.mokogitea/branch-protection.yml

@@ -116,17 +116,18 @@ jobs:
           SKIPPED=0
 
           # ── Rule definitions ──────────────────────────────────────
-          # Each rule: NAME|JSON_BODY
-          # jmiller has override (force push + push whitelist) on all branches
+          # Only the CI bot (jmiller token) can push directly.
+          # All human contributors must use PRs.
+          # Force push disabled on all branches.
 
           RULE_MAIN='{
             "rule_name": "main",
             "enable_push": true,
             "enable_push_whitelist": true,
             "push_whitelist_usernames": ["jmiller"],
-            "enable_force_push": true,
-            "enable_force_push_allowlist": true,
-            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
             "enable_merge_whitelist": false,
             "required_approvals": 0,
             "dismiss_stale_approvals": true,
@@ -138,10 +139,11 @@ jobs:
           RULE_DEV='{
             "rule_name": "dev",
             "enable_push": true,
-            "enable_push_whitelist": false,
-            "enable_force_push": true,
-            "enable_force_push_allowlist": true,
-            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
             "enable_merge_whitelist": false,
             "required_approvals": 0,
             "block_on_rejected_reviews": false,
@@ -151,10 +153,11 @@ jobs:
           RULE_RC='{
             "rule_name": "rc",
             "enable_push": true,
-            "enable_push_whitelist": false,
-            "enable_force_push": true,
-            "enable_force_push_allowlist": true,
-            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
             "enable_merge_whitelist": false,
             "required_approvals": 0,
             "block_on_rejected_reviews": false,
@@ -164,10 +167,11 @@ jobs:
           RULE_BETA='{
             "rule_name": "beta",
             "enable_push": true,
-            "enable_push_whitelist": false,
-            "enable_force_push": true,
-            "enable_force_push_allowlist": true,
-            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
             "enable_merge_whitelist": false,
             "required_approvals": 0,
             "block_on_rejected_reviews": false,
@@ -177,10 +181,11 @@ jobs:
           RULE_ALPHA='{
             "rule_name": "alpha",
             "enable_push": true,
-            "enable_push_whitelist": false,
-            "enable_force_push": true,
-            "enable_force_push_allowlist": true,
-            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": false,
+            "enable_force_push_allowlist": false,
+            "force_push_allowlist_usernames": [],
             "enable_merge_whitelist": false,
             "required_approvals": 0,
             "block_on_rejected_reviews": false,

.mokogitea/workflows/auto-release.yml

@@ -497,13 +497,21 @@ jobs:
             --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --api-base "${API_BASE}" 2>/dev/null || true
 
-      - name: "Step 11: Delete and recreate dev branch from main"
+      - name: "Step 11: Clean up pre-release branches and recreate dev from main"
         if: steps.version.outputs.skip != 'true'
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
+          # Delete ephemeral pre-release branches (rc, alpha, beta)
+          for EPHEMERAL in rc alpha beta; do
+            curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+              "${API_BASE}/branches/${EPHEMERAL}" 2>/dev/null \
+              && echo "Deleted ${EPHEMERAL} branch" \
+              || echo "${EPHEMERAL} branch not found"
+          done
+
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
             "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
@@ -514,7 +522,7 @@ jobs:
             "${API_BASE}/branches" \
             -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
 
-          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
 
       - name: "Step 12: Create version branch from main"
         if: steps.version.outputs.skip != 'true'

.mokogitea/workflows/branch-cleanup.yml

@@ -26,10 +26,7 @@ jobs:
     if: >-
       github.event.pull_request.merged == true &&
       github.event.pull_request.head.ref != 'dev' &&
-      github.event.pull_request.head.ref != 'main' &&
-      github.event.pull_request.head.ref != 'rc' &&
-      github.event.pull_request.head.ref != 'alpha' &&
-      github.event.pull_request.head.ref != 'beta'
+      github.event.pull_request.head.ref != 'main'
 
     steps:
       - name: Delete source branch

cli/version_auto_bump.php

@@ -62,11 +62,17 @@ if (array_key_exists($branch, $stabilityMap)) {
 $cli = __DIR__;
 $php = PHP_BINARY;
 
-// Step 1: Patch bump
-$bumpOutput = [];
-exec("{$php} {$cli}/version_bump.php --path " . escapeshellarg($path) . " 2>&1", $bumpOutput, $bumpRc);
-foreach ($bumpOutput as $line) {
-    echo "{$line}\n";
+// Step 1: Patch bump (skip on alpha/beta/rc — those only change the suffix)
+$shouldBump = !in_array($branch, ['alpha', 'beta', 'rc'], true);
+
+if ($shouldBump) {
+    $bumpOutput = [];
+    exec("{$php} {$cli}/version_bump.php --path " . escapeshellarg($path) . " 2>&1", $bumpOutput, $bumpRc);
+    foreach ($bumpOutput as $line) {
+        echo "{$line}\n";
+    }
+} else {
+    echo "Skipping patch bump on {$branch} branch (suffix change only)\n";
 }
 
 // Step 2: Read version
@@ -126,7 +132,9 @@ if (!empty($repoUrl)) {
 }
 
 @shell_exec("cd " . escapeshellarg($root) . " && git add -A");
-$commitMsg = "chore(version): auto-bump patch {$displayVersion} [skip ci]";
+$commitMsg = $shouldBump
+    ? "chore(version): auto-bump patch {$displayVersion} [skip ci]"
+    : "chore(version): set {$stability} suffix {$displayVersion} [skip ci]";
 @shell_exec("cd " . escapeshellarg($root) . " && git commit -m " . escapeshellarg($commitMsg)
     . " --author=\"gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>\"");