release: promote develop to main (billing, landing, CI, CalVer tooling)

.eslintrc.js

@@ -20,7 +20,8 @@ module.exports = {
   },
   plugins: ['@typescript-eslint'],
   rules: {
-    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+    // varsIgnorePattern covers _prefixed destructured variables (e.g. const { _unused, ...rest } = obj)
+    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_', varsIgnorePattern: '^_' }],
     '@typescript-eslint/no-explicit-any': 'warn',
     '@typescript-eslint/explicit-function-return-type': 'off',
     '@typescript-eslint/explicit-module-boundary-types': 'off',

.github/workflows/check-csp-hash.yml

@@ -0,0 +1,32 @@
+name: Check CSP Hash
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+    paths:
+      - 'apps/web/index.html'
+      - 'infra/aws/pr-preview-stack.yml'
+      - 'scripts/check-csp-hash.mjs'
+  pull_request:
+    paths:
+      - 'apps/web/index.html'
+      - 'infra/aws/pr-preview-stack.yml'
+      - 'scripts/check-csp-hash.mjs'
+      - '.github/workflows/check-csp-hash.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  check-csp-hash:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+      - name: Verify CSP inline-script hash
+        run: node scripts/check-csp-hash.mjs

.github/workflows/check-merge-strategy.yml

@@ -2,15 +2,15 @@ name: Check Merge Strategy
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened, ready_for_review, edited]
 
 permissions:
   pull-requests: write
   issues: write
 
 jobs:
   check-merge-strategy:
-    if: github.base_ref == 'main'
+    if: github.base_ref == 'main' && (github.event.action != 'edited' || github.event.changes.base)
     runs-on: ubuntu-latest
     steps:
       - name: Add merge strategy reminder comment

.github/workflows/deploy-staging.yml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: read
   id-token: write
+  deployments: write
 
 concurrency:
   group: staging-deploy
@@ -146,6 +147,94 @@ jobs:
             --environment staging \
             --region "${AWS_REGION_VALUE}"
 
+      - name: Generate staging signed cookie bootstrap URL
+        id: signed_cookies
+        shell: bash
+        env:
+          CLOUDFRONT_SIGNING_KEY: ${{ secrets.CLOUDFRONT_SIGNING_KEY }}
+          CLOUDFRONT_SIGNING_KEY_ID: ${{ secrets.CLOUDFRONT_SIGNING_KEY_ID }}
+        run: |
+          set -euo pipefail
+          # secrets.* is not allowed in step `if:` — gate here (direct URL access when neither secret is set).
+          if [[ -z "${CLOUDFRONT_SIGNING_KEY:-}" && -z "${CLOUDFRONT_SIGNING_KEY_ID:-}" ]]; then
+            exit 0
+          fi
+          if [[ -z "${CLOUDFRONT_SIGNING_KEY:-}" || -z "${CLOUDFRONT_SIGNING_KEY_ID:-}" ]]; then
+            echo "::error::CLOUDFRONT_SIGNING_KEY and CLOUDFRONT_SIGNING_KEY_ID must both be set. Configure both secrets or neither."
+            exit 1
+          fi
+          STAGING_DOMAIN="staging.${DOMAIN}"
+          RESOURCE="https://${STAGING_DOMAIN}/*"
+          EXPIRY=$(date -u -d "+30 days" +%s)
+
+          POLICY_JSON=$(printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' \
+            "${RESOURCE}" "${EXPIRY}")
+
+          # CloudFront URL-safe base64: + → -, / → ~, = → _
+          CF_POLICY=$(printf '%s' "${POLICY_JSON}" | base64 -w0 | tr '+' '-' | tr '/' '~' | tr '=' '_')
+
+          # Sign with RSA-SHA1 (CloudFront signed cookies requirement)
+          KEY_FILE=$(mktemp); chmod 600 "${KEY_FILE}"
+          printf '%s' "${CLOUDFRONT_SIGNING_KEY}" > "${KEY_FILE}"
+          CF_SIGNATURE=$(printf '%s' "${POLICY_JSON}" | \
+            openssl dgst -sha1 -sign "${KEY_FILE}" | base64 -w0 | tr '+' '-' | tr '/' '~' | tr '=' '_')
+          rm -f "${KEY_FILE}"
+
+          BOOTSTRAP_URL="https://${STAGING_DOMAIN}/_preview-auth?policy=${CF_POLICY}&sig=${CF_SIGNATURE}&kid=${CLOUDFRONT_SIGNING_KEY_ID}&dest=/"
+          echo "BOOTSTRAP_URL=${BOOTSTRAP_URL}" >> "${GITHUB_OUTPUT}"
+          echo "STAGING_URL=https://${STAGING_DOMAIN}" >> "${GITHUB_OUTPUT}"
+
+      - name: Create GitHub Deployment (staging)
+        uses: actions/github-script@v7
+        env:
+          BOOTSTRAP_URL: ${{ steps.signed_cookies.outputs.BOOTSTRAP_URL }}
+          STAGING_URL: ${{ steps.signed_cookies.outputs.STAGING_URL || format('https://staging.{0}', env.DOMAIN) }}
+        with:
+          script: |
+            const environmentUrl = process.env.BOOTSTRAP_URL || process.env.STAGING_URL;
+            const deployment = await github.rest.repos.createDeployment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref: context.sha,
+              environment: 'staging',
+              auto_merge: false,
+              required_contexts: [],
+              description: 'Staging deployment',
+            });
+            if (deployment.data.id) {
+              await github.rest.repos.createDeploymentStatus({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                deployment_id: deployment.data.id,
+                state: 'success',
+                environment_url: environmentUrl,
+                description: 'Staging deployed',
+              });
+            }
+
+      - name: Write Actions run summary
+        shell: bash
+        env:
+          BOOTSTRAP_URL: ${{ steps.signed_cookies.outputs.BOOTSTRAP_URL }}
+          STAGING_URL: ${{ steps.signed_cookies.outputs.STAGING_URL || format('https://staging.{0}', env.DOMAIN) }}
+        run: |
+          set -euo pipefail
+          if [[ -n "${BOOTSTRAP_URL}" ]]; then
+            cat >> "${GITHUB_STEP_SUMMARY}" <<SUMMARY
+          ## Staging Deployment
+
+          **Access link (signed cookies):** ${BOOTSTRAP_URL}
+
+          > Click the link to set your access cookie, then browse staging normally. Expires in 30 days.
+          SUMMARY
+          else
+            cat >> "${GITHUB_STEP_SUMMARY}" <<SUMMARY
+          ## Staging Deployment
+
+          **Staging URL:** ${STAGING_URL}
+          SUMMARY
+          fi
+
   deploy-mobile-staging:
     if: vars.MOBILE_ENABLED != 'false'
     needs: [deploy-staging]