ci: Joomla release builds ZIP + SHA-256 checksum

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/auto-release.yml

@@ -23,6 +23,7 @@
 # ║    5. Write update.txt / update.xml                                    ║
 # ║    6. Create git tag vXX.YY.ZZ                                        ║
 # ║    7a. Patch: update existing GitHub Release for this minor            ║
+# ║    8.  Joomla only: build ZIP, upload asset, write SHA-256 to XML     ║
 # ║                                                                        ║
 # ║  Every version change: archives main → version/XX.YY branch            ║
 # ║  Patch 00 = development (no release). First release = patch 01.        ║
@@ -426,6 +427,65 @@ jobs:
             fi
           fi
 
+      # ── STEP 8: Joomla package + SHA-256 checksum ──────────────────────
+      - name: "Step 8: Build Joomla package and update checksum"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.tag_exists != 'true'
+        run: |
+          PLATFORM=$(php /tmp/mokostandards/api/cli/platform_detect.php --path . 2>/dev/null || true)
+          [ "$PLATFORM" != "waas-component" ] && exit 0
+
+          VERSION="${{ steps.version.outputs.version }}"
+          TAG="${{ steps.version.outputs.tag }}"
+          REPO="${{ github.repository }}"
+
+          # Find extension element name from manifest
+          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+          [ -z "$MANIFEST" ] && exit 0
+
+          EXT_ELEMENT=$(grep -oP '<element>\K[^<]+' "$MANIFEST" 2>/dev/null | head -1 || basename "$MANIFEST" .xml)
+          PACKAGE_NAME="${EXT_ELEMENT}-${VERSION}.zip"
+
+          # ── Build ZIP from src/ ───────────────────────────────────────
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "⚠️ No src/ or htdocs/ — skipping package"; exit 0; }
+
+          cd "$SOURCE_DIR"
+          zip -r "/tmp/${PACKAGE_NAME}" . -x '*.git*' '*.DS_Store' 'Thumbs.db' '*.log'
+          cd ..
+
+          # ── Calculate SHA-256 ─────────────────────────────────────────
+          SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
+          echo "SHA-256: ${SHA256}"
+
+          # ── Upload as release asset ───────────────────────────────────
+          gh release upload "$TAG" "/tmp/${PACKAGE_NAME}" --clobber 2>/dev/null || \
+            echo "⚠️ Could not upload to $TAG — trying without clobber" && \
+            gh release upload "$TAG" "/tmp/${PACKAGE_NAME}" 2>/dev/null || true
+
+          # ── Update update.xml with SHA-256 ────────────────────────────
+          if [ -f "update.xml" ]; then
+            # Insert <sha256> after </downloads> if not already present
+            if grep -q '<sha256>' update.xml; then
+              sed -i "s|<sha256>.*</sha256>|<sha256>sha256:${SHA256}</sha256>|" update.xml
+            else
+              sed -i "s|</downloads>|</downloads>\n    <sha256>sha256:${SHA256}</sha256>|" update.xml
+            fi
+
+            # Commit checksum update
+            git add update.xml
+            git commit -m "chore(release): add SHA-256 checksum for ${VERSION} [skip ci]" \
+              --author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>" || true
+            git push || true
+
+            echo "🔐 SHA-256: \`${SHA256}\`" >> $GITHUB_STEP_SUMMARY
+            echo "📦 Package: ${PACKAGE_NAME} uploaded to release ${TAG}" >> $GITHUB_STEP_SUMMARY
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+
       # ── Summary ────────────────────────────────────────────────────────
       - name: Pipeline Summary
         if: always()