Avoid race conditions during release uploads by moving asset publication out of matrix jobs and into one dedicated job.
Co-authored-by: Cursor <cursoragent@cursor.com>
- Trigger Docker build on push to main (with paths-ignore for docs/md/devenv)
- Push `dev` tag on main, `latest` + semver on release tags, build-only on PRs
- Skip QEMU/provenance/sbom for non-release builds to reduce CI time
- Rename ci.yml to migrations.yml for clarity
- PR docker builds use single arch (amd64 only), tag push uses dual
- Add paths-ignore to skip CI on docs-only changes
- Add concurrency groups to cancel stale runs on re-push
- Build Go binary once instead of 3x go run in migrate job
- Remove push-to-main trigger; only tag push publishes images
- Prerelease tags (e.g. v0.1.0-beta.2) publish their version tag only, without updating latest or short semver tags
Run migrate up -> down -> up against a temporary PostgreSQL service
container on every PR and push to main, verifying all migrations
apply, rollback, and re-apply correctly.
Add dedicated docker-publish.yml with full CI/CD pipeline:
- Build & push server/agent/web/mcp images on tag, main push, and PR
- Publish to both Docker Hub and GHCR
- Semver tag strategy (latest, version, major.minor, major, sha)
- GHA build cache, SLSA provenance, and SBOM
- PR builds validate without pushing
Remove superseded dockerhub job from release.yml.
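The tag strategy, build-only PRs, single-arch PR builds, release-only QEMU/provenance/SBOM and the concurrency rule described above, pulled together into one workflow as an added example. This is not the project's docker-publish.yml; the image names (server, agent, web, mcp, each with a build context at ./<name>), the Docker Hub namespace `example`, the secret names DOCKERHUB_USERNAME / DOCKERHUB_TOKEN and the paths-ignore patterns are assumptions. The pre-release behaviour comes from docker/metadata-action itself: for a tag like v0.1.0-beta.2, `type=semver` emits only `0.1.0-beta.2`, skipping the `{{major}}.{{minor}}` and `{{major}}` patterns, and `latest=auto` adds `latest` only for non-pre-release semver tags.

```yaml
# Added example (hypothetical workflow, not the project's file).
# Assumed: images server/agent/web/mcp built from ./<name>, Docker Hub
# namespace "example", secrets DOCKERHUB_USERNAME and DOCKERHUB_TOKEN.
name: docker-publish

on:
  push:
    tags: ['v*']            # only tag pushes publish images
  pull_request:
    paths-ignore:           # docs-only PRs skip the build entirely (assumed patterns)
      - '**.md'
      - 'docs/**'
      - 'devenv*'

# A re-pushed PR cancels its stale run; a tag build is never cancelled, so a
# release is not interrupted halfway through pushing its tags.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image: [server, agent, web, mcp]
    env:
      IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
    steps:
      - uses: actions/checkout@v4

      # QEMU is only needed for the arm64 half of a dual-arch release build.
      - uses: docker/setup-qemu-action@v3
        if: env.IS_RELEASE == 'true'
      - uses: docker/setup-buildx-action@v3

      # No registry credentials are needed (or exposed) on PR builds.
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag strategy: latest, version, major.minor, major, sha.
      # For a pre-release tag (v0.1.0-beta.2) only 0.1.0-beta.2 and the sha tag
      # are emitted; latest and the short semver tags are left untouched.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: |
            docker.io/example/${{ matrix.image }}
            ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=sha
          flavor: |
            latest=auto

      - uses: docker/build-push-action@v6
        with:
          context: ./${{ matrix.image }}
          push: ${{ github.event_name != 'pull_request' }}   # PRs validate without pushing
          platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
          provenance: ${{ env.IS_RELEASE == 'true' }}         # SLSA provenance on releases only
          sbom: ${{ env.IS_RELEASE == 'true' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.image }}
          cache-to: type=gha,mode=max,scope=${{ matrix.image }}
```

Two points worth checking when adapting this: `cancel-in-progress` is deliberately an expression rather than a bare `true`, because cancelling a tag build mid-push can leave a registry with `1.2` and `1` pointing at the previous release while `1.2.3` already points at the new one; and the per-image `scope` on the GHA cache keeps the four matrix entries from evicting each other's layers.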