release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish

.github/workflows/release-on-version.yml

@@ -55,17 +55,45 @@ jobs:
             echo "exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Build zip artifact
+      - name: Build zip artifact (stamped)
         if: steps.tagcheck.outputs.exists == 'false'
         shell: bash
         run: |
           set -euo pipefail
-          ZIP="FileRise-${{ steps.ver.outputs.version }}.zip"
-          zip -r "$ZIP" . \
-            -x "./.git/*" "./.github/*" \
-               "./resources/*" "./resources/**" \
-               "./.dockerignore" "./.gitattributes" "./.gitignore" \
-               "$ZIP" "${ZIP}.sha256" >/dev/null
+          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.12
+          ZIP="FileRise-${VER}.zip"
+
+          # Clean staging copy (exclude dotfiles you don’t want)
+          rm -rf staging
+          rsync -a \
+            --exclude '.git' --exclude '.github' \
+            --exclude 'resources' \
+            --exclude '.dockerignore' --exclude '.gitattributes' --exclude '.gitignore' \
+            ./ staging/
+
+          # Stamp IN THE STAGING COPY
+          ./scripts/stamp-assets.sh "${VER}" "$(pwd)/staging"
+
+      - name: Verify placeholders are gone (staging)
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          ROOT="$(pwd)/staging"
+          if grep -R -n "{{APP_QVER}}\|{{APP_VER}}" "$ROOT" --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
+            echo "ERROR: Found unreplaced placeholders above in staging."
+            exit 1
+          fi
+          echo "OK: No unreplaced placeholders in staging."
+
+      - name: Zip stamped staging
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"
+          ZIP="FileRise-${VER}.zip"
+          (cd staging && zip -r "../$ZIP" . >/dev/null)
 
       - name: Compute SHA-256 checksum
         if: steps.tagcheck.outputs.exists == 'false'
@@ -127,12 +155,12 @@ jobs:
           SHA="${{ steps.sum.outputs.sha }}"
 
           {
-            echo "## ${VER}"
             echo
             if [[ -s CHANGELOG_SNIPPET.md ]]; then
               cat CHANGELOG_SNIPPET.md
               echo
             fi
+            echo "## ${VER}"
             echo "### Full Changelog"
             echo "[${PREV} → ${VER}](${COMPARE_URL})"
             echo

.github/workflows/sync-changelog.yml

@@ -32,7 +32,7 @@ jobs:
             echo "No release(vX.Y.Z) tag in commit message; skipping bump."
           fi
 
-      - name: Update public/js/version.js
+      - name: Update public/js/version.js (source of truth)
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
@@ -42,43 +42,20 @@ jobs:
           window.APP_VERSION = '${{ steps.ver.outputs.version }}';
           EOF
 
-      - name: Stamp asset cache-busters (?v=...) in HTML/CSS and {{APP_VER}} everywhere
-        if: steps.ver.outputs.version != ''
-        shell: bash
-        run: |
-          set -euo pipefail
-          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.9
-          QVER="${VER#v}"                         # e.g. 1.6.9
-          echo "Stamping ?v=${QVER} and {{APP_VER}}=${VER}"
+      # ✂️ REMOVED: repo stamping of HTML/CSS/JS
 
-          # 1) Only stamp ?v= in HTML/CSS (avoid JS concatenation issues)
-          mapfile -t html_css < <(git ls-files -- 'public/*.html' 'public/**/*.html' 'public/*.php' 'public/**/*.css')
-          for f in "${html_css[@]}"; do
-            sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          # 2) For JS, only replace the {{APP_VER}} placeholder (do NOT touch ?v=)
-          mapfile -t jsfiles < <(git ls-files -- 'public/*.js' 'public/**/*.js')
-          for f in "${jsfiles[@]}"; do
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          echo "Changed files:"
-          git status --porcelain | awk '{print $2}' | sed 's/^/  - /'
-
-      - name: Commit version bump + stamped assets
+      - name: Commit version.js only
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
           set -euo pipefail
           git config user.name  "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add public/js/version.js public
+          git add public/js/version.js
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore(release): set APP_VERSION and stamp assets to ${{ steps.ver.outputs.version }} [skip ci]"
+            git commit -m "chore(release): set APP_VERSION to ${{ steps.ver.outputs.version }} [skip ci]"
             git push
           fi
 
@@ -110,6 +87,6 @@ jobs:
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore: sync CHANGELOG.md and VERSION (${{ steps.ver.outputs.version }}) from FileRise"
+            git commit -m "chore: sync CHANGELOG.md + VERSION (${{ steps.ver.outputs.version }}) from FileRise"
             git push origin main
           fi