Azure · britaniar · Jun 22, 2026 · Jun 24, 2026 · Jun 25, 2026 · Jun 25, 2026
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,41 @@
+# Configures GitHub auto-generated release notes.
+# https://docs.github.com/repositories/releasing-projects-on-github/automatically-generated-release-notes
+#
+# Categorization is label-based. Contributors should add a single release-note/*
+# label to each PR; the label should match the PR title prefix
+# (e.g. feat: -> release-note/feature, fix: -> release-note/fix).
+# PRs with no release-note label fall into "Other Changes".
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+      - release-note/none
+  categories:
+    - title: Breaking Changes
+      labels:
+        - release-note/breaking
+    - title: Security
+      labels:
+        - release-note/security
+    - title: New Features
+      labels:
+        - release-note/feature
+    - title: Bug Fixes
+      labels:
+        - release-note/fix
+    - title: Documentation
+      labels:
+        - release-note/docs
+    - title: Tests
+      labels:
+        - release-note/test
+    - title: Refactors
+      labels:
+        - release-note/refactor
+    - title: Maintenance and Dependencies
+      labels:
+        - release-note/chore
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"
diff --git a/.github/workflows/chart.yml b/.github/workflows/chart.yml
@@ -2,8 +2,13 @@ name: Helm Chart Publisher
 
 on:
   push:
+    # Pre-release tags (e.g. v0.4.0-rc.1) build images via release.yml but
+    # must not land in the public Helm index. The negative pattern below
+    # filters them out; workflow_dispatch can still publish a specific
+    # tag manually if ever needed.
     tags:
       - "v*.*.*"
+      - "!v*-rc.*"
   workflow_dispatch:
     inputs:
       tag:
@@ -26,8 +31,15 @@ jobs:
   publish-github-pages:
     needs: export-registry
     runs-on: ubuntu-latest
+    # Only the gh-pages publish needs serialization: helm-gh-pages always
+    # rewrites the gh-pages branch, so concurrent runs for different tags
+    # would race. The OCI publish below pushes immutable per-tag blobs and
+    # is safe to run in parallel across tags, so it stays unguarded.
+    concurrency:
+      group: helm-chart-publish-gh-pages
+      cancel-in-progress: false
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           submodules: true
           fetch-depth: 0
@@ -44,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,11 +41,11 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Ginkgo CLI
         run: |
-          go install github.com/onsi/ginkgo/v2/ginkgo@v2.19.1
+          go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4
 
       - name: Prepare necessary environment variables
         run: |
@@ -116,7 +116,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Move Docker data directory to /mnt
         # The default storage device on GitHub-hosted runners is running low during e2e tests.

diff --git a/.github/workflows/code-lint.yml b/.github/workflows/code-lint.yml
@@ -42,7 +42,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           submodules: true
 
@@ -63,7 +63,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: golangci-lint
         run: make lint
@@ -76,7 +76,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,7 +38,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -16,7 +16,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4.1.7
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.1.7
       - uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # master
         with:
           check_filenames: true

diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
@@ -10,7 +10,7 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
     - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1
       with:
         # this will only show errors in the output

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,6 +15,14 @@ permissions:
   contents: read
   packages: write
 
+# Serialize releases per ref so concurrent tag pushes can't race on image
+# pushes to the same ${REGISTRY}/${IMAGE}:${TAG}. Different tags can still
+# run in parallel. We never want cancel-in-progress here: aborting a
+# half-pushed image is worse than letting it finish.
+concurrency:
+  group: release-images-${{ github.ref }}
+  cancel-in-progress: false
+
 env:
   REGISTRY: ghcr.io
   HUB_AGENT_IMAGE_NAME: hub-agent
@@ -41,7 +49,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ needs.export-registry.outputs.tag }}
 
@@ -56,10 +64,18 @@ jobs:
         run: |
           make push
 
+      # The short-tag (e.g. ":0.4.0") aliases the long form for stable releases
+      # only. RC images are published under the long form (":v0.4.0-rc.1") for
+      # testers, but we deliberately do NOT alias them to a short tag - the
+      # short-tag namespace is reserved for stable releases that consumers can
+      # safely pin to (and "imagetools create" with an RC alias would publish
+      # "0.4.0-rc.1" into that namespace, muddying it).
       - name: Tag and push images without v prefix
+        if: ${{ !contains(needs.export-registry.outputs.tag, '-rc.') }}
         env:
           VERSION: ${{ needs.export-registry.outputs.version }}
         run: |
+          set -euo pipefail
           for IMAGE in ${{ env.HUB_AGENT_IMAGE_NAME }} ${{ env.MEMBER_AGENT_IMAGE_NAME }} ${{ env.REFRESH_TOKEN_IMAGE_NAME }}; do
             docker buildx imagetools create \
               --tag "${{ env.REGISTRY }}/${IMAGE}:${VERSION}" \
@@ -70,10 +86,11 @@ jobs:
         env:
           VERSION: ${{ needs.export-registry.outputs.version }}
         run: |
+          set -euo pipefail
           echo "✅ Published images:"
-          echo "  - ${{ env.REGISTRY }}/${{ env.HUB_AGENT_IMAGE_NAME }}:${{ env.TAG }}"
-          echo "  - ${{ env.REGISTRY }}/${{ env.HUB_AGENT_IMAGE_NAME }}:${VERSION}"
-          echo "  - ${{ env.REGISTRY }}/${{ env.MEMBER_AGENT_IMAGE_NAME }}:${{ env.TAG }}"
-          echo "  - ${{ env.REGISTRY }}/${{ env.MEMBER_AGENT_IMAGE_NAME }}:${VERSION}"
-          echo "  - ${{ env.REGISTRY }}/${{ env.REFRESH_TOKEN_IMAGE_NAME }}:${{ env.TAG }}"
-          echo "  - ${{ env.REGISTRY }}/${{ env.REFRESH_TOKEN_IMAGE_NAME }}:${VERSION}"
+          for IMAGE in ${{ env.HUB_AGENT_IMAGE_NAME }} ${{ env.MEMBER_AGENT_IMAGE_NAME }} ${{ env.REFRESH_TOKEN_IMAGE_NAME }}; do
+            echo "  - ${{ env.REGISTRY }}/${IMAGE}:${{ env.TAG }}"
+            if [[ "${{ env.TAG }}" != *-rc.* ]]; then
+              echo "  - ${{ env.REGISTRY }}/${IMAGE}:${VERSION}"
+            fi
+          done
diff --git a/.github/workflows/setup-release.yml b/.github/workflows/setup-release.yml
@@ -32,8 +32,8 @@ jobs:
             - id: setup
               run: |
                   TAG="${{ inputs.tag }}"
-                  if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
-                    echo "Error: Invalid release tag '${TAG}'. Expected format: v*.*.*"
+                  if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$ ]]; then
+                    echo "Error: Invalid release tag '${TAG}'. Expected format: vMAJOR.MINOR.PATCH or vMAJOR.MINOR.PATCH-rc.N"
                     exit 1
                   fi
 

diff --git a/.github/workflows/squad-ci.yml b/.github/workflows/squad-ci.yml
@@ -0,0 +1,28 @@
+name: Squad CI
+# go project — configure build/test commands below
+
+on:
+  pull_request:
+    branches: [dev, preview, main, insider]
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [dev, insider]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Build and test
+        run: |
+          # TODO: Add your go build/test commands here
+          # Go:            go test ./...
+          # Python:        pip install -r requirements.txt && pytest
+          # .NET:          dotnet test
+          # Java (Maven):  mvn test
+          # Java (Gradle): ./gradlew test
+          echo "No build commands configured — update squad-ci.yml"
diff --git a/.github/workflows/squad-docs.yml b/.github/workflows/squad-docs.yml
@@ -0,0 +1,27 @@
+name: Squad Docs — Build & Deploy
+# go project — configure documentation build commands below
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [preview]
+    paths:
+      - 'docs/**'
+      - '.github/workflows/squad-docs.yml'
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Build docs
+        run: |
+          # TODO: Add your documentation build commands here
+          # This workflow is optional — remove or customize it for your project
+          echo "No docs build commands configured — update or remove squad-docs.yml"