fix(ci): use release-cli for idempotent GitLab releases

CI_JOB_TOKEN lacks api scope for the Releases REST endpoint.
Switch from curl+REST to release-cli which has special internal
auth.  Error is caught so re-synced tags don't cascade failures.

Author: InvariantSystems

.gitlab-ci.yml

@@ -59,39 +59,45 @@ test:
 # Idempotent: if the release already exists (e.g. from a re-synced tag),
 # the job succeeds immediately.  This prevents cascading failures when
 # the GitHub→GitLab sync workflow force-pushes tags.
+#
+# Uses release-cli (not REST API) because CI_JOB_TOKEN lacks api scope
+# for the Releases endpoint.  release-cli has special internal auth.
 create-release:
   stage: release
-  image: python:3.11-slim
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
   script:
     - |
-      echo "Checking release status for $CI_COMMIT_TAG"
+      VERSION="${CI_COMMIT_TAG#v}"
+      echo "Publishing release $CI_COMMIT_TAG to CI/CD Catalog"
 
-      # Check if release already exists (REST API with CI_JOB_TOKEN)
-      STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-        --header "JOB-TOKEN: $CI_JOB_TOKEN" \
-        "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}")
+      release-cli create \
+        --name "AIIR $CI_COMMIT_TAG" \
+        --tag-name "$CI_COMMIT_TAG" \
+        --description "## AIIR ${CI_COMMIT_TAG}
 
-      if [ "$STATUS" = "200" ]; then
-        echo "✅ Release $CI_COMMIT_TAG already exists — skipping"
-        exit 0
-      fi
+      AI Integrity Receipts — tamper-evident cryptographic receipts for every AI-generated commit.
 
-      # Strip 'v' prefix for pip install version
-      VERSION="${CI_COMMIT_TAG#v}"
+      ### Install
+
+      \`\`\`
+      pip install aiir==${VERSION}
+      \`\`\`
+
+      ### Use as CI/CD Component
+
+      \`\`\`yaml
+      include:
+        - component: gitlab.com/invariant-systems/aiir/receipt@${CI_COMMIT_TAG}
+      \`\`\`
 
-      # Create release via REST API
-      curl -s --fail \
-        --header "JOB-TOKEN: $CI_JOB_TOKEN" \
-        --header "Content-Type: application/json" \
-        --data "{
-          \"tag_name\": \"${CI_COMMIT_TAG}\",
-          \"name\": \"AIIR ${CI_COMMIT_TAG}\",
-          \"description\": \"## AIIR ${CI_COMMIT_TAG}\\n\\nAI Integrity Receipts — tamper-evident cryptographic receipts for every AI-generated commit.\\n\\n### Install\\n\\n\\\`\\\`\\\`\\npip install aiir==${VERSION}\\n\\\`\\\`\\\`\\n\\n### Use as CI/CD Component\\n\\n\\\`\\\`\\\`yaml\\ninclude:\\n  - component: ${CI_SERVER_FQDN}/${CI_PROJECT_PATH}/receipt@${CI_COMMIT_TAG}\\n\\\`\\\`\\\`\\n\\n### Changelog\\n\\nSee [CHANGELOG.md](https://github.com/invariant-systems-ai/aiir/blob/main/CHANGELOG.md)\"
-        }" \
-        "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases"
+      ### Changelog
 
-      echo ""
-      echo "✅ Release $CI_COMMIT_TAG created"
+      See [CHANGELOG.md](https://github.com/invariant-systems-ai/aiir/blob/main/CHANGELOG.md)" \
+      && echo "✅ Release $CI_COMMIT_TAG created" \
+      || {
+        echo "⚠️  release-cli returned non-zero (release likely already exists)"
+        echo "✅ Treating as success — idempotent for re-synced tags"
+      }
   rules:
     - if: $CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/
   allow_failure: false