- call_tool: 30s hard timeout via tokio::time::timeout
- discover_server: 60s hard timeout wrapping full connect+discover sequence
- delete_mcp_server: write_audit_event before cascade delete, capturing
server name, tool count, and resource count
- initiate_mcp_oauth: append cryptographically random state nonce for CSRF
- pr-review.yml: rewrite prompt to require line-quoted evidence for every
finding and eliminate hallucinated false positives
- Implement AgentRegistry system with devops-incident-responder agent
- Add domain detection based on conversation keywords
- Inject devops-incident-responder as primary system prompt
- Auto-switch domain prompts silently when context shifts
- Fix version update script to handle JSON format correctly
- Always display version in bottom-left corner
- Add release notes fallback to git commits if CHANGELOG empty
This implements the full devops-incident-responder agent as the primary
system prompt, with domain-specific SME prompts layered on top based on
conversation content analysis. The version display bug is fixed by removing
the collapsed condition, and release notes now have a fallback mechanism.
Replace direct Ollama API calls with liteLLM proxy at
172.0.0.29:11434 using qwen2.5-72b (72B VLLM model). Increase
timeouts to 300s for larger model inference. Reuses existing
OLLAMA_API_KEY secret for liteLLM auth.
Also add push-to-master trigger on test.yml so merges to master
run the full CI suite (previously only pull_request events triggered).
- Remove --locked flag from cargo fmt, clippy, and test commands in CI
- Update build.rs to use Rust 2021 direct variable interpolation in format strings
- Add --locked to fmt, clippy, and test commands in CI
- Remove updateCargoLock() and rely on cargo generate-lockfile
- Add .git directory existence check in update-version.mjs
- Use package.json as dynamic fallback instead of hardcoded 0.2.50
- Ensure execSync uses shell: false explicitly
- Replace npm ci with npm install in CI
- Remove --locked flag from cargo clippy/test
- Add cargo generate-lockfile after version update
- Update update-version.mjs with semver validation
- Add build.rs for Rust-level version injection
- Add build.rs to read version from git describe --tags
- Create update-version.mjs script to sync version across files
- Add get_app_version() command to Rust backend
- Update App.tsx to use custom version command
- Run version update in CI before Rust checks
- set -euo pipefail (was -eu; pipefail catches silent pipe failures)
- Validate TAG against ^v[0-9]+\.[0-9]+\.[0-9]+$ before use in commit
message and JSON payload — prevents shell injection
- Tolerate 404 on SHA fetch (new file): curl 2>/dev/null or true keeps
CURRENT_SHA empty rather than causing jq to abort
- Use jq -n to build JSON payload — conditionally omits sha field when
file does not exist yet; eliminates manual string escaping
- Check HTTP status of PUT; print response body and exit 1 on non-2xx
- Add Accept: application/json header to SHA fetch request
git push origin HEAD:master fails when master advances between the job's
fetch and its push. Replace with PUT /repos/.../contents/CHANGELOG.md
which atomically updates the file on master regardless of HEAD position.
- Add cliff.toml with Tera template: feat/fix/perf/docs/refactor included;
ci/chore/build/test/style excluded
- Bootstrap CHANGELOG.md from all existing semver tags (v0.1.0–v0.2.49)
- Add changelog job to auto-tag.yml: runs after autotag in parallel with
build jobs; installs git-cliff v2.7.0 musl binary, generates CHANGELOG.md,
PATCHes Gitea release body with per-release notes, commits CHANGELOG.md
to master with [skip ci] to prevent re-trigger, uploads as release asset
- Add set -eu to all changelog job steps
- Null-check RELEASE_ID before API calls; create release if missing
(race-condition fix: changelog finishes before build jobs create release)
- Add Changelog Generation section to docs/wiki/CICD-Pipeline.md
linuxdeploy is itself an AppImage. Running it inside a Docker container
requires APPIMAGE_EXTRACT_AND_RUN=1 so it extracts and runs its payload
directly rather than relying on FUSE (unavailable in containers).
Already set on build-linux-arm64 — missing from the amd64 job.
Dockerfiles:
- Remove || true from rustup component add in all three Linux images;
rust:1.88-slim default profile already includes both components so the
command is a clean no-op, not a failure risk — silencing errors served
no purpose and only hid potential toolchain issues
- Add ca-certificates explicitly to Dockerfile.linux-amd64 and
Dockerfile.windows-cross (rust:1.88-slim includes it, but being
explicit is consistent with the arm64 fix and future-proofs against
base image changes)
Workflows:
- Upgrade actions/cache@v3 → @v4 across test.yml and auto-tag.yml
(v3 deprecated; v4 has parallel uploads and better large-cache support)
- Add linux-amd64 suffix to cargo cache keys in test.yml Rust jobs and
auto-tag.yml build-linux-amd64 job; all four jobs target the same
architecture and now share a cache, benefiting from cross-job hits
(registry cache is source tarballs, not compiled artifacts — no
pollution risk between targets)
Not changed:
- alpine:latest + docker-cli in build-images.yml is correct; the reviewer
confused DinD with socket passthrough — docker:24-cli also has no daemon,
both use the host socket; the builds already proved alpine works
- curl|bash for rustup is the official install method; rustup.rs publishes
no checksums for the installer script itself
act_runner v0.3.1 has special-case handling for images named docker:*:
it automatically adds /var/run/docker.sock to the container's bind
mounts. The runner's own global config already mounts the socket, so
the two entries collide and the container fails to start with
"Duplicate mount point: /var/run/docker.sock".
Fix: use alpine:latest (no special handling) and install docker-cli
via apk alongside git in each Checkout step. The docker socket is
still available via the runner's global bind — we just stop triggering
the duplicate.
Dockerfiles:
- Merge rustup target add and component add into one chained RUN with
|| true guard, making it safe if rustfmt/clippy are already present
in the base image's default toolchain profile (rust:1.88-slim default
profile includes both; the guard is belt-and-suspenders)
test.yml:
- Add --locked to cargo clippy and cargo test to enforce Cargo.lock
during CI, preventing silent dependency upgrades
Not addressed (accepted/out of scope):
- git in images: already installed in all three Dockerfiles (lines 19,
13, 15 respectively) — reviewer finding was incorrect
- HTTP registry: accepted risk for air-gapped self-hosted infrastructure
- Image signing (Cosign): no infrastructure in place yet
- Hardcoded registry IP: consistent with project-wide pattern
Switch all test and release build jobs from raw base images to the
pre-baked images already defined in .docker/ and pushed to the local
Gitea registry. Add actions/cache@v3 for Cargo registry and npm to
eliminate redundant downloads on subsequent runs.
Changes:
- Dockerfile.linux-amd64/arm64: bake in rustfmt and clippy components
- test.yml: rust jobs → trcaa-linux-amd64:rust1.88-node22; drop inline
apt-get and rustup component-add steps; add cargo cache
- test.yml: frontend jobs → add npm cache
- auto-tag.yml: build-linux-amd64 → trcaa-linux-amd64; drop Install
dependencies step and rustup target add
- auto-tag.yml: build-windows-amd64 → trcaa-windows-cross; drop Install
dependencies step and rustup target add
- auto-tag.yml: build-linux-arm64 → trcaa-linux-arm64 (ubuntu:22.04-based);
drop ~40-line Install dependencies step, . "$HOME/.cargo/env", and
rustup target add (all pre-baked in image ENV PATH)
- All build jobs: add cargo and npm cache steps
- docs/wiki/CICD-Pipeline.md: document pre-baked images, cache keys,
and insecure-registries daemon prerequisite
Expected savings: ~70% faster PR test suite (~1.5 min vs ~5 min),
~72% faster release builds (~7 min vs ~25 min) after cache warms up.
NOTE: Trigger build-images.yml via workflow_dispatch before merging
to ensure images contain rustfmt/clippy before workflow changes land.
- Replace flawed sed-based redaction with grep -v line-removal covering
JS/YAML assignments, Authorization headers, AWS keys (AKIA…), Slack
tokens (xox…), GitHub tokens (gh[opsu]_…), URLs with embedded
credentials, and long Base64 strings
- Add -c flag to jq -n when building Ollama request body (compact JSON)
- Remove jq . full response dump to prevent LLM-echoed secrets in logs
- Change Gitea API Authorization header from `token` to `Bearer`
Root cause of false-positive "critical" errors:
- sed pattern was matching api_key/token within YAML variable names
(e.g. OLLAMA_API_KEY:) and redacting the ${{ secrets.X }} value,
producing mangled syntax that confused the AI reviewer
- Fix: use [^$[:space:]] to skip values starting with $ (template
expressions and shell variable references)
Other fixes:
- Replace --retry-all-errors with --retry-connrefused --retry-max-time 120
to avoid wasting retries on unrecoverable 4xx errors
- Check HTTP_CODE before jq validation so error messages are meaningful
- Add permissions: pull-requests: write to job
- Add edited to pull_request.types so title changes trigger re-review
- Change git diff .. to git diff ... (three-dot merge-base diff)
- Replace hardcoded server/repo URLs with github.server_url and
github.repository context variables (portability)
- Log review length before posting to detect truncation
Security:
- Replace http://172.0.0.29:3000 git remote with https://gogs.tftsr.com
- Replace http://172.0.0.29:3000 Gitea API URL with https://gogs.tftsr.com
- Remove internal 172.0.0.29 from container DNS (keep 8.8.8.8, 1.1.1.1)
- Move PR_TITLE and PR_NUMBER to env vars to prevent shell injection
Correctness:
- Fix diff_size comparison from lexicographic > '0' to != '0'
- Strip leading whitespace from wc -l output via tr -d ' '
- Switch diff truncation from head -c 20000 to head -n 500 (line-safe)
- Add jq empty validation before parsing Ollama response
Reliability:
- Add --connect-timeout 30 and --retry 3 --retry-delay 5 to Ollama curl
- Add --connect-timeout 10 to review POST curl
- Change Post review comment to if: always() so it runs on analysis failure
- Post explicit failure comment when analysis produces no output
Workflow changes:
- Switch Ollama to https://ollama-ui.tftsr.com/ollama/v1 (OpenAI-compat)
with OLLAMA_API_KEY secret — removes hardcoded internal IP
- Update endpoint to /chat/completions and response parsing to
.choices[0].message.content for OpenAI-compat format
- Add concurrency block to prevent racing on same PR number
- Add shell: bash + set -euo pipefail to all steps
- Add TF_TOKEN presence validation before posting review
- Add --max-time 30 and HTTP status check to comment POST curl
- Redact common secret patterns from diff before sending to Ollama
- Add binary diff warning via grep for "^Binary files"
- Add UTC timestamps to Ollama call and review post log lines
- Add always-run Cleanup step to remove /tmp artifacts
Version consistency:
- Sync Cargo.toml and package.json from 0.1.0 to 0.2.50 to match
tauri.conf.json
- Restore 014_create_ai_providers migration and tests missing due to
branch diverging from master before PR #34 merged
- Bump version from 0.2.10 to 0.2.50 to match master and avoid regression
- Trim diff input to 20 KB to prevent Ollama token overflow
- Add --max-time 120 to curl to prevent workflow hanging indefinitely
- Fix OLLAMA_URL to point at actual Ollama server (172.0.1.42:11434)
- Fix API path from /v1/chat to /api/chat (Ollama native endpoint)
- Fix response parsing from OpenAI format to Ollama native (.message.content)
- Use jq to safely construct JSON bodies in both Analyze and Post steps
- Add HTTP status code check and response body logging for diagnostics
- Add --test-threads=1 flag to all Rust test commands
- Update .gitea/workflows/test.yml to use serial test execution
- Update AGENTS.md to reflect the serial test requirement
Environment variable modifications in Rust tests cause race conditions
when tests run in parallel because std::env is shared global state.
Add three Dockerfiles under .docker/ and a build-images.yml workflow that
pushes them to the local Gitea container registry (172.0.0.29:3000).
Each image pre-installs all system deps, Node.js 22, and the Rust cross-
compilation target so release builds can skip apt-get entirely:
trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps
trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target
trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88
build-images.yml triggers automatically when .docker/ changes on master
and supports workflow_dispatch for manual/first-time builds.
auto-tag.yml is NOT changed in this commit — switch it to use the new
images in the follow-up PR (after images are pushed to the registry).
One-time server setup required before first use:
echo '{"insecure-registries":["172.0.0.29:3000"]}' \
| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker
- AIProviders: hide top model row when custom_rest active (dropdown lower in form handles it);
clear auth header prefill on format switch; rename User ID / CORE ID → Email Address
- Dashboard + Ollama: add border-border/bg-card classes to Refresh buttons for dark-bg contrast
- Security + settingsStore: wire PII toggle state to persisted Zustand store so pattern
selections survive app restarts
- App: add Sun/Moon theme toggle button to sidebar footer (always visible when collapsed)
- system.rs: add install_ollama_from_bundle command (copies bundled binary to /usr/local/bin)
- auto-tag.yml: add Download Ollama step to all 4 platform build jobs with SHA256 verification
- tauri.conf.json: add resources/ollama/* to bundle resources
- docs: add install_ollama_from_bundle to IPC-Commands wiki
Security: CI download steps verify SHA256 against Ollama's published sha256sums.txt before bundling.
linuxdeploy-aarch64.AppImage cannot be reliably executed in a cross-
compile context (amd64 host, aarch64 target) even with QEMU binfmt
and APPIMAGE_EXTRACT_AND_RUN. The .deb and .rpm cover all major arm64
Linux distros. An arm64 AppImage can be added later via a native
arm64 build job if required.
linuxdeploy and its plugins are themselves AppImages. Inside a Docker
container FUSE is unavailable, so they cannot self-mount. Setting
APPIMAGE_EXTRACT_AND_RUN=1 causes them to extract to a temp directory
and run directly, bypassing the FUSE requirement.
The act runner executes run: blocks with sh (dash), not bash.
'source' is a bash built-in; POSIX sh uses '.' instead.
Co-Authored-By: fix/arm64-source-sh <noreply@local>
$GITHUB_PATH is unset in this Gitea Actions environment, causing the
echo redirect to fail with a non-zero exit, which killed the Install
dependencies step before the Build step could run.
The append was unnecessary — the Build step already sources
$HOME/.cargo/env as its first line, which puts Cargo's bin dir in PATH.
Co-Authored-By: fix/yaml-heredoc-indent <noreply@local>
The Debian single-mirror multiarch approach causes irreconcilable
apt dependency conflicts when both amd64 and arm64 point at the same
repo: the binary-all index is duplicated and certain -dev package pairs
lack Multi-Arch: same. This produces "held broken packages" regardless
of sources.list tweaks.
Ubuntu 22.04 routes arm64 through ports.ubuntu.com/ubuntu-ports, a
separate mirror from archive.ubuntu.com (amd64). This eliminates all
cross-arch index overlaps. Rust is installed via rustup since it is not
pre-installed in the Ubuntu base image. libayatana-appindicator3-dev
is dropped — no tray icon is used by this application.
Co-Authored-By: fix/yaml-heredoc-indent <noreply@local>
YAML block scalars end when a line is found with less indentation than
the scalar's own indent level. The heredoc body was at column 0 while
the rest of the run: block was at column 10, causing Gitea's YAML parser
to reject the entire workflow file with:
yaml: line 412: could not find expected ':'
This silently invalidated auto-tag.yml on every push to master since the
apt-sources commit was merged, which is why PR#9 and PR#10 merges produced
no action runs.
Fix: replace the heredoc with a printf that stays within the block scalar's
indentation so the YAML remains valid.
Gitea 1.22 silently drops a push event for a workflow when a run for that
same workflow+branch is already in progress. This caused the PR#9 merge to
master to produce no auto-tag run.
- workflow_dispatch: allows manual triggering via API when an event is dropped
- concurrency group (cancel-in-progress: false): causes Gitea to queue a second
run rather than discard it when one is already active
rust:1.88-slim (Debian Bookworm) uses DEB822-format sources which have no arch
restriction. After dpkg --add-architecture arm64, apt tries to resolve deps for
both amd64 and arm64 simultaneously and hits 'held broken packages' conflicts on
shared -dev packages.
Fix: remove debian.sources and write a clean sources.list that pins amd64 repos
to [arch=amd64] and arm64 repos to [arch=arm64]. This gives apt a clear,
non-conflicting view of each architecture's package set.
build-linux-arm64: switch from QEMU-emulated linux-arm64 runner to cross-compile
on linux-amd64 using aarch64-linux-gnu toolchain. Removes the uname -m arch guard
that was causing the job to exit immediately (QEMU reports x86_64 as kernel arch),
and fixes the artifact path to the explicit target directory.
All build jobs: replace `cargo install tauri-cli --locked` with `npx tauri build`,
using the pre-compiled @tauri-apps/cli binary from devDependencies. Eliminates the
20-30 min Tauri CLI recompilation on every run.
wiki-sync: move from test.yml to auto-tag.yml. test.yml only fires on pull_request
events so the `if: github.ref == 'refs/heads/master'` guard was never true and the
wiki was never updated. auto-tag.yml triggers on push to master, so wiki sync now
runs on every merge.
Update releaseWorkflowCrossPlatformArtifacts.test.ts to match the new workflow.
Drop fragile job-condition gates that were blocking release jobs, and upload linux artifacts with arch-prefixed release asset names so amd64 and arm64 outputs can coexist even when bundle filenames are identical.
Made-with: Cursor
Avoid cross-compiling GTK/glib on the arm release job by building natively on ARM64 hosts, add an explicit architecture guard, and restrict uploads to arm64/aarch64 artifact filenames so amd64 outputs cannot be published as arm releases.
Made-with: Cursor
Build linux arm64 bundles with --target aarch64-unknown-linux-gnu and upload from the target-specific bundle path so arm64 releases cannot accidentally publish amd64 artifacts.
Made-with: Cursor
Delete .gitea/workflows/release.yml and keep release orchestration in auto-tag.yml only, then update related workflow tests and docs to reference the unified pipeline.
Made-with: Cursor
Remove auto-tag job output dependencies and conditional gates so release build jobs always run after autotag completes, resolving skipped fan-out caused by output/if evaluation issues in Gitea Actions.
Made-with: Cursor
Rename the auto-tag job id to a non-hyphenated identifier and update needs/output references so dependent release jobs evaluate conditions correctly and reliably run after tagging.
Made-with: Cursor
Run linux/windows/macos/arm release build and upload jobs in the auto-tag workflow with needs:auto-tag outputs so release execution no longer depends on a second tag-triggered workflow dispatch path.
Made-with: Cursor
Switch auto-tag to create and push tags via git instead of the tag API so Gitea emits a real tag push event that reliably starts release builds. Document the trigger behavior and add a workflow regression test.
Made-with: Cursor
Make all release upload steps fail fast when expected artifacts are missing, replace existing same-name assets before uploading, and print HTTP/body details on upload failures so Linux/Windows publishing issues are diagnosable and reruns remain deterministic.
Made-with: Cursor
Override OpenSSL vendoring for the windows-gnu release build so cross-compiles no longer fail on pkg-config lookup, and fail fast when Linux release jobs produce no artifacts so incomplete releases are detected immediately.
Made-with: Cursor
Avoid duplicate Test workflow executions by removing push triggers and keeping pull_request validation as the single gate. Also fix remaining clippy format string violations in integration modules to keep rust-clippy passing.
Made-with: Cursor
Avoid rerunning the full test workflow on direct master pushes while keeping pull request validation intact. Update the CI/CD wiki page to reflect the new trigger behavior.
Made-with: Cursor
Find the generated .app bundle dynamically in release CI so macOS packaging no longer depends on the legacy TFTSR.app name. Add a unit test to prevent regressions by asserting the old hardcoded path is not reintroduced.
Made-with: Cursor
The ARM64 build was failing because explicitly specifying
--target aarch64-unknown-linux-gnu on an ARM64 runner was
triggering cross-compilation logic.
Changes:
- Remove rustup target add (not needed for native build)
- Remove --target flag from cargo tauri build
- Update artifact path: target/aarch64-unknown-linux-gnu/release/bundle
→ target/release/bundle
This allows the native ARM64 toolchain to build without
attempting cross-compilation and avoids the pkg-config
cross-compilation configuration requirement.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Updated wiki-sync job to use secrets.Wiki for authentication
- Simplified clone/push logic with token-based auth
- Wiki push will now succeed with proper credentials
- Bumped version to 0.2.8
The workflow now uses the 'Wiki' secret created in Gitea Actions
to authenticate wiki repository pushes. This fixes the authentication
issue that was preventing automatic wiki synchronization.
- Added wiki-sync job to .gitea/workflows/test.yml
- Runs only on pushes to master branch
- Automatically copies docs/wiki/*.md to Gogs wiki repository
- Supports token-based authentication via secrets.GITHUB_TOKEN
- Handles wiki initialization if repository doesn't exist
- Bumped version to 0.2.7
Wiki sync will now automatically update the Gogs wiki at
https://gogs.tftsr.com/sarman/tftsr-devops_investigation/wiki
whenever docs/wiki/ files are modified on master.
- Use jq instead of grep for JSON parsing
- Add explicit error checking for RELEASE_ID
- Add informative logging for debugging upload failures
- Fail fast if release ID cannot be retrieved
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The linux-arm64 job runs on a native ARM64 runner, so cross-compilation
setup is not needed. Removed dpkg --add-architecture, cross-compiler,
and architecture-specific package suffixes. This fixes "held broken
packages" error during dependency installation.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove .woodpecker/ directory entirely (not in use)
- Fix ARM64 build in .gitea/workflows/release.yml:
- Remove --platform flag (Docker version too old)
- Use cross-compilation instead (dpkg multiarch + gcc-aarch64-linux-gnu)
- Set PKG_CONFIG environment variables for ARM64 libraries
- Set CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER
This matches the working cross-compilation approach from commit d489338b.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- domainPrompts.ts: closing }; was inside the Record object after 'automation',
leaving hpe_infra/dell_hardware/identity orphaned outside the object — caused
3 TS1005/TS1109 errors and broke the macOS and all frontend builds
- release.yml: replace multiarch cross-compilation (broken due to WebKit arm64
package conflicts) with --platform linux/arm64 container option so QEMU runs
a native ARM64 image directly — no cross-compilation, no package conflicts
The linux-arm64 runner runs an x86_64 Docker container so cross-compilation
requires the ARM64 sysroot via dpkg --add-architecture arm64, gcc-aarch64-linux-gnu,
and arm64 variants of all system libraries. PKG_CONFIG env vars point to the
aarch64 library paths so Tauri can find webkit/gtk/etc at compile time.
- globals.css: add button reset with -webkit-appearance: none and
-webkit-text-fill-color: currentColor so SelectTrigger text is visible
on macOS WebKit without breaking Tailwind text-* variant overrides
- release.yml: build .app only first, ad-hoc sign it, then create DMG
via hdiutil so the signed .app is inside the DMG (previously codesign
ran after Tauri already sealed the unsigned .app into the DMG)
Creates a new vX.Y.Z tag on each push to master using the Gitea API.
The new tag triggers release.yml to build and publish installers for
all platforms automatically.
- globals.css: remove button from WebKit -webkit-text-fill-color override that
was causing button text to be invisible (text color matched background in dark mode)
- Security.tsx: toggle enabled state uses bg-blue-500 instead of bg-primary;
in dark mode --primary is near-white making the white knob invisible
- tauriCommands.ts: fix createIssueCmd to pass flat args (not wrapped in newIssue),
map domain->category, and return Issue instead of IssueDetail
- NewIssue/index.tsx: update call site to use Issue return type directly
- release.yml: add ad-hoc codesign step for macOS .app so Gatekeeper shows
"unidentified developer" instead of "damaged" error
- Register Apple Silicon Mac as act_runner with label macos-arm64
- Add build-macos-arm64 job to Gitea Actions release pipeline
- Produces unsigned .dmg artifact for aarch64-apple-darwin
- Update CICD-Pipeline.md to reflect Gitea Actions agents
Gitea 1.22 expression evaluator rewrites github.ref_name to
format('{0}', github.ref_name) which produces '%!t(string=v0.1.0)'
instead of 'v0.1.0'. Use the pre-set shell env var directly.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
rust:1.88-slim has an empty package cache. apt-get install git
was failing with 'Unable to locate package git'.
Add apt-get update -qq before every apt-get install in checkout steps.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
actions/checkout@v4 requires Node.js which is not in rust:1.88-slim.
Replace with direct git init+fetch+checkout using the Gitea instance URL.
Also fix release.yml: each build job creates the release (idempotent)
and uploads its own artifacts inline via Gitea API.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
