17 00:00:00 2001
From: Emanuele <106186915+OneStepAt4time@users.noreply.github.com>
Date: Sat, 16 May 2026 11:13:05 +0200
Subject: [PATCH 3/3] fix(ci): skip ClawHub publish gracefully when version
 already exists

Mirror the same already-exists pattern used by publish-npm: capture output,
check for "already exists" error, emit a notice and exit 0 instead of 1.

Removes the last remaining failure from the v0.6.7 clean release run.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c2e68473..b909427cf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -963,7 +963,16 @@ jobs:
         run: |
           set -euo pipefail
           VERSION=$(node -p "require('./package.json').version")
-          npx clawhub@latest publish skill/ --slug onestep-aegis --name "Aegis Bridge" --version "$VERSION" --changelog "Release v$VERSION - HTTP/MCP Claude Code orchestration"
+          set +e
+          OUTPUT=$(npx clawhub@latest publish skill/ --slug onestep-aegis --name "Aegis Bridge" --version "$VERSION" --changelog "Release v$VERSION - HTTP/MCP Claude Code orchestration" 2>&1)
+          STATUS=$?
+          set -e
+          echo "$OUTPUT"
+          if [ $STATUS -ne 0 ] && echo "$OUTPUT" | grep -qi "already exists"; then
+            echo "::notice::ClawHub version $VERSION already exists — skipping."
+          elif [ $STATUS -ne 0 ]; then
+            exit $STATUS
+          fi
 
   # H1: SLSA build provenance attestation.
   # Generates machine-readable provenance for every release artifact.