Update DEV_WORKFLOW.md with Gitea token docs and release tag checking

Bunker Admin

DEV_WORKFLOW.md

@@ -262,7 +262,8 @@ docker compose exec api npx prisma migrate dev        # Create migration
 # ── Build & Publish ──
 ./scripts/build-and-push.sh                           # Build + push 4 images
 ./scripts/mirror-images.sh                            # Mirror 36 third-party images
-./scripts/build-release.sh --tag v2.2.0 --upload      # Package + upload release
+git tag --sort=-v:refname | head -3                   # Check latest version tags
+./scripts/build-release.sh --tag vX.Y.Z --upload      # Package + upload release
 
 # ── Deploy ──
 curl -fsSL .../install.sh | bash                      # New install (release)
@@ -276,13 +277,46 @@ docker compose ps                                     # Container status
 
 ---
 
+## Gitea API Tokens
+
+There are **two separate Gitea tokens** with different purposes. Using the wrong one is a common mistake:
+
+| Variable | Target | Used by | Create at |
+|----------|--------|---------|-----------|
+| `GITEA_REGISTRY_API_TOKEN` | Remote registry (`gitea.bnkops.com`) | `build-release.sh --upload`, release API calls | `https://gitea.bnkops.com/user/settings/applications` |
+| `GITEA_API_TOKEN` | Local Gitea instance | Docs comments, user provisioning, SSO | `http://localhost:3030/user/settings/applications` |
+
+**Key:** Release uploads and the Gitea Releases API require `GITEA_REGISTRY_API_TOKEN`. If you get `"user does not exist"` from the API, you're using the wrong token.
+
+---
+
 ## Checklist: Cutting a New Release
 
-1. [ ] All code changes committed and pushed to `v2` branch
+1. [ ] All code changes committed and pushed to `main` branch
 2. [ ] `docker compose up -d` works locally (smoke test)
-3. [ ] `./scripts/build-and-push.sh` — builds and pushes 4 production images
-4. [ ] `./scripts/mirror-images.sh` — only if third-party versions changed
-5. [ ] `./scripts/build-release.sh --tag vX.Y.Z --upload` — packages and uploads tarball
-6. [ ] Test clean install: `tar xzf ... && cd changemaker-lite && bash config.sh && docker compose up -d`
-7. [ ] Test upgrade: `./scripts/upgrade.sh` on an existing installation
-8. [ ] Verify: `curl http://localhost:4000/api/health` returns `{"status":"ok"}`
+3. [ ] **Determine version tag:**
+   ```bash
+   # Check the latest existing tag to pick the next version
+   git tag --sort=-v:refname | head -5
+   # Check commits since the last tag
+   git log $(git tag --sort=-v:refname | head -1)..HEAD --oneline
+   ```
+4. [ ] `./scripts/build-and-push.sh` — builds and pushes 4 production images
+5. [ ] `./scripts/mirror-images.sh` — only if third-party versions changed
+6. [ ] `./scripts/build-release.sh --tag vX.Y.Z --upload` — packages and uploads tarball
+7. [ ] **Add release notes** (via Gitea web UI or API):
+   ```bash
+   # Update release body via API (use GITEA_REGISTRY_API_TOKEN, not GITEA_API_TOKEN)
+   GITEA_TOKEN=$(grep -oP 'GITEA_REGISTRY_API_TOKEN=\K.*' .env)
+   # Find release ID
+   curl -s "https://gitea.bnkops.com/api/v1/repos/admin/changemaker.lite/releases?limit=1" \
+     -H "Authorization: token $GITEA_TOKEN" | python3 -c "import sys,json; r=json.load(sys.stdin)[0]; print(f'ID: {r[\"id\"]}, Tag: {r[\"tag_name\"]}')"
+   # Update with release notes (write JSON body to /tmp/release-notes.json first)
+   curl -s -X PATCH "https://gitea.bnkops.com/api/v1/repos/admin/changemaker.lite/releases/RELEASE_ID" \
+     -H "Authorization: token $GITEA_TOKEN" \
+     -H "Content-Type: application/json" \
+     -d @/tmp/release-notes.json
+   ```
+8. [ ] Test clean install: `tar xzf ... && cd changemaker-lite && bash config.sh && docker compose up -d`
+9. [ ] Test upgrade: `./scripts/upgrade.sh` on an existing installation
+10. [ ] Verify: `curl http://localhost:4000/api/health` returns `{"status":"ok"}`