fix: PR sync always runs, cleans up stale branches

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/auto-release.yml

@@ -499,21 +499,6 @@ jobs:
 
           EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
 
-          # Bundle MokoOnyx payload if payload dir exists
-          if [ -d "${SOURCE_DIR}/payload" ]; then
-            # Get latest MokoOnyx stable ZIP name from release
-            ONYX_API="https://git.mokoconsulting.tech/api/v1/repos/MokoConsulting/MokoOnyx/releases/tags/stable"
-            ONYX_ZIP=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "$ONYX_API" 2>/dev/null \
-              | python3 -c "import sys,json; assets=json.load(sys.stdin).get('assets',[]); zips=[a for a in assets if a['name'].endswith('.zip')]; print(zips[0]['browser_download_url'] if zips else '')" 2>/dev/null)
-            if [ -n "$ONYX_ZIP" ]; then
-              curl -sfL "$ONYX_ZIP" -o "${SOURCE_DIR}/payload/mokoonyx.zip" \
-                && echo "Bundled MokoOnyx payload from ${ONYX_ZIP}" \
-                || echo "WARNING: could not download MokoOnyx payload"
-            else
-              echo "WARNING: could not find MokoOnyx stable release"
-            fi
-          fi
-
           # ZIP package
           cd "$SOURCE_DIR"
           zip -r "/tmp/${ZIP_NAME}" . -x $EXCLUDES
@@ -611,69 +596,66 @@ jobs:
               --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
             git push || true
 
-            # Sync updates.xml to main via PR (respects branch protection)
-            if [ "$CURRENT_BRANCH" != "main" ]; then
-              GA_TOKEN="${{ secrets.GA_TOKEN }}"
-              API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
-              PR_BRANCH="chore/update-xml-${VERSION}"
+            # Sync updates.xml to main via PR (always runs — may be on version/XX branch)
+            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
+            PR_BRANCH="chore/update-xml-${VERSION}"
 
-              # Create branch from main
-              MAIN_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-                "${API}/branches/main" | jq -r '.commit.sha // empty')
+            # Cleanup stale PR branch
+            curl -sf -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/branches/${PR_BRANCH}" > /dev/null 2>&1 || true
 
-              if [ -n "$MAIN_SHA" ]; then
+            # Create fresh branch from main
+            curl -sf -X POST -H "Authorization: token ${GA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "${API}/branches" \
+              -d "$(jq -n --arg name "$PR_BRANCH" \
+                '{new_branch_name: $name, old_branch_name: "main"}')" > /dev/null 2>&1 || true
+
+            # Update updates.xml on PR branch
+            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/contents/updates.xml?ref=${PR_BRANCH}" | jq -r '.sha // empty')
+
+            if [ -n "$FILE_SHA" ]; then
+              CONTENT=$(base64 -w0 updates.xml)
+              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                "${API}/contents/updates.xml" \
+                -d "$(jq -n \
+                  --arg content "$CONTENT" \
+                  --arg sha "$FILE_SHA" \
+                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
+                  --arg branch "$PR_BRANCH" \
+                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
+                )" > /dev/null 2>&1
+
+              # Create and auto-merge PR
+              PR_NUM=$(curl -sf -X POST -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                "${API}/pulls" \
+                -d "$(jq -n \
+                  --arg title "chore: sync updates.xml ${VERSION} [skip ci]" \
+                  --arg head "$PR_BRANCH" \
+                  --arg base "main" \
+                  --arg body "Auto-generated by release workflow." \
+                  '{title: $title, head: $head, base: $base, body: $body}'
+                )" | jq -r '.number // empty')
+
+              if [ -n "$PR_NUM" ]; then
                 curl -sf -X POST -H "Authorization: token ${GA_TOKEN}" \
                   -H "Content-Type: application/json" \
-                  "${API}/branches" \
-                  -d "$(jq -n --arg name "$PR_BRANCH" --arg sha "$MAIN_SHA" \
-                    '{new_branch_name: $name, old_branch_name: "main"}')" > /dev/null 2>&1 || true
-
-                # Update updates.xml on the PR branch
-                FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-                  "${API}/contents/updates.xml?ref=${PR_BRANCH}" | jq -r '.sha // empty')
-
-                if [ -n "$FILE_SHA" ]; then
-                  CONTENT=$(base64 -w0 updates.xml)
-                  curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-                    -H "Content-Type: application/json" \
-                    "${API}/contents/updates.xml" \
-                    -d "$(jq -n \
-                      --arg content "$CONTENT" \
-                      --arg sha "$FILE_SHA" \
-                      --arg msg "chore: update stable channel to ${VERSION} [skip ci]" \
-                      --arg branch "$PR_BRANCH" \
-                      '{content: $content, sha: $sha, message: $msg, branch: $branch}'
-                    )" > /dev/null 2>&1
-
-                  # Create PR
-                  PR_URL=$(curl -sf -X POST -H "Authorization: token ${GA_TOKEN}" \
-                    -H "Content-Type: application/json" \
-                    "${API}/pulls" \
-                    -d "$(jq -n \
-                      --arg title "chore: update updates.xml for ${VERSION} [skip ci]" \
-                      --arg head "$PR_BRANCH" \
-                      --arg base "main" \
-                      --arg body "Auto-generated by release workflow. Updates updates.xml with SHA-256 and download URLs for ${VERSION}." \
-                      '{title: $title, head: $head, base: $base, body: $body}'
-                    )" | jq -r '.number // empty')
-
-                  # Auto-merge the PR
-                  if [ -n "$PR_URL" ]; then
-                    curl -sf -X POST -H "Authorization: token ${GA_TOKEN}" \
-                      -H "Content-Type: application/json" \
-                      "${API}/pulls/${PR_URL}/merge" \
-                      -d '{"Do":"merge","merge_message_field":"chore: update updates.xml for '"${VERSION}"' [skip ci]"}' > /dev/null 2>&1 \
-                      && echo "updates.xml synced to main via PR #${PR_URL}" \
-                      || echo "PR #${PR_URL} created but auto-merge failed — merge manually"
-
-                    # Cleanup: delete PR branch
-                    curl -sf -X DELETE -H "Authorization: token ${GA_TOKEN}" \
-                      "${API}/branches/${PR_BRANCH}" > /dev/null 2>&1 || true
-                  else
-                    echo "WARNING: failed to create PR for updates.xml sync"
-                  fi
-                fi
+                  "${API}/pulls/${PR_NUM}/merge" \
+                  -d '{"Do":"merge","merge_message_field":"chore: sync updates.xml '"${VERSION}"' [skip ci]"}' > /dev/null 2>&1 \
+                  && echo "updates.xml synced to main via PR #${PR_NUM}" \
+                  || echo "PR #${PR_NUM} created — merge manually"
+                # Cleanup
+                curl -sf -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+                  "${API}/branches/${PR_BRANCH}" > /dev/null 2>&1 || true
+              else
+                echo "WARNING: PR creation failed"
               fi
+            else
+              echo "WARNING: could not get updates.xml SHA from PR branch"
             fi
           fi