From 895b671c844390e329779942118c5d136e621039 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller@mokoconsulting.tech>
Date: Thu, 23 Apr 2026 18:18:22 -0500
Subject: [PATCH] =?UTF-8?q?chore:=20sync=20auto-release.yml=20=E2=80=94=20?=
 =?UTF-8?q?remove=20skip=20gates=20blocking=20patches=20[skip=20ci]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/auto-release.yml | 325 ++++++++++++++++++++---------
 1 file changed, 230 insertions(+), 95 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 87f13cf..b8e9f8e 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
 # PATH: /templates/workflows/joomla/auto-release.yml.template
 # VERSION: 04.06.00
 # BRIEF: Joomla build & release — ZIP package, updates.xml, SHA-256 checksum
@@ -22,13 +22,15 @@
 # |    4. Update [VERSION: XX.YY.ZZ] badges in markdown files              |
 # |    5. Write updates.xml (Joomla update server XML)                      |
 # |    6. Create git tag vXX.YY.ZZ                                        |
-# |    7a. Patch: update existing GitHub Release for this minor            |
+# |    7a. Patch: update existing Gitea Release for this minor             |
 # |    8. Build ZIP, upload asset, write SHA-256 to updates.xml             |
 # |                                                                        |
 # |  Every version change: archives main -> version/XX.YY branch           |
 # |  All patches release (including 00). Patch 00/01 = full pipeline.      |
 # |  First release only (patch == 01):                                     |
-# |    7b. Create new GitHub Release                                       |
+# |    7b. Create new Gitea Release                                        |
+# |                                                                        |
+# |  GitHub mirror: stable/rc releases only (continue-on-error)            |
 # |                                                                        |
 # +========================================================================+
 
@@ -46,6 +48,9 @@ on:
 
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 
 permissions:
   contents: write
@@ -61,19 +66,21 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN || github.token }}
+          token: ${{ secrets.GA_TOKEN }}
           fetch-depth: 0
 
-      - name: Set authenticated push URL
-        run: git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
       - name: Setup MokoStandards tools
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
         run: |
-          git clone --depth 1 --branch version/04 --quiet \
-            "https://x-access-token:${GH_TOKEN}@git.mokoconsulting.tech/MokoConsulting/MokoStandards-API.git" \
+          # Ensure PHP + Composer are available
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
             /tmp/mokostandards-api
           cd /tmp/mokostandards-api
           composer install --no-dev --no-interaction --quiet
@@ -99,7 +106,8 @@ jobs:
           echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
           echo "minor=$MINOR" >> "$GITHUB_OUTPUT"
           echo "major=$MAJOR" >> "$GITHUB_OUTPUT"
-          echo "release_tag=v${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          echo "stability=stable" >> "$GITHUB_OUTPUT"
           echo "skip=false" >> "$GITHUB_OUTPUT"
           if [ "$PATCH" = "00" ] || [ "$PATCH" = "01" ]; then
             echo "is_minor=true" >> "$GITHUB_OUTPUT"
@@ -125,11 +133,8 @@ jobs:
           echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
           echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
 
-          if [ "$TAG_EXISTS" = "true" ] && [ "$BRANCH_EXISTS" = "true" ]; then
-            echo "already_released=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "already_released=false" >> "$GITHUB_OUTPUT"
-          fi
+          # Tag and branch may persist across patch releases — never skip
+          echo "already_released=false" >> "$GITHUB_OUTPUT"
 
       # -- SANITY CHECKS -------------------------------------------------------
       - name: "Sanity: Pre-release validation"
@@ -285,9 +290,15 @@ jobs:
           [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
           [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
 
-          # Templates/modules don't have <element> — derive from <name> (lowercased)
+          # Derive element if not in manifest:
+          # 1. Try XML filename (e.g. mokowaas.xml → mokowaas)
+          # 2. Fall back to repo name (lowercased)
           if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(echo "$EXT_NAME" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
+            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            # If filename is generic (templateDetails, manifest), use repo name
+            case "$EXT_ELEMENT" in
+              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+            esac
           fi
 
           # Build client tag: plugins and frontend modules need <client>site</client>
@@ -306,7 +317,7 @@ jobs:
 
           # Build targetplatform (fallback to Joomla 5 if not in manifest)
           if [ -z "$TARGET_PLATFORM" ]; then
-            TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="5.*" %s>' "/")
+            TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
           fi
 
           # Build php_minimum tag
@@ -315,11 +326,12 @@ jobs:
             PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
           fi
 
-          DOWNLOAD_URL="https://git.mokoconsulting.tech/${{ github.repository }}/releases/download/v${VERSION}/${EXT_ELEMENT}-${VERSION}.zip"
-          INFO_URL="https://git.mokoconsulting.tech/${{ github.repository }}/releases/tag/v${VERSION}"
+          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/stable/${EXT_ELEMENT}-${VERSION}.zip"
+          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/stable"
 
-          # -- Build stable entry to temp file ─────────────────────────
-          {
+          # -- Build update entry for a given stability tag
+          build_entry() {
+            local TAG_NAME="$1"
             printf '%s\n' '  <update>'
             printf '%s\n' "    <name>${EXT_NAME}</name>"
             printf '%s\n' "    <description>${EXT_NAME} update</description>"
@@ -328,9 +340,7 @@ jobs:
             printf '%s\n' "    <version>${VERSION}</version>"
             [ -n "$CLIENT_TAG" ] && printf '%s\n' "    ${CLIENT_TAG}"
             [ -n "$FOLDER_TAG" ] && printf '%s\n' "    ${FOLDER_TAG}"
-            printf '%s\n' '    <tags>'
-            printf '%s\n' '      <tag>stable</tag>'
-            printf '%s\n' '    </tags>'
+            printf '%s\n' "    <tags><tag>${TAG_NAME}</tag></tags>"
             printf '%s\n' "    <infourl title=\"${EXT_NAME}\">${INFO_URL}</infourl>"
             printf '%s\n' '    <downloads>'
             printf '%s\n' "      <downloadurl type=\"full\" format=\"zip\">${DOWNLOAD_URL}</downloadurl>"
@@ -340,35 +350,27 @@ jobs:
             printf '%s\n' '    <maintainer>Moko Consulting</maintainer>'
             printf '%s\n' '    <maintainerurl>https://mokoconsulting.tech</maintainerurl>'
             printf '%s\n' '  </update>'
-          } > /tmp/stable_entry.xml
-
-          # -- Write updates.xml preserving dev/rc entries ──────────────
-          # Extract existing entries for other stability levels
-          # Order reflects release workflow: development → alpha → beta → rc → stable
-          if [ -f "updates.xml" ]; then
-            printf 'import re, sys\n' > /tmp/extract.py
-            printf 'with open("updates.xml") as f: c = f.read()\n' >> /tmp/extract.py
-            printf 'tag = sys.argv[1]\n' >> /tmp/extract.py
-            printf 'm = re.search(r"(  <update>.*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)", c, re.DOTALL)\n' >> /tmp/extract.py
-            printf 'if m: print(m.group(1))\n' >> /tmp/extract.py
-          fi
-          DEV_ENTRY=$(python3 /tmp/extract.py development 2>/dev/null || true)
-          ALPHA_ENTRY=$(python3 /tmp/extract.py alpha 2>/dev/null || true)
-          BETA_ENTRY=$(python3 /tmp/extract.py beta 2>/dev/null || true)
-          RC_ENTRY=$(python3 /tmp/extract.py rc 2>/dev/null || true)
+          }
 
+          # -- Write updates.xml with cascading channels
+          # Stable release updates ALL channels (development, alpha, beta, rc, stable)
           {
-            printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>'
+            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>"
+            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting <hello@mokoconsulting.tech>"
+            printf '%s\n' " SPDX-License-Identifier: GPL-3.0-or-later"
+            printf '%s\n' " VERSION: ${VERSION}"
+            printf '%s\n' " -->"
+            printf '%s\n' ""
             printf '%s\n' '<updates>'
-            [ -n "$DEV_ENTRY" ] && echo "$DEV_ENTRY"
-            [ -n "$ALPHA_ENTRY" ] && echo "$ALPHA_ENTRY"
-            [ -n "$BETA_ENTRY" ] && echo "$BETA_ENTRY"
-            [ -n "$RC_ENTRY" ] && echo "$RC_ENTRY"
-            cat /tmp/stable_entry.xml
+            build_entry "development"
+            build_entry "alpha"
+            build_entry "beta"
+            build_entry "rc"
+            build_entry "stable"
             printf '%s\n' '</updates>'
           } > updates.xml
 
-          echo "updates.xml: ${VERSION} (stable + rc/dev preserved)" >> $GITHUB_STEP_SUMMARY
+          echo "updates.xml: ${VERSION} (all channels updated to stable)" >> $GITHUB_STEP_SUMMARY
 
       # -- Commit all changes ---------------------------------------------------
       - name: Commit release changes
@@ -383,10 +385,12 @@ jobs:
           VERSION="${{ steps.version.outputs.version }}"
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
+          # Set push URL with token for branch-protected repos
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push
+          git push -u origin HEAD
 
       # -- STEP 6: Create tag ---------------------------------------------------
       - name: "Step 6: Create git tag"
@@ -406,69 +410,75 @@ jobs:
           fi
           echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
 
-      # -- STEP 7: Create or update GitHub Release ------------------------------
-      - name: "Step 7: GitHub Release"
+      # -- STEP 7: Create or update Gitea Release --------------------------------
+      - name: "Step 7: Gitea Release"
         if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.tag_exists != 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
+          steps.version.outputs.skip != 'true'
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
           BRANCH="${{ steps.version.outputs.branch }}"
           MAJOR="${{ steps.version.outputs.major }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
           NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
           [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-          echo "$NOTES" > /tmp/release_notes.md
 
           # Check if the major release already exists
-          EXISTING=$(gh release view "$RELEASE_TAG" --json tagName -q .tagName 2>/dev/null || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
-          if [ -z "$EXISTING" ]; then
+          if [ -z "$EXISTING_ID" ]; then
             # First release for this major
-            gh release create "$RELEASE_TAG" \
-              --title "v${MAJOR} (latest: ${VERSION})" \
-              --notes-file /tmp/release_notes.md \
-              --target "$BRANCH"
+            curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              "${API_BASE}/releases" \
+              -d "$(python3 -c "import json; print(json.dumps({
+                'tag_name': '${RELEASE_TAG}',
+                'name': 'v${MAJOR} (latest: ${VERSION})',
+                'body': '''${NOTES}''',
+                'target_commitish': '${BRANCH}'
+              }))")"
             echo "Release created: ${RELEASE_TAG} (${VERSION})" >> $GITHUB_STEP_SUMMARY
           else
             # Append version notes to existing major release
-            CURRENT_NOTES=$(gh release view "$RELEASE_TAG" --json body -q .body 2>/dev/null || true)
-            {
-              echo "$CURRENT_NOTES"
-              echo ""
-              echo "---"
-              echo "### ${VERSION}"
-              echo ""
-              cat /tmp/release_notes.md
-            } > /tmp/updated_notes.md
+            CURRENT_BODY=$(echo "$EXISTING" | python3 -c "import sys,json; print(json.load(sys.stdin).get('body',''))" 2>/dev/null || true)
+            UPDATED_BODY="${CURRENT_BODY}
 
-            gh release edit "$RELEASE_TAG" \
-              --title "v${MAJOR} (latest: ${VERSION})" \
-              --notes-file /tmp/updated_notes.md
+          ---
+          ### ${VERSION}
+
+          ${NOTES}"
+
+            curl -sf -X PATCH -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              "${API_BASE}/releases/${EXISTING_ID}" \
+              -d "$(python3 -c "import json,sys; print(json.dumps({
+                'name': 'v${MAJOR} (latest: ${VERSION})',
+                'body': sys.stdin.read()
+              }))" <<< "$UPDATED_BODY")"
             echo "Release updated: ${RELEASE_TAG} -> ${VERSION}" >> $GITHUB_STEP_SUMMARY
           fi
 
       # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
-      # Every patch builds an install-ready ZIP and uploads it to the minor release.
-      # Result: one Release per minor version with a ZIP for each patch.
       - name: "Step 8: Build Joomla package and update checksum"
         if: >-
           steps.version.outputs.skip != 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GA_TOKEN || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
           REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
           # All ZIPs upload to the major release tag (vXX)
-          gh release view "$RELEASE_TAG" --json tagName > /dev/null 2>&1 || {
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+          if [ -z "$RELEASE_ID" ]; then
             echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
             exit 0
-          }
+          fi
 
           # Find extension element name from manifest
           MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
@@ -502,27 +512,109 @@ jobs:
           SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
           SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
 
+          # -- Delete existing assets with same name before uploading ------
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
+          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
+            ASSET_ID=$(echo "$ASSETS" | python3 -c "
+          import sys,json
+          assets = json.load(sys.stdin)
+          for a in assets:
+              if a['name'] == '${ASSET_NAME}':
+                  print(a['id']); break
+          " 2>/dev/null || true)
+            if [ -n "$ASSET_ID" ]; then
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
+            fi
+          done
+
           # -- Upload both to release tag ----------------------------------
-          gh release upload "$RELEASE_TAG" "/tmp/${ZIP_NAME}" --clobber 2>/dev/null || true
-          gh release upload "$RELEASE_TAG" "/tmp/${TAR_NAME}" --clobber 2>/dev/null || true
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${ZIP_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
+
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${TAR_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
 
           # -- Update updates.xml with both download formats ---------------
           if [ -f "updates.xml" ]; then
-            ZIP_URL="https://git.mokoconsulting.tech/${{ github.repository }}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
-            TAR_URL="https://git.mokoconsulting.tech/${{ github.repository }}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
+            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
+            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
 
-            # Replace downloads block with both formats + SHA
-            sed -i "s|<downloads>.*</downloads>|<downloads>\n      <downloadurl type=\"full\" format=\"zip\">${ZIP_URL}</downloadurl>\n      <downloadurl type=\"full\" format=\"tar.gz\">${TAR_URL}</downloadurl>\n    </downloads>|" updates.xml 2>/dev/null || true
-            if grep -q '<sha256>' updates.xml; then
-              sed -i "s|<sha256>.*</sha256>|<sha256>${SHA256_ZIP}</sha256>|" updates.xml
-            else
-              sed -i "s|</downloads>|</downloads>\n    <sha256>${SHA256_ZIP}</sha256>|" updates.xml
-            fi
+            # Use Python to update only the stable entry's downloads + sha256
+            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
+            python3 << 'PYEOF'
+          import re, os
 
+          with open("updates.xml") as f:
+              content = f.read()
+
+          zip_url = os.environ["PY_ZIP_URL"]
+          tar_url = os.environ["PY_TAR_URL"]
+          sha = os.environ["PY_SHA"]
+
+          # Find the stable update block and replace its downloads + sha256
+          def replace_stable(m):
+              block = m.group(0)
+              # Replace downloads block
+              new_downloads = (
+                  "    <downloads>\n"
+                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
+                  "    </downloads>"
+              )
+              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
+              # Add or replace sha256
+              if '<sha256>' in block:
+                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
+              else:
+                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
+              return block
+
+          content = re.sub(
+              r'  <update>.*?<tag>stable</tag>.*?</update>',
+              replace_stable,
+              content,
+              flags=re.DOTALL
+          )
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+            CURRENT_BRANCH="${{ github.ref_name }}"
             git add updates.xml
             git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
               --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
             git push || true
+
+            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
+            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
+
+            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
+
+            if [ -n "$FILE_SHA" ]; then
+              CONTENT=$(base64 -w0 updates.xml)
+              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                "${API}/contents/updates.xml" \
+                -d "$(jq -n \
+                  --arg content "$CONTENT" \
+                  --arg sha "$FILE_SHA" \
+                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
+                  --arg branch "main" \
+                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
+                )" > /dev/null 2>&1 \
+                && echo "updates.xml synced to main via API" \
+                || echo "WARNING: failed to sync updates.xml to main"
+            else
+              echo "WARNING: could not get updates.xml SHA from main"
+            fi
           fi
 
           echo "### Joomla Packages" >> $GITHUB_STEP_SUMMARY
@@ -532,7 +624,50 @@ jobs:
           echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
           echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
           echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [${PACKAGE_NAME}](https://git.mokoconsulting.tech/${{ github.repository }}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}) |" >> $GITHUB_STEP_SUMMARY
+          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+      - name: "Step 9: Mirror release to GitHub"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.version.outputs.stability == 'stable' &&
+          secrets.GH_TOKEN != ''
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+
+          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
+          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+          echo "$NOTES" > /tmp/release_notes.md
+
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+
+          if [ -z "$EXISTING" ]; then
+            gh release create "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" \
+              --notes-file /tmp/release_notes.md \
+              --target "$BRANCH" || true
+          else
+            gh release edit "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" || true
+          fi
+
+          # Upload assets to GitHub mirror
+          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
+            if [ -f "$PKG" ]; then
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+            fi
+          done
+          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
 
       # -- Summary --------------------------------------------------------------
       - name: Pipeline Summary
@@ -553,5 +688,5 @@ jobs:
             echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
             echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
             echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](https://github.com/${{ github.repository }}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
           fi