fix(ci): address PR review feedback

- download-github-releases.mjs: tighten release tag regex to
  `_v\d+\.\d+\.\d+` (require a patch component) and explicitly
  exclude `deployed/<tag>` marker tags before applying it, so
  markers aren't re-treated as undeployed releases.
- download-github-releases.mjs: clear `publish_artifacts_stage/`
  before each iteration and delete unknown-type files after
  warning, so leftovers from a previous tag don't trigger
  repeated warnings or incorrect moves on subsequent tags.
- azure-pipelines-cd.yml: make the Mark-deployed step idempotent
  by checking for the marker tag via `git rev-parse --verify`
  before creating + pushing. Previously, a re-run after partial
  success would have aborted with `set -e` on the first
  pre-existing tag.
- .github/workflows/README.md: update the release-job description
  to reflect the atomic `gh release create --target <sha>` flow
  (the earlier docs still claimed the workflow pushed an annotated
  tag before creating the release).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: janechu

.github/workflows/README.md

@@ -17,7 +17,7 @@ Nightly publishing is split into two coordinated jobs so that npm credentials ne
 
 - **`cd-github-releases.yml`** (GitHub Actions) triggers on **`push` to `main`** and on `workflow_dispatch`. It does **not** bump versions or push source changes to `main` — version bumps land on `main` through ordinary human-authored pull requests (for example, by running `npm run bump` locally and opening a PR). The workflow has two jobs:
   1. **`detect`** — checks out `main` with `fetch-depth: 0` and runs [`build/scripts/create-github-releases.mjs --check-only`](../../build/scripts/create-github-releases.mjs). The script walks the workspaces tree (no `npm ci` required), computes `${name}_v${version}` for every non-private workspace, and emits `hasMissingReleases=true` if any of those git tags do not yet exist.
-  2. **`release`** runs only when missing releases exist. Installs Node, the Rust toolchain (for `cargo package`), and the npm workspace dependencies, builds the repo, then runs the script in default mode. For every missing release the script: packs the npm tarball into `publish_artifacts_npm/`, packs the paired Rust crate (if `crates/<crate-name>/Cargo.toml` exists) into `publish_artifacts_crates/`, pushes an annotated `${name}_v${version}` git tag, and creates the GitHub release with both assets attached (via `gh release create --verify-tag`). The script errors if a paired crate's version does not match the npm package's version — but this is purely a safety net: the [`postbump` hook in `beachball.config.js`](../../beachball.config.js) rewrites the crate's `Cargo.toml` (and the matching entry in `Cargo.lock`) automatically whenever `npm run bump` bumps the paired npm package, so the two stay in sync from the same commit.
+  2. **`release`** runs only when missing releases exist. Installs Node, the Rust toolchain (for `cargo package`), and the npm workspace dependencies, builds the repo, then runs the script in default mode. For every missing release the script: packs the npm tarball into `publish_artifacts_npm/`, packs the paired Rust crate (if `crates/<crate-name>/Cargo.toml` exists) into `publish_artifacts_crates/`, and creates the GitHub release with both assets attached via `gh release create --target <sha>`. The `gh` CLI creates the git tag atomically with the release, so "tag exists" and "release exists" are always the same fact — a failed release is safely retried on the next workflow run, with no orphan tag stranded behind. The script errors if a paired crate's version does not match the npm package's version — but this is purely a safety net: the [`postbump` hook in `beachball.config.js`](../../beachball.config.js) rewrites the crate's `Cargo.toml` (and the matching entry in `Cargo.lock`) automatically whenever `npm run bump` bumps the paired npm package, so the two stay in sync from the same commit.
 - **`azure-pipelines-cd.yml`** (Azure Pipelines) runs every night at **1am PST (`0 9 * * *` UTC)** with `always: true` so it still runs on no-op nights (it is checking external GitHub state, not repo commits). It is split into two stages so the heavy publish work is skipped on no-op nights:
   1. **`Check`** — runs [`build/scripts/download-github-releases.mjs --check-only`](../../build/scripts/download-github-releases.mjs). The script lists every git tag matching the beachball-style `${name}_v${version}` pattern that does **not** also have a `deployed/<tag>` counterpart and emits the comma-separated list via Azure Pipelines `setvariable` output variables (`needsDeployment`, `undeployedTags`). No network calls to npm or crates.io.
   2. **`Package`** — depends on `Check` and runs only when `needsDeployment == 'true'`. Downloads every undeployed release's assets via `gh release download`, sorts them into `publish_artifacts_npm/` (`.tgz`) and `publish_artifacts_crates/` (`.crate`), hands off to `FAST.Release.PipelineTemplate.yml@fastPipelines` for the actual `npm publish` / `cargo publish`, and on success pushes a `deployed/<tag>` git marker tag for each release that was just published. The next nightly run will see those markers and skip the corresponding releases.

azure-pipelines-cd.yml

@@ -122,6 +122,8 @@ extends:
           # Push a `deployed/<tag>` marker tag for each release that was just
           # published so that the next nightly Check stage sees it and skips
           # the release. Reads the list of tags written by the download script.
+          # Idempotent: a marker tag that already exists locally (i.e. fetched
+          # from origin via `fetchTags: true`) is left alone instead of failing.
           - script: |
               set -euo pipefail
               META_FILE=publish_artifacts_meta/undeployed-tags.txt
@@ -132,6 +134,10 @@ extends:
               while IFS= read -r tag; do
                 [ -z "$tag" ] && continue
                 DEPLOY_TAG="deployed/${tag}"
+                if git rev-parse --verify --quiet "refs/tags/${DEPLOY_TAG}" >/dev/null; then
+                  echo "Already marked deployed: ${DEPLOY_TAG} (skipping)"
+                  continue
+                fi
                 echo "Marking deployed: ${DEPLOY_TAG}"
                 git tag "${DEPLOY_TAG}"
                 git push origin "${DEPLOY_TAG}"

build/scripts/download-github-releases.mjs

@@ -39,7 +39,14 @@
  */
 
 import { execFileSync } from "node:child_process";
-import { mkdirSync, readdirSync, renameSync, writeFileSync } from "node:fs";
+import {
+    mkdirSync,
+    readdirSync,
+    renameSync,
+    rmSync,
+    unlinkSync,
+    writeFileSync,
+} from "node:fs";
 import { join } from "node:path";
 
 const NPM_DIR = "publish_artifacts_npm";
@@ -75,7 +82,14 @@ const allTags = listGitTags();
 const deployed = new Set(
     allTags.filter(t => t.startsWith("deployed/")).map(t => t.slice("deployed/".length)),
 );
-const releaseTags = allTags.filter(t => /_v\d+\.\d+/.test(t));
+// Match beachball's release tag format: `${name}_v${major}.${minor}.${patch}`,
+// where the version is the publishable portion (`1.0.0` or `1.0.0-alpha.3`).
+// `deployed/` marker tags are excluded explicitly so they aren't re-processed
+// as if they were releases.
+const RELEASE_TAG_RE = /_v\d+\.\d+\.\d+/;
+const releaseTags = allTags.filter(
+    t => !t.startsWith("deployed/") && RELEASE_TAG_RE.test(t),
+);
 const undeployed = releaseTags.filter(t => !deployed.has(t)).sort();
 
 console.log(`Release tags total:        ${releaseTags.length}`);
@@ -106,6 +120,10 @@ const processed = [];
 for (const tag of undeployed) {
     try {
         console.log(`\nDownloading assets for ${tag}...`);
+        // Clear the stage dir before each iteration so leftover unknown-type
+        // files from a previous release are not reprocessed (or warned about
+        // repeatedly).
+        rmSync(STAGE_DIR, { recursive: true, force: true });
         mkdirSync(STAGE_DIR, { recursive: true });
         run(
             "gh",
@@ -121,6 +139,7 @@ for (const tag of undeployed) {
                 renameSync(src, join(CRATES_DIR, file));
             } else {
                 console.warn(`  Ignoring unknown asset type: ${file}`);
+                unlinkSync(src);
             }
         }