haydenk · haydenk · Mar 7, 2026 · Mar 1, 2026 · Mar 7, 2026 · Mar 7, 2026
diff --git a/.github/workflows/branch-policy.yml b/.github/workflows/branch-policy.yml
@@ -0,0 +1,33 @@
+name: Branch Policy
+
+on:
+  pull_request:
+    branches:
+      - master
+      - develop
+
+jobs:
+  validate-branch:
+    name: Validate Branch Policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch naming policy
+        run: |
+          TARGET="${{ github.base_ref }}"
+          SOURCE="${{ github.head_ref }}"
+
+          if [ "$TARGET" = "master" ]; then
+            if [[ "$SOURCE" != release/* && "$SOURCE" != hotfix/* ]]; then
+              echo "PRs to master must come from release/* or hotfix/* branches (got: $SOURCE)"
+              exit 1
+            fi
+          fi
+
+          if [ "$TARGET" = "develop" ]; then
+            if [[ "$SOURCE" != feature/* && "$SOURCE" != bugfix/* && "$SOURCE" != chore/* && "$SOURCE" != "master" ]]; then
+              echo "PRs to develop must come from feature/*, bugfix/*, chore/*, or master branches (got: $SOURCE)"
+              exit 1
+            fi
+          fi
+
+          echo "Branch policy check passed ($SOURCE -> $TARGET)"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,15 +2,17 @@ name: CI
 
 on:
   push:
-    branches:
-      - master
-      - develop
-      - "release/**"
-      - "hotfix/**"
+    branches: [master, develop, 'release/**', 'hotfix/**']
+    paths-ignore:
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'LICENSE'
   pull_request:
-    branches:
-      - master
-      - develop
+    branches: [master, develop]
+    paths-ignore:
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'LICENSE'
 
 permissions:
   contents: read
@@ -20,17 +22,17 @@ defaults:
     shell: bash
 
 jobs:
-  build:
-    name: Build
+  test:
+    name: Build & Test
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
 
-      - name: Setup dependencies
-        uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3
+      - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 
-      - name: Build and test
+      - name: Build
         env:
           HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
         run: mise run test

diff --git a/.github/workflows/gitflow-release.yml b/.github/workflows/gitflow-release.yml
@@ -0,0 +1,66 @@
+name: GitFlow Release
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - master
+
+jobs:
+  tag-and-backmerge:
+    if: |
+      github.event.pull_request.merged == true &&
+      (startsWith(github.event.pull_request.head.ref, 'release/') ||
+       startsWith(github.event.pull_request.head.ref, 'hotfix/'))
+    name: Tag & Back-merge
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          ref: master
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from branch name
+        id: version
+        run: |
+          branch="${{ github.event.pull_request.head.ref }}"
+          version="${branch#release/}"
+          version="${version#hotfix/}"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Create and push tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          if git rev-parse "v${{ steps.version.outputs.version }}" >/dev/null 2>&1; then
+            echo "Tag v${{ steps.version.outputs.version }} already exists, skipping."
+          else
+            git tag "v${{ steps.version.outputs.version }}"
+            git push origin "v${{ steps.version.outputs.version }}"
+          fi
+
+      - name: Create back-merge branch
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "chore/back-merge-${{ steps.version.outputs.version }}"
+          git push origin "chore/back-merge-${{ steps.version.outputs.version }}"
+
+      - name: Open back-merge PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create \
+            --base develop \
+            --head "chore/back-merge-${{ steps.version.outputs.version }}" \
+            --title "chore: back-merge master into develop after v${{ steps.version.outputs.version }}" \
+            --body "Automated back-merge of \`master\` into \`develop\` following the \`${{ github.event.pull_request.head.ref }}\` release." \
+            --label "chore" || true
+          gh pr merge "chore/back-merge-${{ steps.version.outputs.version }}" \
+            --auto \
+            --merge \
+            --delete-branch
diff --git a/.github/workflows/label-issues.yml b/.github/workflows/label-issues.yml
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,21 +1,52 @@
-name: Label PRs
+name: Labeler
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened]
+  issues:
+    types: [opened, edited]
 
 permissions:
   contents: read
+  issues: write
   pull-requests: write
 
 jobs:
-  label:
-    name: Label by changed files
+  # ── Label PRs by changed files ───────────────────────────────────────────────
+  label-pr:
+    name: Label PR
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - name: Apply labels
-        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           configuration-path: .github/labeler.yml
-          sync-labels: true
+          sync-labels: false
+
+  # ── Label issues by title prefix ─────────────────────────────────────────────
+  label-issue:
+    name: Label Issue
+    if: github.event_name == 'issues'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Apply label from title prefix
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NUMBER: ${{ github.event.issue.number }}
+          TITLE: ${{ github.event.issue.title }}
+        run: |
+          title=$(echo "$TITLE" | tr '[:upper:]' '[:lower:]')
+          label=""
+
+          case "$title" in
+            bug:*|fix:*)            label="bug" ;;
+            feat:*|feature:*)       label="enhancement" ;;
+            question:*)             label="question" ;;
+            docs:*)                 label="docs" ;;
+            chore:*|ci:*)           label="ci" ;;
+          esac
+
+          if [ -n "$label" ]; then
+            gh issue edit "$NUMBER" --repo "${{ github.repository }}" --add-label "$label"
+          fi