ci: fix release build and nexus upload pipeline after 1.6

[SkrubbySkrubInAShrub]

Summary

Release-pipeline fixes surfaced while cutting v1.6.0 (the first release after
the dev recovery). CI/tooling/metadata only — no runtime or shader code. Typed
ci: so it won't trigger a release bump.

Fixes #2443, #2439.

Changes

• Auto-build releases (bug(ci): artifact build never auto-triggers on release tags ([skip ci] + draftRelease) #2443). Release tags sit on a [skip ci] commit and
  the release is a draft, so nothing triggered release-build — drafts had no
  artifacts until manually built. release-semantic now dispatches the build on
  the new tag (needs actions: write).

• No double build. Build runs once at draft creation; on publish only the
  Nexus dry-run runs, consuming the already-attached release assets instead of
  rebuilding. Also removes the old build-vs-Nexus race.

• Nexus multi-line description crash. The core file-description (a multi-line
  feature-version manifest) broke $GITHUB_OUTPUT with Invalid format '• HDR 1.0.2'. Switched to the heredoc-delimiter form.

• Prerelease tag cleanup (# bug(ci): maint-cleanup-releases.yaml regex never matches dotted rc.N prerelease tags #2439). The cleanup regex rc[0-9]+ never matched
  semantic-release's dotted rc.N tags, so orphaned RCs were never removed. Now
  allows the dot.

• Terrain Helper decoupled. It's activation-only (code lives in the core
  mod), but it auto-uploaded to Nexus with an invalid file-group id and got
  version-bumped on every .ini edit. Set autoupload = false and added a
  reusable AuditVersion = false opt-out (read by feature_version_audit.py).

Summary by CodeRabbit

• Chores
  • Prevented redundant artifact rebuilds during release publish by refining job gating.
  • Improved detection and cleanup of prerelease tags to match more prerelease variants.
  • Adjusted Nexus publication defaults (auto-upload disabled) and ensured multi-line file descriptions are handled.
  • Added workflow dispatch to trigger artifact builds when semantic release publishes a new release.
  • Added per-feature version-audit configuration and skip logic for features opting out.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9309aa02-99ef-4e79-9873-8e43d05ea52e

📥 Commits

Reviewing files that changed from the base of the PR and between 4bb7ee5 and 8ad0692.

📒 Files selected for processing (2)

• .github/workflows/release-semantic.yaml
• tools/feature_version_audit.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tools/feature_version_audit.py
• .github/workflows/release-semantic.yaml

---

📝 Walkthrough

Walkthrough

Refactors release automation to dispatch builds after semantic-release tag creation, gates build/post-release jobs by release action, rewires Nexus dry-run to run on published releases, broadens prerelease cleanup matching, switches Nexus description output to a heredoc, and adds a per-feature INI opt-out for version auditing.

Changes

Release Automation to Address #2443

Layer / File(s)	Summary
Semantic release dispatch trigger .github/workflows/release-semantic.yaml	Workflow permissions expanded to actions: write; new conditional step dispatches release-build.yaml after semantic-release completes, passing the release tag.
Build and deployment job gating .github/workflows/release-build.yaml	build job explicitly skips on release: published; feature-audit and post-release jobs exclude published actions; nexus-dry-run decoupled from build jobs and runs on release: published to consume release assets.
Nexus output and prerelease cleanup .github/workflows/nexus-upload.yaml, .github/workflows/maint-cleanup-releases.yaml	Nexus file description output switched to heredoc (description<<NEXUS_DESC_EOF) to embed multi-line content safely; prerelease orphaned tag regex broadened to match dotted variants (e.g., -rc.1).
Hotfix workflow comment .github/workflows/release-hotfix.yaml	Inline comment updated to state GITHUB_TOKEN is sufficient given declared pull-requests: write permissions.

Feature Audit Opt-Out Control

Layer / File(s)	Summary
Per-feature version audit configuration tools/feature_version_audit.py, features/Terrain Helper/Shaders/Features/TerrainHelper.ini	get_feature_ini_metadata() now defaults audit_version: True and parses AuditVersion/audit_version; analyze_features() skips features with AuditVersion = false; TerrainHelper INI sets AuditVersion = false and disables autoupload.

Sequence Diagram(s)

sequenceDiagram
  participant SemanticRelease as semantic-release
  participant ReleaseSemantic as release-semantic.yaml
  participant GH as GitHub Actions
  participant ReleaseBuild as release-build.yaml
  participant NexusDry as nexus-dry-run

  SemanticRelease->>ReleaseSemantic: produce new_release_published + new_release_git_tag
  ReleaseSemantic->>GH: gh workflow run release-build.yaml --ref refs/tags/TAG
  GH->>ReleaseBuild: start build job (dispatch/tag/draft)
  ReleaseBuild->>GH: attach artifacts to release (draft)
  GH->>NexusDry: nexus-dry-run reads release assets (on published)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• #2443: Implements dispatching the build after semantic-release tag/draft creation so artifacts populate without manual publish.
• #2439: Broadens the orphaned prerelease tag regex to match dotted prerelease suffixes like rc.N.

Possibly related PRs

• community-shaders/skyrim-community-shaders#1323: Related prerelease tag cleanup regex changes addressing similar tag-matching logic.
• ci: fix nexus upload pipeline and release auto-trigger #2252: Related Nexus upload adjustments for multi-line description handling and release asset semantics.
• ci: fix release-to-build-to-nexus workflow chain #2272: Related release-to-Nexus pipeline edits and trigger/wiring changes.

Suggested reviewers

• doodlum
• jiayev
• davo0411

Poem

"I’m a rabbit in the CI glade,
Hopping where the workflows played.
Tags now wake and builds are spun,
Nexus hums beneath the sun.
Audit flags rest — the checks are done."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: CI pipeline fixes for release build and Nexus upload after version 1.6.
Linked Issues check	✅ Passed	The PR implements the recommended fixes from #2443: auto-dispatches release-build from release-semantic, gates jobs properly to prevent double builds, and updates documentation comments.
Out of Scope Changes check	✅ Passed	All changes are scoped to CI workflows, tooling, and configuration metadata directly addressing the issues described in #2443 and #2439.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 actionlint (1.7.12)

.github/workflows/release-semantic.yaml

could not read ".github/workflows/release-semantic.yaml": open .github/workflows/release-semantic.yaml: no such file or directory

🔧 zizmor (1.25.2)

.github/workflows/release-semantic.yaml

INFO zizmor: 🌈 zizmor v1.25.2
fatal: no audit was performed
invalid input: .github/workflows/release-semantic.yaml

🔧 YAMLlint (1.38.0)

.github/workflows/release-semantic.yaml

[Errno 2] No such file or directory: '.github/workflows/release-semantic.yaml'

🔧 OpenGrep (1.22.0)

OpenGrep fatal error (exit code 2): [00.10][ERROR]: Error: exception Unix_error: No such file or directory stat tools/feature_version_audit.py
Raised by primitive operation at UTmp.replace_named_pipe_by_regular_file_if_needed in file "libs/commons/UTmp.ml", line 145, characters 8-27
Called from Scan_CLI.replace_target_roots_by_regular_files_where_needed.(fun) in file "src/osemgrep/cli_scan/Scan_CLI.ml", lines 1086-1087, characters 19-65
Called from List_.fast_map in file "libs/commons/List_.ml", line 81, characters 17-20
Called fr

🔧 Checkov (3.2.529)

.github/workflows/release-semantic.yaml

2026-05-31 11:48:00,140 [MainThread ] [ERROR] Template file not found: .github/workflows/release-semantic.yaml
2026-05-31 11:48:00,144 [MainThread ] [ERROR] Template file not found: .github/workflows/release-semantic.yaml
2026-05-31 11:48:00,159 [MainThread ] [ERROR] Template file not found: .github/workflows/release-semantic.yaml
2026-05-31 11:48:00,160 [MainThread ] [ERROR] Failed to invoke function /usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner. with .github/workflows/release-semantic.yaml
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 88, in func_wrapper
result = original_func(item)
^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/object_runner.py", line 74, in
results = parallel_runner.run_function(lambda f: (f, self._parse_file(f)), files_to_load)

... [truncated 9250 characters] ...

ess file .github/workflows/release-semantic.yaml
2026-05-31 11:48:00,191 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/checkov/common/runners/runner_registry.py", line 177, in run
for result in parallel_runner_results:
File "/usr/local/lib/python3.11/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 118, in _run_function_multiprocess_fork
raise v.internal_exception.with_traceback(v.internal_exception.traceback)
FileNotFoundError: [Errno 2] No such file or directory: '.github/workflows/release-semantic.yaml'

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

No actionable suggestions for changed features.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/release-semantic.yaml (1)

1-1: PR metadata polish for merge automation

Suggested title (<=50 chars): ci(release): fix draft tag build dispatch
If not already present in the PR body, add:

• Fixes #2443``
• Fixes #2439``

As per coding guidelines, "Conventional Commit Titles ... Format: type(scope): description ... Length: 50 characters limit for title" and "Issue References ... suggest adding appropriate GitHub keywords".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-semantic.yaml at line 1, Update the PR metadata to
follow the Conventional Commit title and include issue references: change the PR
title to "ci(release): fix draft tag build dispatch" and ensure the PR body
contains the lines "Fixes `#2443`" and "Fixes `#2439`" (add them if missing) so the
merge automation and issue tracking pick up the references per the repo
guidelines.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-semantic.yaml:
- Around line 184-185: Update the stale comment in the
".github/workflows/release-semantic.yaml" block that mentions "publishing the
draft re-runs the build" to reflect current behavior: publishing the draft does
NOT re-run the build because release-build.yaml skips the build on the "release:
published" event; locate the comment near the "draft with .7z artifacts" line
and replace the sentence so it clearly states that publishing the draft
publishes artifacts without triggering a rebuild (reference the "release:
published" event and "release-build.yaml" behavior).

In `@tools/feature_version_audit.py`:
- Around line 199-203: The AuditVersion parsing is inconsistent with AutoUpload
because an empty INI value currently evaluates to True; update the check in the
audit_version assignment (using audit_version_str, metadata['audit_version'],
and the section keys 'auditversion'/'audit_version') to treat empty string as
false like AutoUpload does—i.e., include '' in the false/exclusion tuple (or
explicitly check for empty string) so that AuditVersion = (empty) yields False.

---

Nitpick comments:
In @.github/workflows/release-semantic.yaml:
- Line 1: Update the PR metadata to follow the Conventional Commit title and
include issue references: change the PR title to "ci(release): fix draft tag
build dispatch" and ensure the PR body contains the lines "Fixes `#2443`" and
"Fixes `#2439`" (add them if missing) so the merge automation and issue tracking
pick up the references per the repo guidelines.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 51b8602e-10d3-413b-849c-f5739f0ff84c

📥 Commits

Reviewing files that changed from the base of the PR and between a1e53d4 and df5060f.

📒 Files selected for processing (6)

• .github/workflows/maint-cleanup-releases.yaml
• .github/workflows/nexus-upload.yaml
• .github/workflows/release-build.yaml
• .github/workflows/release-semantic.yaml
• features/Terrain Helper/Shaders/Features/TerrainHelper.ini
• tools/feature_version_audit.py