From 67ecacd0db48a9c2245e15cd78553c2c561e9659 Mon Sep 17 00:00:00 2001
From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com>
Date: Sat, 16 May 2026 22:04:20 +0200
Subject: [PATCH] chore(ci): align workflows with bitbox_flutter (develop
 default, auto-tag, auto-release-pr)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bring the repo's CI plumbing in line with the DFXswiss/bitbox_flutter
template now that develop is the default branch:

* test.yml → test.yaml, renamed `name: test` to `name: PR checks`,
  trigger expanded to push develop+main.
* auto-release-pr.yaml: every push to develop opens (or reuses) a
  `Release: develop -> main` PR.
* auto-tag.yaml: every push to main bumps the patch version and
  creates a GitHub release. Adapted from the bitbox_flutter template
  to also emit the `go/vX.Y.Z` submodule tag — without it `go install`
  for the audit CLI cannot resolve the package (see CONTRIBUTING).

Repo settings (default branch develop, branch rulesets mirroring
bitbox_flutter) were applied directly via the GitHub API.
---
 .github/workflows/auto-release-pr.yaml    | 70 ++++++++++++++++++
 .github/workflows/auto-tag.yaml           | 89 +++++++++++++++++++++++
 .github/workflows/{test.yml => test.yaml} |  6 +-
 3 files changed, 162 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/auto-release-pr.yaml
 create mode 100644 .github/workflows/auto-tag.yaml
 rename .github/workflows/{test.yml => test.yaml} (98%)

diff --git a/.github/workflows/auto-release-pr.yaml b/.github/workflows/auto-release-pr.yaml
new file mode 100644
index 0000000..cbb705b
--- /dev/null
+++ b/.github/workflows/auto-release-pr.yaml
@@ -0,0 +1,70 @@
+name: Auto Release PR
+
+on:
+  push:
+    branches: [develop]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: auto-release-pr
+  cancel-in-progress: false
+
+jobs:
+  create-release-pr:
+    name: Create Release PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Fetch main branch
+        run: git fetch origin main
+
+      - name: Check for existing PR
+        id: check-pr
+        run: |
+          PR_COUNT=$(gh pr list --base main --head develop --state open --json number --jq 'length')
+          echo "pr_exists=$([[ $PR_COUNT -gt 0 ]] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT
+          echo "::notice::Open PRs from develop to main: $PR_COUNT"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check for differences
+        id: check-diff
+        if: steps.check-pr.outputs.pr_exists == 'false'
+        run: |
+          DIFF_COUNT=$(git rev-list --count origin/main..origin/develop)
+          echo "has_changes=$([[ $DIFF_COUNT -gt 0 ]] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT
+          echo "commit_count=$DIFF_COUNT" >> $GITHUB_OUTPUT
+          echo "::notice::Commits ahead of main: $DIFF_COUNT"
+
+      - name: Create Release PR
+        if: steps.check-pr.outputs.pr_exists == 'false' && steps.check-diff.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMIT_COUNT: ${{ steps.check-diff.outputs.commit_count }}
+        run: |
+          printf '%s\n' \
+            "## Automatic Release PR" \
+            "" \
+            "This PR was automatically created after changes were pushed to develop." \
+            "" \
+            "**Commits:** ${COMMIT_COUNT} new commit(s)" \
+            "" \
+            "### Checklist" \
+            "- [ ] Review all changes" \
+            "- [ ] Verify CI passes" \
+            "- [ ] Approve and merge when ready for production" \
+            > /tmp/pr-body.md
+
+          gh pr create \
+            --base main \
+            --head develop \
+            --title "Release: develop -> main" \
+            --body-file /tmp/pr-body.md
diff --git a/.github/workflows/auto-tag.yaml b/.github/workflows/auto-tag.yaml
new file mode 100644
index 0000000..c0912c8
--- /dev/null
+++ b/.github/workflows/auto-tag.yaml
@@ -0,0 +1,89 @@
+name: Auto Tag on Merge
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+
+concurrency:
+  group: auto-tag
+  cancel-in-progress: false
+
+jobs:
+  create-tag:
+    name: Create Release Tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Get latest tag
+        id: get-tag
+        run: |
+          LATEST_TAG=$(git tag -l --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1)
+
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No existing tags found, starting with v0.0.0"
+            LATEST_TAG="v0.0.0"
+          fi
+
+          echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT
+          echo "::notice::Latest tag: $LATEST_TAG"
+
+      - name: Calculate next version
+        id: next-version
+        run: |
+          LATEST_TAG="${{ steps.get-tag.outputs.latest_tag }}"
+
+          VERSION="${LATEST_TAG#v}"
+          MAJOR=$(echo "$VERSION" | cut -d. -f1)
+          MINOR=$(echo "$VERSION" | cut -d. -f2)
+          PATCH=$(echo "$VERSION" | cut -d. -f3)
+
+          NEW_PATCH=$((PATCH + 1))
+          NEW_TAG="v${MAJOR}.${MINOR}.${NEW_PATCH}"
+
+          echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT
+          echo "::notice::New tag: $NEW_TAG"
+
+      - name: Check if tag exists
+        id: check-tag
+        run: |
+          NEW_TAG="${{ steps.next-version.outputs.new_tag }}"
+          if git rev-parse "$NEW_TAG" >/dev/null 2>&1; then
+            echo "::error::Tag $NEW_TAG already exists!"
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create tag and release
+        if: steps.check-tag.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_TAG: ${{ steps.next-version.outputs.new_tag }}
+          PREV_TAG: ${{ steps.get-tag.outputs.latest_tag }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Go submodule convention: the module at /go/ needs a `go/vX.Y.Z`
+          # tag on the same commit, otherwise `go install` cannot resolve
+          # the package — see CONTRIBUTING.md "Releases".
+          GO_TAG="go/${NEW_TAG}"
+          git tag -a "$NEW_TAG" -m "Release $NEW_TAG"
+          git tag -a "$GO_TAG" -m "$GO_TAG: submodule tag matching $NEW_TAG"
+          git push origin "$NEW_TAG" "$GO_TAG"
+
+          if [ "$PREV_TAG" = "v0.0.0" ]; then
+            gh release create "$NEW_TAG" --title "$NEW_TAG" --generate-notes
+          else
+            gh release create "$NEW_TAG" --title "$NEW_TAG" --generate-notes --notes-start-tag "$PREV_TAG"
+          fi
+
+          echo "::notice::Created tags $NEW_TAG and $GO_TAG, plus release $NEW_TAG"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yaml
similarity index 98%
rename from .github/workflows/test.yml
rename to .github/workflows/test.yaml
index 67842d1..d1227f7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yaml
@@ -1,9 +1,9 @@
-name: test
+name: PR checks
 
 on:
-  push:
-    branches: [main]
   pull_request:
+  push:
+    branches: [develop, main]
 
 permissions:
   contents: read