Restored original license signing key from backup - key was never
compromised (private repo). Removes unnecessary dual-key complexity:
- Remove legacyPublicKey and SetLegacyPublicKey from license.go
- Simplify signature verification to single key
- Remove EmbeddedLegacyPublicKey from pubkey.go
- Remove PULSE_LICENSE_LEGACY_PUBLIC_KEY from Dockerfile and workflows
- Remove dual-key test
- Simplify mock.env
The staging images in preflight are intentionally amd64-only for speed,
but the publish workflow was just copying them instead of building
multi-arch. Now builds linux/amd64,linux/arm64 from source at publish.
Related to #868
- Remove 'release: published' triggers from publish-docker, promote-floating-tags, and helm-pages workflows
- All these workflows now only run via workflow_dispatch, triggered by create-release.yml in sequence
- Add image availability check in promote-floating-tags to wait for Docker images
- create-release.yml now dispatches: publish-docker, promote-floating-tags, helm-pages, update-demo-server
- This prevents the race condition where workflows triggered by release event run before Docker images are ready
- Update VERSION to 5.0.0-rc.1
- Add prerelease detection to create-release workflow
- Mark RC releases as prereleases on GitHub (not 'latest')
- Update publish-docker workflow to skip :latest tag for RCs
- Support -rc.N, -alpha.N, and -beta.N version suffixes
- Preflight builds multi-arch images to staging tags on GHCR
- Publish workflow just retags staging → final (no rebuild)
- Reduces publish time from ~10min to ~1min
Docker images now build only after release is published, not during
the draft creation phase. This prevents users from getting updates
before the release is reviewed and approved.
