From bbc3cbae4e00579be1ed2a17f7a5d22021166e34 Mon Sep 17 00:00:00 2001
From: smueller <smueller+vm@hexahost.de>
Date: Fri, 29 May 2026 10:42:08 +0200
Subject: [PATCH] Update README and workflows for release process: Clarified
 branch usage and workflow steps in README.md, emphasizing the new `ci` branch
 for integration. Adjusted Gitea and GitHub workflows to reflect the change
 from `dev` to `ci` for triggering release builds, ensuring a streamlined and
 consistent obfuscation process for production assets.

---
 .gitea/workflows/obfuscate-main.yml  | 39 ++++++++++++----------------
 .github/workflows/obfuscate-main.yml | 39 ++++++++++++----------------
 README.md                            | 31 +++++++++++++++++-----
 3 files changed, 56 insertions(+), 53 deletions(-)

diff --git a/.gitea/workflows/obfuscate-main.yml b/.gitea/workflows/obfuscate-main.yml
index fe15351..bdb9c15 100644
--- a/.gitea/workflows/obfuscate-main.yml
+++ b/.gitea/workflows/obfuscate-main.yml
@@ -1,9 +1,9 @@
-name: Release Build (dev → main)
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - dev
+      - ci
   workflow_dispatch:
 
 env:
@@ -16,29 +16,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout (volle History)
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
-          ref: dev
-
-      - name: Merge dev in CI-Workspace (Basis main)
-        env:
-          GITEA_TOKEN: ${{ github.token }}
-        run: |
-          git config user.name "gitea-actions"
-          git config user.email "actions@local"
-          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
-          git fetch origin main dev
-
-          if git show-ref --verify --quiet refs/remotes/origin/main; then
-            git checkout -B main origin/main
-            git merge origin/dev -X theirs --no-edit -m "ci: merge dev for release build"
-          else
-            echo "main branch missing, initializing from dev"
-            git checkout -B main origin/dev
-          fi
+          ref: ci
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -60,10 +43,20 @@ jobs:
           git config user.name "gitea-actions"
           git config user.email "actions@local"
           git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
             echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push origin main
+
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"
diff --git a/.github/workflows/obfuscate-main.yml b/.github/workflows/obfuscate-main.yml
index 1b87e0d..5ac6a20 100644
--- a/.github/workflows/obfuscate-main.yml
+++ b/.github/workflows/obfuscate-main.yml
@@ -1,10 +1,10 @@
 # Hinweis: Gitea nutzt .gitea/workflows/obfuscate-main.yml (identischer Ablauf).
-name: Release Build (dev → main)
+name: Release Build (ci → main)
 
 on:
   push:
     branches:
-      - dev
+      - ci
   workflow_dispatch:
 
 env:
@@ -17,29 +17,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout (volle History)
+      - name: Checkout ci (Integration)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
-          ref: dev
-
-      - name: Merge dev in CI-Workspace (Basis main)
-        env:
-          GITEA_TOKEN: ${{ github.token }}
-        run: |
-          git config user.name "gitea-actions"
-          git config user.email "actions@local"
-          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
-          git fetch origin main dev
-
-          if git show-ref --verify --quiet refs/remotes/origin/main; then
-            git checkout -B main origin/main
-            git merge origin/dev -X theirs --no-edit -m "ci: merge dev for release build"
-          else
-            echo "main branch missing, initializing from dev"
-            git checkout -B main origin/dev
-          fi
+          ref: ci
 
       - name: Setup Python
         uses: actions/setup-python@v5
@@ -61,10 +44,20 @@ jobs:
           git config user.name "gitea-actions"
           git config user.email "actions@local"
           git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main ci
+
           git add -A
           if git diff --cached --quiet; then
             echo "No release changes to publish."
             exit 0
           fi
-          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push origin main
+
+          TREE=$(git write-tree)
+          MSG="chore(release): obfuscate and hash production assets [skip ci]"
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            PARENT=$(git rev-parse origin/main)
+            COMMIT=$(git commit-tree "$TREE" -p "$PARENT" -m "$MSG")
+          else
+            COMMIT=$(git commit-tree "$TREE" -m "$MSG")
+          fi
+          git push origin "${COMMIT}:refs/heads/main"
diff --git a/README.md b/README.md
index 0c497f1..44c690f 100644
--- a/README.md
+++ b/README.md
@@ -169,16 +169,33 @@ Für den Produktivbetrieb `public/` als Webroot konfigurieren.
 | Branch | Zweck |
 |--------|--------|
 | **`dev`** | Entwicklung (lesbarer Code, Kommentare) |
-| **`main`** | Release/Produktion (obfuskiert, gehashte Assets) |
+| **`ci`** | Integration (du mergst `dev` hierher) |
+| **`main`** | Release/Produktion (obfuskiert, gehashte Assets — nur per Pipeline) |
 
-**Workflow:** Nur auf `dev` entwickeln und pushen — **nicht** `dev` manuell nach `main` mergen.
+**Ablauf: `dev` → `ci` → `main`**
 
-Bei jedem Push auf `dev` startet `.gitea/workflows/obfuscate-main.yml`:
+1. Auf **`dev`** entwickeln und pushen
+2. **`dev` nach `ci` mergen** (manuell, z. B. in Gitea oder lokal)
+3. **`ci` pushen** → startet `.gitea/workflows/obfuscate-main.yml`
+4. Pipeline obfuskiert im Runner-Workspace und publiziert nach **`main`**
 
-1. Checkout in temporärem Runner-Workspace
-2. `dev` in CI mit `main` mergen (`-X theirs`, dev-Inhalte bei Konflikten)
-3. Obfuscation-Build (`scripts/obfuscate_release.py --hash-assets`)
-4. Ergebnis nach `main` pushen (Bot-Commit mit `[skip ci]`)
+```powershell
+# Nach fertigen Änderungen auf dev:
+git checkout ci
+git pull origin ci
+git merge dev
+git push origin ci
+```
+
+Bei jedem Push auf **`ci`**:
+
+1. Checkout von `ci` im temporären Runner-Workspace
+2. Obfuscation-Build (`scripts/obfuscate_release.py --hash-assets`)
+3. Ergebnis nach `main` pushen (Bot-Commit mit `[skip ci]`)
+
+**Nicht** `dev` oder `ci` direkt nach `main` mergen. Der Branch **`ci` bleibt lesbar** — Obfuscation wird nur nach `main` publiziert.
+
+`ci`-Branch einmalig anlegen (falls noch nicht vorhanden): `git checkout -b ci dev && git push -u origin ci`
 
 Der Build führt aus: