fix: pass SHA-256 checksum to updates.xml in both release workflows

- release_package.php now outputs sha256_zip= to GITHUB_OUTPUT
- auto-release.yml: moved updates.xml write after package build so SHA is available
- pre-release.yml: passes --sha from zip step to updates_xml_build.php
- updates.xml now includes <sha256> tag for Joomla update integrity verification

Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.mokogitea/workflows/auto-release.yml

@@ -249,25 +249,7 @@ jobs:
           php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
           php /tmp/moko-platform-api/cli/version_check.php --path . --fix 2>/dev/null || true
 
-      - name: "Step 5: Write update stream"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-
-          # Fetch latest updates.xml from main so preserve logic has all channels
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          curl -sf -H "Authorization: token ${GA_TOKEN}" \
-            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
-            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
-            > updates.xml 2>/dev/null || true
-
-          php /tmp/moko-platform-api/cli/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability stable \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            --github-output
+      # Step 5 (updates.xml) moved after Step 8 to include SHA-256 checksum
 
       - name: Commit release changes
         if: >-
@@ -336,6 +318,7 @@ jobs:
 
       # -- STEP 8: Build packages and upload to release ----------------------------
       - name: "Step 8: Build package and upload"
+        id: package
         if: >-
           steps.version.outputs.skip != 'true' &&
           steps.rc.outputs.promote != 'true'
@@ -348,6 +331,40 @@ jobs:
             --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
+      # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
+      - name: "Step 5: Write update stream"
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+
+          # Fetch latest updates.xml from main so preserve logic has all channels
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
+            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
+            > updates.xml 2>/dev/null || true
+
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
+          php /tmp/moko-platform-api/cli/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability stable \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG} --github-output
+
+          # Commit updates.xml if changed
+          if ! git diff --quiet updates.xml 2>/dev/null; then
+            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+            git config --local user.name "gitea-actions[bot]"
+            git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+            git add updates.xml
+            git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            git push origin HEAD 2>&1 || true
+          fi
+
       # -- STEP 8b: Update release description with changelog ----------------------
       - name: "Step 8b: Update release body"
         if: steps.version.outputs.skip != 'true'

.mokogitea/workflows/pre-release.yml

@@ -245,15 +245,20 @@ jobs:
         run: |
           VERSION="${{ steps.meta.outputs.version }}"
           STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"
 
           if [ ! -f "updates.xml" ]; then
             echo "No updates.xml -- skipping"
             exit 0
           fi
 
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
           php ${MOKO_CLI}/updates_xml_build.php \
             --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}"
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG}
 
           # Commit and push
           if ! git diff --quiet updates.xml 2>/dev/null; then

cli/release_package.php

@@ -485,6 +485,14 @@ file_put_contents($tarSha, "{$tarHash}  {$baseName}.tar.gz\n");
 
 echo "SHA-256 (ZIP): {$zipHash}\n";
 echo "SHA-256 (TAR): {$tarHash}\n";
+echo "sha256_zip={$zipHash}\n";
+echo "zip_name={$baseName}.zip\n";
+
+// Write to GITHUB_OUTPUT if available
+$ghOutput = getenv('GITHUB_OUTPUT');
+if ($ghOutput) {
+    file_put_contents($ghOutput, "sha256_zip={$zipHash}\nzip_name={$baseName}.zip\n", FILE_APPEND);
+}
 
 // ── Get release ID from tag ──────────────────────────────────────────────────