ci: auto-dispatch bridge asset publishes

[leehack]

Summary

• Adds a guarded CI follow-up job that dispatches publish_assets.yml after successful main pushes only when llama_cpp.version changed.
• Extends publish_assets.yml with assets_tag=auto and source_ref so CI-dispatched publishes build the exact source SHA that already passed main CI and resolve the next patch assets tag inside serialized publish concurrency.
• Updates maintainer/user docs and the CI reliability contract for the new auto-publish handoff.

Safety / behavior notes

• PR CI never publishes assets; the dispatch job is gated to push on refs/heads/main and has job-scoped actions: write.
• Automatic publishes pass source_ref=${GITHUB_SHA} and require a full source SHA for assets_tag=auto.
• Publish runs are serialized with publish-bridge-assets concurrency so manual and CI-dispatched publishes do not race tag allocation.
• llama_cpp_tag remains unset for auto-publish, so the publish reads the merged llama_cpp.version from the validated source checkout.

Test Plan

• python3 -m py_compile scripts/verify_ci_reliability.py
• python3 scripts/verify_ci_reliability.py
• npm run check:js
• go run github.com/rhysd/actionlint/cmd/actionlint@latest -color=false .github/workflows/ci.yml .github/workflows/publish_assets.yml .github/workflows/auto_llama_cpp_update.yml
• git diff --check
• Bash syntax extraction for the updated workflow shell blocks
• Local resolve-parameters simulation for assets_tag=auto (resolved current latest assets release v0.1.16 to v0.1.17)
• Independent review completed; blocker findings were fixed and re-reviewed cleanly

[Copilot]

Pull request overview

Adds an automated handoff from CI to the asset publishing workflow on successful main pushes, guarded so it only triggers when llama_cpp.version changes and so the publish workflow builds the exact already-validated source SHA.

Changes:

• Added a dispatch-publish-assets job in .github/workflows/ci.yml that dispatches publish_assets.yml only for successful main pushes where llama_cpp.version changed.
• Extended .github/workflows/publish_assets.yml to accept source_ref, support assets_tag=auto, resolve the next patch tag, and serialize publishes via workflow concurrency while propagating resolved values across jobs.
• Updated reliability-contract checks and maintainer/user docs to reflect the new CI→publish flow.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
scripts/verify_ci_reliability.py	Extends the CI reliability contract to assert the new dispatch job behavior, source_ref support, auto tag resolution, and publish concurrency.
.github/workflows/ci.yml	Adds a guarded post-CI dispatch job (job-scoped actions: write) that triggers asset publishing only when llama_cpp.version changed on main push.
.github/workflows/publish_assets.yml	Adds source_ref, implements assets_tag=auto resolution, propagates resolved outputs, and serializes publishes via concurrency.
README.md	Documents the new automatic publish path after merging a llama_cpp.version change.
CONTRIBUTING.md	Documents CI-dispatched publishing behavior and reinforces that PR CI must never publish assets.
AGENTS.md	Updates maintainer/agent docs to describe the new CI gate and publish serialization/inputs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.