Merge ci-testing: publish to GJD registry on tag push

commit d6fa2986ec
Author: jutty <j@jutty.dev>
Date:   Sun Mar 1 03:18:50 2026 -0300

    Add tag and push-unsafe recipes to justfile

commit 6a239e1708
Author: jutty <j@jutty.dev>
Date:   Sun Mar 1 03:18:21 2026 -0300

    Update roadmap

commit a3da368573
Author: jutty <j@jutty.dev>
Date:   Thu Feb 26 20:56:48 2026 -0300

    Cleanup CI testing files

commit b56f53bdc2
Author: jutty <j@jutty.dev>
Date:   Thu Feb 26 20:17:10 2026 -0300

    CI: Adjust curl logging, add a job for internal networking tests

commit 435e478b01
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 02:35:20 2026 -0300

    CI: Move sha256sum calculation before registry upload

commit 727ea16769
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 01:51:05 2026 -0300

    CI: Add curl -f fail flag to extra tools binary fetching

commit 2ff7a6cf1b
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 01:48:00 2026 -0300

    CI: Make additional tooling move to /usr/local/bin verbose

commit bf88f86bce
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 01:40:32 2026 -0300

    CI: Adapt to cargo-audit outlier URL structure

commit 291081359e
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 01:29:13 2026 -0300

    CI: Deduplicate additional tool fetching

    While this moves the source of truth for CI tooling versions to
    somewhere outside the workflow definitions, it also avoids duplication
    and keeps debug (check.yaml) and production (publish.yaml) verifications
    fully independent.

commit 7d2a234fc3
Author: jutty <j@jutty.dev>
Date:   Wed Feb 25 00:32:51 2026 -0300

    Add cargo-audit security assessment

commit ed30ee7b75
Author: jutty <j@jutty.dev>
Date:   Thu Feb 19 02:06:42 2026 -0300

    CI: Add wildcard branch to check workflow

.justfile

@@ -134,13 +134,43 @@ cover-open:
 
 alias oo := cover-open
 
+# Tag HEAD with version from Cargo.toml
+[script, group: 'assess']
+tag: update && version-assess
+    last_tag=$(git describe --tags --abbrev=0 \
+        $(git rev-list --tags --max-count=1) | tr -d v)
+    manifest_version=$(grep '^version' Cargo.toml | cut -d \" -f 2)
+    lockfile_version=$(grep -A 1 'name = "en"' Cargo.lock |
+        grep version | cut -d '"' -f 2)
+
+    if [ "$last_tag" = "$manifest_version" ]; then
+        echo "Last tag $last_tag and manifest ($manifest_version) already match"
+        exit 1
+    elif [ "$manifest_version" != "$lockfile_version" ]; then
+        echo "Manifest and lockfile versions don't match: update failed?"
+        exit 1
+    fi
+
+    git tag "v$manifest_version" HEAD
+
 # Verify and push
 [group: 'develop']
 push: verify
     git push
+    git push --tags
 
 alias p := push
 
+# Push without verifying
+[group: 'develop']
+push-unsafe:
+    git push --no-verify
+    git push --tags --no-verify
+
+alias pu := push-unsafe
+
+# DOCUMENT
+
 # Generate crate documentation
 [group: 'document']
 doc:
@@ -229,13 +259,14 @@ verify:
         git status
         exit 1
     fi
-    {{ just_cmd }} update version-assess format-assess lint-assess check test cover-assess
+    {{ just_cmd }} update version-assess \
+        security-assess format-assess lint-assess check test cover-assess
 
 alias v := verify
 
 # Check tag-manifest consistency
 [script, group: 'assess']
-version-assess:
+version-assess: update
     last_tag=$(git describe --tags --abbrev=0 \
         $(git rev-list --tags --max-count=1) | tr -d v)
     manifest_version=$(grep '^version' Cargo.toml | cut -d \" -f 2)
@@ -252,6 +283,11 @@ version-assess:
 
 alias va := version-assess
 
+# Audit security advisories
+security-assess:
+    cargo audit --deny warnings
+alias sa := security-assess
+
 # BUILD
 
 # Cleanup build artifacts