feat(ci): dispatch a repository event when the main webapp image is published

After the webapp image is pushed on a main build, emit a repository_dispatch
(main-image-published) carrying a digest-pinned image ref so other repositories
in the org can build or deploy from the exact artifact rather than chasing the
moving main tag. Fires only for the mutable main tag, never semver releases or
other tag builds, and only from the canonical repo.

Author: matt-aitken

.claude/rules/server-apps.md

@@ -14,7 +14,9 @@ area: webapp
 type: fix
 ---
 
-Brief description of what changed and why.
+A sentence or two on why this is better for users — what they can now do, what's
+faster, or what no longer breaks. Describe the change from the user's perspective,
+not the code change.
 EOF
 ```
 

.github/workflows/publish-webapp.yml

@@ -29,6 +29,9 @@ on:
       image_repo:
         description: The image repository the build was published to (without tag)
         value: ${{ jobs.publish.outputs.image_repo }}
+      digest:
+        description: Multi-arch index digest (sha256:...) of the published image
+        value: ${{ jobs.publish.outputs.digest }}
     secrets:
       SENTRY_AUTH_TOKEN:
         required: false
@@ -42,6 +45,7 @@ jobs:
       version: ${{ steps.get_tag.outputs.tag }}
       short_sha: ${{ steps.get_commit.outputs.sha_short }}
       image_repo: ${{ steps.set_tags.outputs.image_repo }}
+      digest: ${{ steps.build_push.outputs.digest }}
     steps:
       - name: 🏭 Setup Depot CLI
         uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1

.github/workflows/publish.yml

@@ -15,6 +15,8 @@ on:
         required: false
       SENTRY_AUTH_TOKEN:
         required: false
+      CROSS_REPO_PAT:
+        required: false
   push:
     branches:
       - main
@@ -112,3 +114,45 @@ jobs:
     uses: ./.github/workflows/trivy-image-webapp.yml
     with:
       image-ref: ${{ needs.publish-webapp.outputs.image_repo }}:${{ needs.publish-webapp.outputs.version }}
+
+  # Announce the freshly published mutable `main` webapp image to subscriber
+  # repos in the org via repository_dispatch, handing them a digest-pinned ref to
+  # build or deploy from. Fires only for the `main` tag — never semver releases or
+  # other tag builds — and only from the canonical repo (forks have no PAT).
+  dispatch-main-image:
+    name: 📣 Dispatch main image
+    needs: [publish-webapp]
+    if: github.repository == 'triggerdotdev/trigger.dev' && needs.publish-webapp.outputs.version == 'main'
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Build dispatch payload
+        id: payload
+        env:
+          IMAGE_REPO: ${{ needs.publish-webapp.outputs.image_repo }}
+          DIGEST: ${{ needs.publish-webapp.outputs.digest }}
+          COMMIT: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          # Pin to the exact multi-arch index just pushed so subscribers resolve a
+          # single immutable artifact rather than chasing the moving `main` tag.
+          if [[ -z "${DIGEST}" ]]; then
+            echo "::error::publish-webapp produced no image digest; refusing to dispatch"
+            exit 1
+          fi
+          image="${IMAGE_REPO}@${DIGEST}"
+          # jq --arg JSON-escapes every value, so the ref/commit can't break out of
+          # or inject into the client payload.
+          payload=$(jq -nc \
+            --arg img "$image" \
+            --arg c "$COMMIT" \
+            '{image: $img, commit: $c}')
+          echo "client_payload=$payload" >> "$GITHUB_OUTPUT"
+
+      - name: Send repository_dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          token: ${{ secrets.CROSS_REPO_PAT }}
+          repository: triggerdotdev/cloud
+          event-type: main-image-published
+          client-payload: ${{ steps.payload.outputs.client_payload }}

.server-changes/README.md

@@ -36,15 +36,15 @@ Speed up batch queue processing by removing stalls and fixing retry race
 
 ### Description
 
-The body text (below the frontmatter) is a one-line description of the change. Keep it concise — it will appear in release notes.
+The body text (below the frontmatter) is a short, user-facing description of the change. It appears verbatim in release notes.
 
 ### Writing guidance
 
-These entries are public-facing - they ship verbatim in user-visible release notes. A few rules to keep them clean:
+These entries are public-facing — they ship verbatim in user-visible release notes. Write them for users, not for whoever reviews the diff:
 
-- **One sentence is usually enough.** The body is the bullet in the changelog. If you need a paragraph, you're probably describing the implementation rather than the change.
+- **Lead with the user benefit.** A sentence or two on why the product is better now — what users can do, what's faster, what no longer breaks. The "why" matters more than a precise account of "what changed."
 - **Describe behavior, not implementation.** Skip internal scopes, middleware names, library specifics, framework internals. Users care about what's different for them, not how it's wired.
-- **Never name internal tools or infra.** Observability stacks, internal services, infra components, monitoring backends, CI surfaces, AWS specifics - none of these belong in user-facing notes.
+- **Never name internal tools or infra.** Observability stacks, internal services, infra components, monitoring backends, CI surfaces, AWS specifics — none of these belong in user-facing notes.
 
 ## Lifecycle
 
@@ -63,7 +63,8 @@ area: webapp
 type: feature
 ---
 
-TRQL query language and the Query page
+Query your runs with TRQL from the new Query page, so you can slice and explore run
+data without leaving the dashboard.
 ```
 
 **Bug fix:**
@@ -74,7 +75,8 @@ area: webapp
 type: fix
 ---
 
-Fix schedule limit counting for orgs with custom limits
+Schedule limits now count correctly for orgs with custom limits, so you can create
+every schedule your plan allows.
 ```
 
 **Improvement:**
@@ -85,5 +87,5 @@ area: webapp
 type: improvement
 ---
 
-Use the replica for API auth queries to reduce primary load
+The dashboard and API stay responsive under heavy load.
 ```