Prepare 0.5.0-dev release and harden CI

.github/workflows/ci.yml

@@ -5,39 +5,82 @@ on:
     branches: ["dev"]
   pull_request:
     branches: ["dev"]
+  workflow_dispatch:
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
-  test:
+  lint-and-test:
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: "3.11"
-
-      - name: Cache pip
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/pip
-          key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
-          restore-keys: |
-            ${{ runner.os }}-pip-
+          python-version: "3.13"
+          cache: "pip"
 
       - name: Install deps
         run: |
           python -m pip install --upgrade pip
           pip install -e ".[dev]"
 
-      - name: Run tests with coverage gate (85%)
+      - name: Verify vendored frontend assets
+        run: |
+          test -f app/static/vendor/js-yaml.js
+          test -f app/static/vendor/profiles_tailwind.css
+          test -f app/static/vendor/profiles_monaco.js
+          test -f app/static/vendor/profiles_monaco.css
+          test -f app/static/vendor/monaco-editor.worker.js
+          test -f app/static/vendor/monaco-json.worker.js
+          test -f app/static/vendor/monaco.LICENSE
+
+      - name: Ruff
+        run: |
+          ruff check .
+
+      - name: Guard legacy schema refs
+        run: |
+          if grep -RInE \
+            --exclude='20260330_upgrade_profiles_to_firefox149.py' \
+            --exclude='ci.yml' \
+            --exclude='test_migrations.py' \
+            --exclude='test_no_legacy_schema_refs.py' \
+            'release-148|esr-140\.8|firefox-release-148\.json|firefox-esr-140\.8\.json|firefox-esr140\.json|mozilla-policy-templates-v7\.8|release148' \
+            app tests tools .github README.md; then
+            echo "Legacy schema references found"
+            exit 1
+          fi
+
+      - name: Mypy
+        run: |
+          mypy app
+
+      - name: Pytest with coverage gate
         run: |
-          pytest
+          pytest \
+            --cov=app \
+            --cov-branch \
+            --cov-report=term-missing \
+            --cov-report=xml \
+            --cov-report=html \
+            --cov-fail-under=85 \
+            -W error::ResourceWarning
 
-      - name: Upload HTML coverage
+      - name: Upload coverage artifacts
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
-          name: htmlcov
-          path: htmlcov/
+          name: coverage-artifacts
+          path: |
+            coverage.xml
+            htmlcov/
+          if-no-files-found: warn

.github/workflows/firefox-live-amo.yml

@@ -0,0 +1,43 @@
+name: Firefox Live AMO Canary
+
+on:
+  schedule:
+    - cron: "30 2 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  firefox-live-amo:
+    name: Firefox Live AMO (${{ matrix.channel }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        channel:
+          - release
+          - esr
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+          cache: "pip"
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Setup isolated Firefox sandbox
+        run: |
+          bash tools/setup_firefox_live_browsers.sh "${{ matrix.channel }}"
+
+      - name: Run Firefox AMO canary tests
+        run: |
+          pytest -q tests/live_firefox/test_extension_settings_amo.py -m firefox_live_amo -rs

.github/workflows/firefox-live.yml

@@ -0,0 +1,42 @@
+name: Firefox Live Policy Tests
+
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  firefox-live:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        channel:
+          - release
+          - esr
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+          cache: "pip"
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+
+      - name: Setup isolated Firefox sandbox
+        run: |
+          bash tools/setup_firefox_live_browsers.sh "${{ matrix.channel }}"
+
+      - name: Run Firefox live tests
+        run: |
+          pytest -q tests/live_firefox/test_policy_activation.py tests/live_firefox/test_policy_behavior.py -m firefox_live -rs

.github/workflows/gist-snapshot.yml

@@ -1,61 +1,47 @@
-name: gist-snapshot
+name: Gist Snapshot
 
 on:
-    push:
-        branches: ["dev"]
-    workflow_dispatch:
+  workflow_dispatch:
 
 permissions:
-    contents: read
+  contents: read
+
+concurrency:
+  group: gist-snapshot-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-    test-and-publish-gist:
-        runs-on: ubuntu-latest
-
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v4
-              with:
-                  fetch-depth: 0
-
-            - name: Set up Python
-              uses: actions/setup-python@v5
-              with:
-                  python-version: "3.13"
-
-            - name: Install project (dev)
-              run: |
-                  python -m pip install --upgrade pip
-                  pip install -e .[dev]
-                  # ensure requests for gist script
-                  pip install requests
-
-            - name: Ruff + mypy (do not fail job)
-              continue-on-error: true
-              run: |
-                  ruff check .
-                  mypy app || true
-
-            - name: Run tests with coverage (do not fail job)
-              continue-on-error: true
-              run: |
-                  set -o pipefail
-                  pytest -q --maxfail=1 --disable-warnings \
-                    --cov=app --cov-report=term-missing:skip-covered \
-                    --cov-report=xml \
-                    | tee pytest-report.txt
-
-            - name: Publish snapshot to Secret Gist
-              env:
-                  GIST_TOKEN: ${{ secrets.GIST_TOKEN }}
-              run: |
-                  python tools/publish_to_gist.py
-
-            - name: Upload gist info artifact
-              uses: actions/upload-artifact@v4
-              with:
-                  name: gist-info
-                  path: |
-                      gist_url.txt
-                      coverage.xml
-                      pytest-report.txt
+  publish-gist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.13"
+          cache: "pip"
+
+      - name: Install gist publishing dependency
+        run: |
+          python -m pip install --upgrade pip
+          pip install requests
+
+      - name: Check GIST token
+        env:
+          GIST_TOKEN: ${{ secrets.GIST_TOKEN }}
+        run: |
+          if [ -z "${GIST_TOKEN}" ]; then
+            echo "GIST_TOKEN secret is not configured."
+            exit 1
+          fi
+
+      - name: Publish snapshot to Secret Gist
+        env:
+          GIST_TOKEN: ${{ secrets.GIST_TOKEN }}
+        run: |
+          python tools/publish_to_gist.py