Fix Eva release branch asset publishing #179

Merged: 100yenadmin merged 2 commits into master from fix/release-branch-assets-v9 on Jun 18, 2026
100yenadmin (Member) commented Jun 18, 2026

Closes #178.

TL;DR

Release branches should produce complete Eva release artifacts, not just create a source tag. This PR fixes the release workflow so release/eva-v* branch pushes create or reuse the matching tag, then build and upload gbrain-darwin-arm64, gbrain-linux-x64, and SHA256SUMS in the same workflow run.

Why

The .8 rollout candidate exposed a release-channel gap: release/eva-v0.42.47.8 created the tag, but GitHub did not run the tag-triggered build afterward because tag pushes made by GITHUB_TOKEN do not recursively trigger workflows. The result was a visible source-only release, which is not good enough for a fleet rollout gate.

flowchart LR
  A[release/eva-v* branch] --> B[validate package version]
  B --> C[create matching tag if missing]
  C --> D[build macOS + Linux binaries]
  D --> E[upload binaries + SHA256SUMS]

What Changed

  • Allows the build and release jobs to run on release/eva-v* branch events.
  • Keeps tag events and manual workflow_dispatch working.
  • Resolves RELEASE_TAG safely for branch, tag, and manual-dispatch events.
  • Keeps the existing version/tag validation intact.

Validation

  • Local focused check: git diff --check passed.
  • GitHub CI/release workflow will validate the actual branch behavior after merge by re-running release/eva-v0.42.47.8.

Fleet Impact

No runtime code changes. This is release plumbing only; fleet rollout remains pinned to eva-v0.42.47.8 after the release assets are published.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD release workflow configuration to improve job orchestration and release tag resolution logic.

Note: This release contains only internal infrastructure updates with no user-facing changes.

coderabbitai Bot commented Jun 18, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7ebd666b-1681-40dc-85e5-7961fe25cc9f

📥 Commits

Reviewing files that changed from the base of the PR and between 0d6918b and 58c2fba.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
📝 Walkthrough

The release workflow's build and release jobs are updated to depend on the create-tag job, accept release/eva-v* branch triggers, and replace the top-level env: RELEASE_TAG derivation with a per-job "Resolve Eva release tag" step that computes, validates, and exports RELEASE_TAG via GITHUB_ENV.

Changes

Release Workflow Gating and Tag Resolution

Layer / File(s) | Summary
build job: create-tag dependency and expanded trigger condition (.github/workflows/release.yml) | jobs.build gains needs: create-tag and its if: condition is updated to run when create-tag is success or skipped, covering eva-v tags, release/eva-v* branches, and workflow_dispatch.
"Resolve Eva release tag" step in build and release jobs (.github/workflows/release.yml) | Both jobs replace the old env:-based RELEASE_TAG derivation with a new shell step that resolves the tag from workflow_dispatch input, release/eva-v* branch naming, or the current ref name, validates it against the eva-v* pattern, and writes RELEASE_TAG to GITHUB_ENV. jobs.release also expands its if: to include refs/heads/release/eva-v*.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • electricsheephq/eva-brain#173: Directly related — both PRs modify .github/workflows/release.yml to expand gating logic and tag resolution around the create-tag job and release/eva-v* branch triggers.

Poem

🐇 Hippity-hop through the pipeline I go,
Tags on branches now trigger the show!
create-tag runs first, then build takes the baton,
RELEASE_TAG resolved before the release is drawn.
No more empty pages, the binaries appear —
The fleet gets its assets, the rabbit cheers! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly identifies the main fix: enabling Eva release branch asset publishing for the release workflow.
Linked Issues check | ✅ Passed | The PR addresses all acceptance criteria from #178: enables release/eva-v* branch events for build and release jobs, preserves tag and manual dispatch support, and maintains version validation logic.
Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the release workflow automation. No unrelated modifications to runtime code or other systems are present.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 104-118: In the "Resolve Eva release tag" step, the template
expression ${{ inputs.tag_name }} is being directly interpolated into the bash
script, creating a template injection vulnerability. Fix this by defining
inputs.tag_name as an environment variable in the step's env section, then
reference that environment variable (such as $TAG_NAME) within the bash script
instead of using the direct template interpolation for the release_tag
assignment.
- Around line 61-75: The "Resolve Eva release tag" step has a template injection
vulnerability where ${{ inputs.tag_name }} is directly interpolated into the
shell script. To fix this, add an env section to the step that passes the input
as an environment variable (e.g., env: INPUT_TAG: ${{ inputs.tag_name }}), then
reference the environment variable in the shell script
(release_tag="$INPUT_TAG") instead of using the direct template interpolation.
This prevents arbitrary shell command injection through a malicious tag name
input.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9cf1a649-2263-49b9-8643-c91f1275c0ad

📥 Commits

Reviewing files that changed from the base of the PR and between ca749ef and 0d6918b.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
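
An added example, not code from this pull request or the project's release.yml: one way to write the tag resolution that the PR description ("Resolves RELEASE_TAG safely for branch, tag, and manual-dispatch events") and the two review comments above describe, with every untrusted value reaching the script as an argument fed from an environment variable. The function names, the precedence order, and the digits-and-dots allow-list are assumptions.

```shell
#!/bin/sh
# Added example (not the project's release.yml). The step would pass untrusted
# values through `env:` (e.g. INPUT_TAG: ${{ inputs.tag_name }}) and call:
#   export_release_tag "$GITHUB_EVENT_NAME" "$GITHUB_REF" "$GITHUB_REF_NAME" "$INPUT_TAG"

# Print the validated tag on stdout, or return 1 without echoing the value.
resolve_release_tag() {
  rt_event=$1; rt_ref=$2; rt_ref_name=$3; rt_input=$4

  # Assumed precedence: manual input, then release branch name, then ref name.
  if [ "$rt_event" = workflow_dispatch ] && [ -n "$rt_input" ]; then
    rt_tag=$rt_input
  else
    case "$rt_ref" in
      refs/heads/release/eva-v*) rt_tag=${rt_ref#refs/heads/release/} ;;
      *)                         rt_tag=$rt_ref_name ;;
    esac
  fi

  # Allow-list (assumed stricter than eva-v*): "eva-v", a digit, then only
  # digits and dots. Quotes, spaces, $(), ';' and newlines all fail here.
  case "$rt_tag" in
    eva-v[0-9]*) ;;
    *) echo "release tag rejected: not eva-v<digits.dots>" >&2; return 1 ;;
  esac
  case "${rt_tag#eva-v}" in
    *[!0-9.]*) echo "release tag rejected: not eva-v<digits.dots>" >&2; return 1 ;;
  esac
  printf '%s\n' "$rt_tag"
}

# Append RELEASE_TAG to the file named by GITHUB_ENV only after validation, so
# a value with an embedded newline cannot smuggle in a second variable.
export_release_tag() {
  rt_out=$(resolve_release_tag "$@") || return 1
  printf 'RELEASE_TAG=%s\n' "$rt_out" >> "$GITHUB_ENV"
}

# Constructed inputs: the page's tag, then a value carrying shell syntax.
for rt_sample in 'eva-v0.42.47.8' 'eva-v1.0; echo injected'; do
  if resolve_release_tag workflow_dispatch refs/heads/master master "$rt_sample" >/dev/null 2>&1
  then echo "accepted: $rt_sample"
  else echo "rejected: $rt_sample"
  fi
done
```

Because the script body contains no `${{ }}` expression, the runner never splices input text into the shell source; the value is only ever data inside a quoted variable.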

@100yenadmin 100yenadmin merged commit 8d3d3da into master Jun 18, 2026
27 checks passed
Successfully merging this pull request may close these issues.

Release branch workflow creates source-only Eva tags without binary assets
