chore: sync .mokogitea/workflows/pre-release.yml from moko-platform [skip ci]

rc(v05.06.00): security backports, actions deadlock fix, dep bumps (#228)

.mokogitea/workflows/auto-release.yml

@@ -63,17 +63,19 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 1
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           if ! command -v composer &> /dev/null; then
             sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
           fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
             /tmp/moko-platform-api
@@ -85,7 +87,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_promote.php \
             --from auto --to release-candidate \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" \
             --branch "${{ github.event.pull_request.head.ref || 'dev' }}"
 
@@ -95,7 +97,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_cascade.php \
             --stability release-candidate \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}"
 
       - name: Summary
@@ -116,19 +118,27 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
+      - name: Configure git for bot pushes
+        run: |
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
         run: |
           # Ensure PHP + Composer are available
           if ! command -v composer &> /dev/null; then
             sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
           fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
             /tmp/moko-platform-api
@@ -155,6 +165,8 @@ jobs:
             echo "skip=true" >> "$GITHUB_OUTPUT"
             exit 0
           fi
+          # Strip any pre-release suffix merged from dev (e.g. 01.02.20-dev → 01.02.20)
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
           MAJOR=$(echo "$VERSION" | cut -d. -f1)
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "release_tag=stable" >> "$GITHUB_OUTPUT"
@@ -167,7 +179,7 @@ jobs:
         if: steps.version.outputs.skip != 'true'
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/release-candidate" 2>/dev/null || echo "{}")
           RC_ID=$(echo "$RC_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
@@ -189,6 +201,8 @@ jobs:
           MOKO_API="/tmp/moko-platform-api/cli"
           php ${MOKO_API}/version_bump.php --path . --minor 2>&1 || true
           VERSION=$(php ${MOKO_API}/version_read.php --path .)
+          # Strip any pre-release suffix — stable releases have no suffix
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "Bumped to: ${VERSION}"
 
@@ -261,6 +275,18 @@ jobs:
 
       # Step 5 (updates.xml) moved after Step 8 to include SHA-256 checksum
 
+      - name: "Step 4b: Promote and prune CHANGELOG"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          MOKO_API="/tmp/moko-platform-api/cli"
+          if [ -f "CHANGELOG.md" ]; then
+            php ${MOKO_API}/changelog_promote.php --path . --version "$VERSION" 2>&1 || true
+            php ${MOKO_API}/changelog_prune.php --path . --keep 5 2>&1 || true
+          fi
+
       - name: Commit release changes
         if: >-
           steps.version.outputs.skip != 'true' &&
@@ -271,14 +297,11 @@ jobs:
             exit 0
           fi
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push -u origin HEAD
+          # Detached HEAD on PR merge — push explicitly to main
+          git push origin HEAD:refs/heads/main
 
       # -- STEP 6: Create tag ---------------------------------------------------
       - name: "Step 6: Create git tag"
@@ -306,7 +329,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_promote.php \
             --from release-candidate --to stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" \
             --path . --branch main
           echo "Promoted RC → stable (${VERSION})" >> $GITHUB_STEP_SUMMARY
@@ -322,7 +345,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_create.php \
             --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch main
           echo "Release created: ${VERSION}" >> $GITHUB_STEP_SUMMARY
 
@@ -338,7 +361,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_package.php \
             --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
       # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
@@ -349,9 +372,9 @@ jobs:
           SHA256="${{ steps.package.outputs.sha256_zip }}"
 
           # Fetch latest updates.xml from main so preserve logic has all channels
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          curl -sf -H "Authorization: token ${GA_TOKEN}" \
+          curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
             "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
             python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
             > updates.xml 2>/dev/null || true
@@ -366,13 +389,10 @@ jobs:
 
           # Commit updates.xml if changed
           if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
             git add updates.xml
             git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
               --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push origin HEAD 2>&1 || true
+            git push origin HEAD:refs/heads/main 2>&1 || true
           fi
 
       # -- STEP 8b: Update release description with changelog ----------------------
@@ -384,7 +404,7 @@ jobs:
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
           php /tmp/moko-platform-api/cli/release_body_update.php \
             --path . --version "${VERSION}" --tag "${RELEASE_TAG}" \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
             2>&1 || true
           echo "Release body updated" >> $GITHUB_STEP_SUMMARY
@@ -393,7 +413,7 @@ jobs:
       - name: "Step 9: Mirror release to GitHub"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_MIRROR_TOKEN != ''
         continue-on-error: true
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
@@ -402,8 +422,8 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_mirror.php \
             --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_TOKEN }}" --gh-repo "$GH_REPO" \
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
             --branch main 2>&1 || true
           echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
 
@@ -411,21 +431,18 @@ jobs:
       - name: "Step 10: Push main to GitHub mirror"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_MIRROR_TOKEN != ''
         continue-on-error: true
         run: |
           GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
           GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
           GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
           git fetch origin main --depth=1
           git push github origin/main:refs/heads/main --force 2>/dev/null \
             && echo "main branch pushed to GitHub mirror" \
             || echo "WARNING: GitHub mirror push failed"
-          git push github origin/main:refs/heads/version --force 2>/dev/null \
-            && echo "version branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror version push failed"
 
       # -- Clean up lesser pre-releases (cascade) ---------------------------------
       # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
@@ -437,7 +454,7 @@ jobs:
           php /tmp/moko-platform-api/cli/release_cascade.php \
             --stability stable \
             --version "${VERSION}" \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" 2>/dev/null || true
 
       - name: "Step 11: Delete and recreate dev branch from main"
@@ -445,7 +462,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -459,26 +476,25 @@ jobs:
 
           echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
 
-      - name: "Step 12: Update version branch from main"
+      - name: "Step 12: Create version branch from main"
         if: steps.version.outputs.skip != 'true'
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          BRANCH_NAME="version/${VERSION}"
           MAIN_SHA=$(git rev-parse HEAD)
 
-          # Try delete + recreate (handles protected branch edge cases)
+          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-            "${API_BASE}/branches/version" 2>/dev/null && echo "Deleted old version branch"
+
+          # Create version/XX.YY.ZZ from main
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
+
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
 
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"version","old_branch_name":"main"}' 2>/dev/null \
-            && echo "Created version branch from main (${MAIN_SHA})" \
-            || echo "WARNING: version branch update failed"
 
-          echo "Version branch updated to main (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
 
       # -- Dolibarr post-release: Reset dev version -----------------------------
       - name: "Post-release: Reset dev version"
@@ -487,7 +503,7 @@ jobs:
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "${API_BASE}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
             --branch dev --path . 2>&1 || true
 
       # -- Summary --------------------------------------------------------------

.mokogitea/workflows/pre-release.yml

@@ -50,16 +50,18 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           if ! command -v composer &> /dev/null; then
             sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
           fi
+          # Always fetch latest CLI tools — never use stale cache from previous runs
+          rm -rf /tmp/moko-platform-api
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
             /tmp/moko-platform-api
@@ -87,16 +89,24 @@ jobs:
           VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
           [ -z "$VERSION" ] && VERSION="00.00.01"
 
+          # Strip any existing suffix from version before applying stability
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
+
           php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" 2>/dev/null || true
+            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
 
           # Verify version consistency across all files
           php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
 
+          # Update VERSION variable with suffix
+          if [ -n "$SUFFIX" ]; then
+            VERSION="${VERSION}${SUFFIX}"
+          fi
+
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git diff --cached --quiet || {
             git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
@@ -112,7 +122,7 @@ jobs:
           EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
           ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
           [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
 
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
@@ -131,7 +141,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php ${MOKO_CLI}/release_create.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch dev --prerelease
 
       - name: Build package and upload
@@ -142,7 +152,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php ${MOKO_CLI}/release_package.php \
             --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
       - name: Update updates.xml
@@ -199,7 +209,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           php ${MOKO_CLI}/release_cascade.php \
             --stability "${{ steps.meta.outputs.stability }}" \

.mokogitea/workflows/update-server.yml

@@ -4,18 +4,16 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Universal
+# INGROUP: moko-platform.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/update-server.yml
-# VERSION: 04.07.00
+# VERSION: 05.00.00
-# BRIEF: Update server XML feed with stable/rc/beta/alpha/dev entries (universal)
+# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
 #
-# Writes updates.xml with multiple <update> entries:
+# Thin wrapper around moko-platform CLI tools.
-#   - <tag>stable</tag>     on push to main (from auto-release)
+# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#   - <tag>rc</tag>         on push to rc/**
-#   - <tag>development</tag> on push to dev or dev/**
 #
-# Joomla filters by user's "Minimum Stability" setting.
+# Joomla filters update entries by the user's "Minimum Stability" setting.
 
 name: "Update Server"
 
@@ -66,7 +64,7 @@ permissions:
 
 jobs:
   update-xml:
-    name: Update updates.xml
+    name: Update Server
     runs-on: release
     if: >-
       github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
@@ -75,50 +73,51 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
       - name: Setup moko-platform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
         run: |
           if ! command -v composer &> /dev/null; then
             sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
           fi
-          if [ -d "/tmp/moko-platform" ]; then
+          # Always fetch latest CLI tools — never use stale cache from previous runs
-            echo "moko-platform already available — skipping clone"
+          rm -rf /tmp/moko-platform
-          else
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
             /tmp/moko-platform 2>/dev/null || true
-          fi
           if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
             cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
           fi
+          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
 
-      - name: Generate updates.xml entry
+      - name: Detect platform
-        id: update
+        id: platform
+        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
+
+      - name: Resolve stability and bump version
+        id: meta
         run: |
           BRANCH="${{ github.ref_name }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
 
-          # Auto-bump patch on all branches (dev, alpha, beta, rc)
+          # Configure git for bot pushes
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          BUMPED=$(php /tmp/moko-platform/cli/version_bump.php --path . 2>/dev/null || true)
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          if [ -n "$BUMPED" ]; then
-            VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
-            git add -A
-            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
-            git push 2>/dev/null || true
-          fi
 
-          # Determine stability from branch or input
+          # Auto-bump patch version
+          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
+
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
+
+          # Strip any existing suffix before applying stability
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
+
+          # Determine stability from branch or manual input
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             STABILITY="${{ inputs.stability }}"
           elif [[ "$BRANCH" == rc/* ]]; then
@@ -127,263 +126,96 @@ jobs:
             STABILITY="beta"
           elif [[ "$BRANCH" == alpha/* ]]; then
             STABILITY="alpha"
-          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
+          else
             STABILITY="development"
-          else
-            STABILITY="stable"
           fi
 
+          # Version suffix per stability stream
+          case "$STABILITY" in
+            development) SUFFIX="-dev";  TAG="development" ;;
+            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)        SUFFIX="-beta";  TAG="beta" ;;
+            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
+            *)           SUFFIX="";       TAG="stable" ;;
+          esac
+
+          # Propagate version with stability suffix to all manifest files
+          php ${MOKO_CLI}/version_set_platform.php \
+            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
+          # Re-read version (now includes suffix from version_set_platform)
+          if [ -n "$SUFFIX" ]; then
+            VERSION="${VERSION}${SUFFIX}"
+          fi
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
 
-          # Parse manifest (portable — no grep -P)
+          # Commit version bump if changed
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          git add -A
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla manifest found — skipping"
-            exit 0
-          fi
-
-          # Extract fields using sed (works on all runners)
-          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
-          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
-
-          # Fallbacks
-          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
-          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
-
-          # Derive element if not in manifest: try XML filename, then repo name
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            case "$EXT_ELEMENT" in
-              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-            esac
-          fi
-
-          # Use manifest version if README version is empty
-          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
-
-          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
-
-          # Joomla requires <client> on ALL extension types for update matching
-          if [ -n "$EXT_CLIENT" ]; then
-            CLIENT_TAG="<client>${EXT_CLIENT}</client>"
-          else
-            CLIENT_TAG="<client>site</client>"
-          fi
-
-          FOLDER_TAG=""
-          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
-
-          PHP_TAG=""
-          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
-
-          # Version suffix for non-stable
-          DISPLAY_VERSION="$VERSION"
-          case "$STABILITY" in
-            development) DISPLAY_VERSION="${VERSION}-dev" ;;
-            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
-            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
-            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
-          esac
-
-          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
-
-          # Each stability level has its own release tag
-          case "$STABILITY" in
-            development) RELEASE_TAG="development" ;;
-            alpha)       RELEASE_TAG="alpha" ;;
-            beta)        RELEASE_TAG="beta" ;;
-            rc)          RELEASE_TAG="release-candidate" ;;
-            *)           RELEASE_TAG="v${MAJOR}" ;;
-          esac
-
-          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
-          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
-
-          # -- Build install packages (ZIP + tar.gz) --------------------
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ -d "$SOURCE_DIR" ]; then
-            EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
-            TAR_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.tar.gz"
-
-            cd "$SOURCE_DIR"
-            zip -r "/tmp/${PACKAGE_NAME}" . -x $EXCLUDES
-            cd ..
-            tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
-              --exclude='.ftpignore' --exclude='sftp-config*' \
-              --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
-
-            SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
-
-            # Ensure release exists on Gitea
-            RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-            RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -z "$RELEASE_ID" ]; then
-              # Create release
-              RELEASE_JSON=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/json" \
-                "${API_BASE}/releases" \
-                -d "$(python3 -c "import json; print(json.dumps({
-                  'tag_name': '${RELEASE_TAG}',
-                  'name': '${RELEASE_TAG} (${DISPLAY_VERSION})',
-                  'body': '${STABILITY} release',
-                  'prerelease': True,
-                  'target_commitish': 'main'
-                }))")" 2>/dev/null || true)
-              RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-            fi
-
-            if [ -n "$RELEASE_ID" ]; then
-              # Delete existing assets with same name before uploading
-              ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-              for ASSET_FILE in "$PACKAGE_NAME" "$TAR_NAME"; do
-                ASSET_ID=$(echo "$ASSETS" | python3 -c "
-          import sys,json
-          assets = json.load(sys.stdin)
-          for a in assets:
-              if a['name'] == '${ASSET_FILE}':
-                  print(a['id']); break
-          " 2>/dev/null || true)
-                if [ -n "$ASSET_ID" ]; then
-                  curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                    "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-                fi
-              done
-
-              # Upload both formats
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${PACKAGE_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${PACKAGE_NAME}" > /dev/null 2>&1 || true
-
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${TAR_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-            fi
-
-            echo "Packages: ${PACKAGE_NAME} + ${TAR_NAME} (SHA: ${SHA256})" >> $GITHUB_STEP_SUMMARY
-          else
-            SHA256=""
-          fi
-
-          # -- Build the new entry (canonical format matching release.yml) --
-          NEW_ENTRY=""
-          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
-          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
-          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
-          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
-          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
-          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
-          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
-          NEW_ENTRY="${NEW_ENTRY}  </update>"
-
-          # -- Write new entry to temp file --------------------------------
-          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
-
-          # -- Merge into updates.xml ----------------------------------------
-          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
-          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
-          TARGETS=""
-          for entry in $CASCADE_MAP; do
-            key="${entry%%:*}"
-            vals="${entry#*:}"
-            if [ "$key" = "${STABILITY}" ]; then
-              TARGETS="$vals"
-              break
-            fi
-          done
-          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
-
-          echo "Cascade: ${STABILITY} → ${TARGETS}"
-
-          # Create updates.xml if missing
-          if [ ! -f "updates.xml" ]; then
-            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
-            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
-            printf '%s\n' "<updates>" >> updates.xml
-            printf '%s\n' "</updates>" >> updates.xml
-          fi
-
-          # Update existing blocks or create missing ones
-          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
-          python3 << 'PYEOF'
-          import re, os
-
-          targets = os.environ["PY_TARGETS"].split(",")
-          version = os.environ["PY_VERSION"]
-          date = os.environ["PY_DATE"]
-
-          with open("updates.xml") as f:
-              content = f.read()
-          with open("/tmp/new_entry.xml") as f:
-              new_entry_template = f.read()
-
-          for tag in targets:
-              tag = tag.strip()
-              # Build entry with this tag's name
-              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
-
-              # Try to find existing block (handles both single-line and multi-line <tags>)
-              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
-              match = re.search(block_pattern, content, re.DOTALL)
-
-              if match:
-                  # Update in place — replace entire block
-                  content = content.replace(match.group(1), new_entry.strip())
-                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
-              else:
-                  # Create — insert before </updates>
-                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
-                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
-
-          # Clean up excessive blank lines
-          content = re.sub(r"\n{3,}", "\n\n", content)
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-          # Commit
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git add updates.xml
           git diff --cached --quiet || {
-            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
+            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
               --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
             git push
           }
 
-      # -- Sync updates.xml to main (for non-main branches) ----------------------
+      - name: Create release and upload package
+        id: package
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          TAG="${{ steps.meta.outputs.tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Create or update Gitea release
+          php ${MOKO_CLI}/release_create.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
+
+          # Build package and upload
+          php ${MOKO_CLI}/release_package.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --output /tmp || true
+
+      - name: Update updates.xml
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+
+          if [ ! -f "updates.xml" ]; then
+            echo "No updates.xml — skipping"
+            exit 0
+          fi
+
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
+          php ${MOKO_CLI}/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability "${STABILITY}" \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG}
+
+          # Commit and push updates.xml
+          git add updates.xml
+          git diff --cached --quiet || {
+            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
+            git push
+          }
+
       - name: Sync updates.xml to main
-        if: github.ref_name != 'main'
+        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
             "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
 
           if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
@@ -394,27 +226,22 @@ jobs:
           payload = json.dumps({
               'content': content,
               'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
+              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
               'branch': 'main'
           }).encode()
           req = urllib.request.Request(
               '${API_BASE}/contents/updates.xml',
               data=payload, method='PUT',
               headers={
-                  'Authorization': 'token ${GA_TOKEN}',
+                  'Authorization': 'token ${GITEA_TOKEN}',
                   'Content-Type': 'application/json'
               })
           try:
               urllib.request.urlopen(req)
               print('updates.xml synced to main')
           except Exception as e:
-              print(f'ERROR: failed to sync updates.xml to main: {e}', file=sys.stderr)
+              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-              sys.exit(1)
+          "
-          " \
-              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
-              || echo "::error::failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "::error::could not get updates.xml SHA from main — file may not exist on main yet" >> $GITHUB_STEP_SUMMARY
           fi
 
       - name: SFTP deploy to dev server
@@ -428,12 +255,11 @@ jobs:
           DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
           DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
         run: |
-          # -- Permission check: admin or maintain role required --------
+          # Permission check: admin or maintain role required
           ACTOR="${{ github.actor }}"
-          REPO="${{ github.repository }}"
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
             python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
           case "$PERMISSION" in
@@ -463,198 +289,24 @@ jobs:
             printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
           fi
 
-          PLATFORM=$(php /tmp/moko-platform/cli/platform_detect.php --path . 2>/dev/null || true)
+          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/moko-platform/deploy/deploy-joomla.php" ]; then
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php /tmp/moko-platform/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "/tmp/moko-platform/deploy/deploy-sftp.php" ]; then
+          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php /tmp/moko-platform/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
           fi
           rm -f /tmp/deploy_key /tmp/sftp-config.json
           echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
 
-      - name: Validate updates.xml integrity
-        run: |
-          ERRORS=0
-
-          if [ ! -f "updates.xml" ]; then
-            echo "::error::updates.xml not found"
-            exit 1
-          fi
-
-          # Well-formed XML
-          if ! python3 -c "import xml.etree.ElementTree as ET; ET.parse('updates.xml')" 2>/dev/null; then
-            echo "::error::updates.xml is not valid XML"
-            ERRORS=$((ERRORS+1))
-          fi
-
-          python3 << 'PYEOF'
-          import xml.etree.ElementTree as ET, sys, re, os
-
-          tree = ET.parse("updates.xml")
-          root = tree.getroot()
-          updates = root.findall("update")
-          errors = 0
-          warnings = 0
-          seen_tags = set()
-
-          # All 5 channels MUST be present
-          REQUIRED_CHANNELS = {"stable", "rc", "beta", "alpha", "dev"}
-          VALID_TAGS = REQUIRED_CHANNELS | {"development"}  # accept legacy alias
-          REPO = os.environ.get("GITEA_REPO", "")
-          ORG = os.environ.get("GITEA_ORG", "MokoConsulting")
-          REPO_BASE = f"https://git.mokoconsulting.tech/{ORG}/"
-
-          # Gitea release tag names per channel (Moko standard)
-          RELEASE_TAG_MAP = {
-              "stable": "stable",
-              "rc": "release-candidate",
-              "beta": "beta",
-              "alpha": "alpha",
-              "dev": "development",
-              "development": "development",
-          }
-
-          # Joomla update XML required fields per
-          # https://docs.joomla.org/Deploying_an_Update_Server
-          REQUIRED_FIELDS = ["name", "element", "type", "version", "infourl"]
-
-          for i, u in enumerate(updates):
-              tag_el = u.find("tags/tag")
-              tag = tag_el.text.strip() if tag_el is not None and tag_el.text else None
-              label = f"Entry {i+1} (<tag>{tag or '?'}</tag>)"
-
-              # -- Required Joomla fields --
-              for field in REQUIRED_FIELDS:
-                  el = u.find(field)
-                  if el is None or not (el.text or "").strip():
-                      print(f"::error::{label}: missing required <{field}>")
-                      errors += 1
-
-              # -- <downloads><downloadurl> --
-              dl = u.find("downloads/downloadurl")
-              if dl is None or not (dl.text or "").strip():
-                  print(f"::error::{label}: missing <downloads><downloadurl>")
-                  errors += 1
-              else:
-                  dl_url = dl.text.strip()
-                  # Must point to org repo
-                  if REPO_BASE not in dl_url:
-                      print(f"::error::{label}: download URL not under {REPO_BASE}: {dl_url}")
-                      errors += 1
-                  # Must end in .zip
-                  if not dl_url.endswith(".zip"):
-                      print(f"::error::{label}: download URL must end in .zip: {dl_url}")
-                      errors += 1
-                  # Must use correct Gitea release tag in path
-                  if tag and tag in RELEASE_TAG_MAP:
-                      expected_tag = RELEASE_TAG_MAP[tag]
-                      if f"/download/{expected_tag}/" not in dl_url:
-                          print(f"::error::{label}: download URL should contain /download/{expected_tag}/ but got: {dl_url}")
-                          errors += 1
-
-              # -- <client> (required for Joomla to match update) --
-              client = u.find("client")
-              if client is None or not (client.text or "").strip():
-                  print(f"::error::{label}: missing <client> (required for Joomla update matching)")
-                  errors += 1
-
-              # -- <targetplatform> --
-              tp = u.find("targetplatform")
-              if tp is None:
-                  print(f"::error::{label}: missing <targetplatform>")
-                  errors += 1
-              else:
-                  tp_name = tp.get("name", "")
-                  tp_ver = tp.get("version", "")
-                  if tp_name != "joomla":
-                      print(f"::error::{label}: targetplatform name should be 'joomla', got '{tp_name}'")
-                      errors += 1
-                  if not tp_ver:
-                      print(f"::error::{label}: targetplatform missing version regex")
-                      errors += 1
-                  elif "5" not in tp_ver or "6" not in tp_ver:
-                      print(f"::warning::{label}: targetplatform version may not cover Joomla 5+6: {tp_ver}")
-                      warnings += 1
-
-              # -- <type> must be valid Joomla type --
-              type_el = u.find("type")
-              if type_el is not None and type_el.text:
-                  valid_types = {"component", "module", "plugin", "template", "library", "package", "file"}
-                  if type_el.text.strip() not in valid_types:
-                      print(f"::error::{label}: invalid type '{type_el.text}' (expected: {valid_types})")
-                      errors += 1
-
-              # -- <version> format (XX.YY.ZZ with optional suffix) --
-              ver_el = u.find("version")
-              if ver_el is not None and ver_el.text:
-                  if not re.match(r"^\d{2}\.\d{2}\.\d{2}(-\w+)?$", ver_el.text.strip()):
-                      print(f"::warning::{label}: version '{ver_el.text}' does not match XX.YY.ZZ format")
-                      warnings += 1
-
-              # -- <maintainer> and <maintainerurl> --
-              for field in ["maintainer", "maintainerurl"]:
-                  el = u.find(field)
-                  if el is None or not (el.text or "").strip():
-                      print(f"::warning::{label}: missing <{field}>")
-                      warnings += 1
-
-              # -- Valid stability tag --
-              if tag is None:
-                  print(f"::error::{label}: missing <tags><tag>")
-                  errors += 1
-              elif tag not in VALID_TAGS:
-                  print(f"::error::{label}: invalid tag '{tag}' (expected: {VALID_TAGS})")
-                  errors += 1
-
-              # -- Duplicate tag check --
-              norm_tag = "dev" if tag == "development" else tag
-              if norm_tag in seen_tags:
-                  print(f"::error::{label}: duplicate channel '{tag}'")
-                  errors += 1
-              if norm_tag:
-                  seen_tags.add(norm_tag)
-
-          # -- All 5 channels must exist --
-          missing = REQUIRED_CHANNELS - seen_tags
-          if missing:
-              print(f"::error::Missing required update channels: {', '.join(sorted(missing))}")
-              errors += 1
-
-          # -- Version ordering: higher stability must not exceed dev version --
-          channel_versions = {}
-          for u in updates:
-              tag_el = u.find("tags/tag")
-              ver_el = u.find("version")
-              if tag_el is not None and ver_el is not None and tag_el.text and ver_el.text:
-                  norm = "dev" if tag_el.text.strip() == "development" else tag_el.text.strip()
-                  # Strip suffix for comparison (01.00.18-dev -> 01.00.18)
-                  base_ver = re.sub(r"-\w+$", "", ver_el.text.strip())
-                  channel_versions[norm] = base_ver
-
-          # Cascade check: dev >= alpha >= beta >= rc >= stable
-          ORDER = ["dev", "alpha", "beta", "rc", "stable"]
-          for j in range(1, len(ORDER)):
-              current = ORDER[j]
-              previous = ORDER[j - 1]
-              if current in channel_versions and previous in channel_versions:
-                  if channel_versions[current] > channel_versions[previous]:
-                      print(f"::error::{current} version ({channel_versions[current]}) is ahead of {previous} ({channel_versions[previous]})")
-                      errors += 1
-
-          # -- Summary --
-          print(f"\nupdates.xml validation: {len(updates)} entries, {errors} error(s), {warnings} warning(s)")
-          if errors > 0:
-              sys.exit(1)
-          PYEOF
-
       - name: Summary
         if: always()
         run: |
-          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          DISPLAY="${{ steps.meta.outputs.display_version }}"
+          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
           echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
           echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY