fix: use client-id for create-github-app-token (#17)

actions/create-github-app-token@v3 deprecated app-id in favor of
client-id. Switch to the new org-level secret WORKFLOWS_CLIENT_ID
(Client ID of the Geolonia Workflows GitHub App).

fix(release): mark latest release by semver instead of creation date (#…

…16)

* fix(release): use --latest=legacy so highest semver wins

gh release create without --latest defaults to marking the newly
created release as "Latest", which meant v1.49.3 got flagged as
latest even though v2.2.1 is a higher semver.

--latest=legacy tells GitHub to pick the highest semver instead.

* fix: set make_latest via REST API, not gh release create --latest

gh release create's --latest flag only accepts booleans. Use the
REST API's make_latest=legacy parameter to tell GitHub to pick the
highest semver as the "Latest" release.

Skip the PATCH for prereleases (GitHub already handles that).

* fix: PATCH releases by numeric ID, not tag path

The /releases/tags/{tag} endpoint is GET-only. The documented update
endpoint requires the numeric release ID.

fix: use client-id for create-github-app-token (#17)

actions/create-github-app-token@v3 deprecated app-id in favor of
client-id. Switch to the new org-level secret WORKFLOWS_CLIENT_ID
(Client ID of the Geolonia Workflows GitHub App).

fix: use client-id for create-github-app-token (#17)

actions/create-github-app-token@v3 deprecated app-id in favor of
client-id. Switch to the new org-level secret WORKFLOWS_CLIENT_ID
(Client ID of the Geolonia Workflows GitHub App).

feat: add CODEOWNERS template for enrolled repos

CODEOWNERS cannot be inherited from the org .github repo -- it must
exist in each repo individually. This template is fetched by the
Backstage enroll-existing-repo scaffolder into new PRs.

Protects catalog-info.yaml and itself from changes without operations
team review.

fix: use client-id instead of deprecated app-id

actions/create-github-app-token@v3 deprecated app-id in favor of
client-id. Update the secret reference to OPS_DISPATCH_CLIENT_ID.

fix: send client_payload as JSON object in repository_dispatch

The gh api -f flag was serializing client_payload as a string instead
of a JSON object, causing HTTP 422 from the GitHub API. Build the
entire request body with jq and pipe via --input instead.

feat: add reusable team access sync workflow

Add a reusable workflow that reads spec.owner and spec.accessGrants from
catalog-info.yaml and dispatches a sync request to geolonia-operations.
The centralized processor in geolonia-operations applies the actual
team-repo permissions, keeping org-level credentials out of individual
repos.

Includes a workflow template and properties file so repos can adopt it
via the GitHub UI or Backstage scaffolder templates.

fix: use client-id instead of deprecated app-id

actions/create-github-app-token@v3 deprecated app-id in favor of
client-id. Update the secret reference to OPS_DISPATCH_CLIENT_ID.

fix: teach AI that ECS health check silence is normal during rolling …

…deploys

The AI was cancelling valid ECS deployments after only a few minutes
because it interpreted health check failures on newly started tasks as
stuck deployments. Added explicit rules: silence during rolling deploy
startup is expected, transient health check failures are not a cancel
signal, and CANCEL should only fire when elapsed time clearly exceeds
the operator hang threshold or there is a definitive unrecoverable error.