Push release assets to a separate branch for CORS

[puddly]

Due to https://github.com/orgs/community/discussions/45446, we cannot use the GitHub API from the browser context to download release assets (even though all other API requests are permitted). To work around this until a more permanent solution is found, we will upload release assets as files to a separate releases branch that can paradoxically be fetched.

[Copilot]

Pull request overview

Adds a GitHub Actions job to mirror GitHub Release assets into a dedicated releases branch, enabling browser-based fetching of assets despite GitHub API CORS restrictions.

Changes:

• Introduces a sync-releases-branch job that downloads release assets via gh release download.
• Copies downloaded assets into a tag-named directory on the releases branch and pushes the update.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Consider serializing this job with a concurrency group (e.g., per releases branch) to avoid push/rebase conflicts if multiple release workflows (or reruns) run at the same time and try to update the same branch.

[Copilot]

git add "${{ github.event.release.tag_name }}" can misbehave if a tag name ever begins with - (it may be parsed as an option). Use a variable and pass paths with -- (e.g., git add -- "$tag") to make option-parsing unambiguous.

Suggested change

	git add "${{ github.event.release.tag_name }}"
	tag="${{ github.event.release.tag_name }}"
	git add -- "$tag"

[Copilot]

git commit --allow-empty will create empty commits on reruns even when the downloaded assets are unchanged, which can unnecessarily bloat the releases branch history. Consider only committing/pushing when there are staged changes (skip the commit when the working tree is clean).

Suggested change

	git commit --allow-empty -m "Sync release assets for ${{ github.event.release.tag_name }}"
	if ! git diff --cached --quiet; then
	git commit -m "Sync release assets for ${{ github.event.release.tag_name }}"
	else
	echo "No changes to commit for ${{ github.event.release.tag_name }}; skipping commit."
	fi

[Copilot]

actions/checkout defaults to a shallow clone. Because this job later runs git pull --rebase, a shallow history can cause rebase/pull failures when the remote branch has advanced beyond the fetched depth. Set fetch-depth: 0 (or a sufficiently large depth) on this checkout to make the subsequent rebase reliable.

Suggested change

	path: releases_branch
	path: releases_branch
	fetch-depth: 0

[Copilot]

Using a fixed sleep 10 to wait for release assets is brittle; release asset availability can take longer and cause intermittent failures. Replace the sleep with a small retry loop/backoff around gh release download (and fail with a clear message after N attempts).

Suggested change

	sleep 10
	gh release download "${{ github.event.release.tag_name }}" \
	--repo "${{ github.repository }}" \
	--dir artifacts_release \
	--clobber
	max_attempts=5
	delay=10
	attempt=1
	while [ "$attempt" -le "$max_attempts" ]; do
	echo "Attempt $attempt/$max_attempts: downloading release assets for tag '${{ github.event.release.tag_name }}'..."
	if gh release download "${{ github.event.release.tag_name }}" \
	--repo "${{ github.repository }}" \
	--dir artifacts_release \
	--clobber; then
	echo "Successfully downloaded release assets."
	break
	fi
	if [ "$attempt" -eq "$max_attempts" ]; then
	echo "Failed to download release assets for tag '${{ github.event.release.tag_name }}' after $max_attempts attempts." >&2
	exit 1
	fi
	echo "Download failed; retrying in ${delay}s..."
	sleep "$delay"
	attempt=$((attempt + 1))
	delay=$((delay * 2))
	done