fix(ci): robuste artefakt- und release-stabilisierung gegen flakes

[tomtastisch]

Ziel & Scope

Dieses PR haertet die CI/Release-Stabilitaet gegen externe Plattform-Flakes (Artifact-403, API-Transienten) und reduziert False-Negatives bei der NuGet-Postpublish-Konvergenz, ohne Fail-Closed-Prinzip aufzugeben.

Umgesetzte Aufgaben (abhaken)

• Neuer Retry-Downloader fuer CI-Artefakte implementiert: tools/ci/bin/download_artifacts_with_retry.sh.
• summary-Job in /.github/workflows/ci.yml von 13 Einzel-download-artifact Schritten auf robusten Retry-Download umgestellt.
• Least-Privilege erweitert: actions: read in CI-Workflow fuer gh run download.
• Release-Workflow gegen nicht-kritische Artifact-Upload-Flakes gehaertet (continue-on-error fuer Evidence-Uploads).
• GitHub-Release-Upsert mit Retry+Backoff+Reason-Codes robust gemacht (tools/ci/release/upsert_github_release.sh).
• Gate4-NuGet-Verifikation um stabilen V2-Download-Check erweitert (tools/ci/verify_nuget_release.sh).
• Gate4-Wrapper auf weniger labiles Default-Signal umgestellt (Registration/Flatcontainer optional, V2-Download blocker).

Nachbesserungen aus Review (iterativ)

• Kommentar und Verhalten im Gate4 auf Betriebsrealitaet (eventual consistency / False-Negatives) dokumentiert.
• Alle Aenderungen fail-closed bewertet (kein stilles Bypass fuer blocker-relevante Fachpruefungen).
• Script-Syntax fuer alle betroffenen Shell-Skripte verifiziert.

Security- und Merge-Gates

• Required Checks werden vor Merge vollstaendig gruen abgewartet.
• Live-API-Aufruf im Release-Upsert hat jetzt deterministische Retry-/Reason-Logik.
• security/code-scanning/tools: Pflichtziel fuer Merge bleibt 0 offene Alerts.

Evidence (auditierbar)

• bash -n tools/ci/bin/download_artifacts_with_retry.sh
• bash -n tools/ci/release/upsert_github_release.sh
• bash -n tools/ci/release/gate4_verify_postpublish.sh
• bash -n tools/ci/verify_nuget_release.sh
• GITHUB_REPOSITORY=tomtastisch/FileClassifier bash tools/ci/bin/download_artifacts_with_retry.sh 22144970647 "ci-build=<tmp>" "ci-pack=<tmp>"
• EXPECTED_VERSION=5.2.1 PKG_ID=Tomtastisch.FileClassifier PKG_VER=5.2.1 VERIFY_ONLINE=1 REQUIRE_SEARCH=0 REQUIRE_REGISTRATION=0 REQUIRE_FLATCONTAINER=0 REQUIRE_V2_DOWNLOAD=1 RETRY_COUNT=2 RETRY_SLEEP_SECONDS=1 bash tools/ci/verify_nuget_release.sh
• Diff-Dateien: /.github/workflows/ci.yml, /.github/workflows/release.yml, /tools/ci/release/upsert_github_release.sh, /tools/ci/release/gate4_verify_postpublish.sh, /tools/ci/verify_nuget_release.sh, /tools/ci/bin/download_artifacts_with_retry.sh

DoD (mindestens 2 pro Punkt)

Punkt	DoD A	DoD B	Status
Artifact-Download-Robustheit in CI	summary nutzt Retry-Downloader statt Einzel-Downloads	Retry-Skript lokal gegen echte Run-Artefakte erfolgreich ausgefuehrt	[x]
Release-API-Robustheit	Upsert-Skript enthaelt Retry/Backoff/Reason-Codes (`auth	rate-limit	network
NuGet-Konvergenz-Stabilitaet	verify_nuget_release.sh unterstuetzt REQUIRE_V2_DOWNLOAD	V2-Download-Check fuer 5.2.1 erfolgreich nachgewiesen	[x]

• Review-Nachbesserung: require_v2_download in JSON-Summary aufgenommen.
• Review-Nachbesserung: V2-Download-URL auf lowercase package id umgestellt.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4aa27593b6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Copilot]

Pull request overview

This PR enhances CI/Release pipeline stability by adding retry mechanisms and adjusting verification strategies to handle transient platform failures ("flakes") while maintaining fail-closed behavior.

Changes:

• Introduces robust artifact download mechanism with exponential backoff retry for CI summary job
• Implements GitHub Release API retry logic with reason classification (auth/rate-limit/network/5xx)
• Shifts NuGet post-publish verification from slower registration endpoint to more reliable V2 download endpoint

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tools/ci/bin/download_artifacts_with_retry.sh	New retry-enabled artifact downloader with exponential backoff (6 attempts by default)
.github/workflows/ci.yml	Refactors summary job from 13 individual download-artifact actions to single retry script; adds actions: read permission
.github/workflows/release.yml	Makes evidence artifact uploads non-blocking with continue-on-error: true
tools/ci/release/upsert_github_release.sh	Adds retry/backoff with reason classification; fails fast on auth errors
tools/ci/release/gate4_verify_postpublish.sh	Changes defaults: registration=0, flatcontainer=0, v2_download=1 to use more stable endpoint
tools/ci/verify_nuget_release.sh	Implements V2 download check via /api/v2/package endpoint with retry support

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:40

• Incomplete artifact upload configuration: The tag-gate artifact upload has continue-on-error: true added on line 40, but the if-no-files-found parameter on line 43 (visible in context, not shown in diff) still uses error. This is inconsistent with the attestation verification artifact upload (lines 223-228) which correctly changes both settings. When making an artifact upload non-blocking with continue-on-error: true, the if-no-files-found should also be changed to warn to ensure the step doesn't fail if no files are found. Otherwise, the combination could still cause the step to fail, which contradicts the intent of making it non-blocking for flake resilience.

        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4