* chore(ci): rebrand and streamline the release pipeline

- CI/CD:
  - replace the old `develop`/`master` pipelines with explicit validation, nightly, preview, and release workflows
  - switch stable releases to `main`, keep `develop` for nightly builds, and make preview image builds manual-only
  - update the reusable migration check so callers pass explicit refs and validation works correctly across PRs, pushes, and release flows

- Packaging:
  - consolidate container packaging onto the root `Dockerfile` and remove `Dockerfile.ci`
  - stop mutating tracked source files during image builds by building frontend and backend assets inside the container pipeline
  - remove vendored `unrar` binaries and build the upstream CLI from source during the image build
  - keep runtime compatibility for existing Booklore deployments by preserving env vars, ports, mount paths, and legacy internal user defaults

- Deploy Surface:
  - move deployment examples under `deploy/` and Docker runtime assets under `packaging/docker`
  - rebrand image, chart, and helper-script references from Booklore to Grimmory on the build and release surfaces only
  - update Compose, Helm, and Podman examples to reflect Grimmory image names and the stable/nightly tag model

- Docs:
  - add the implementation plan under `docs/plans/ci-cd-rebrand-main-nightly.md`
  - refresh README, contributing guidance, PR template, and operational docs to match the new branch, image, and upgrade story
  - document the Booklore-to-Grimmory image swap path so existing self-hosted installs can upgrade by changing only the image reference

- Validation:
  - pass `git diff --check`
  - parse all workflow YAML successfully
  - pass `shellcheck` on the touched shell scripts

* fix(ci): address review feedback and dedupe test workflows

- Workflows:
  - extract backend and frontend test execution into a shared reusable workflow used by validation, nightly, and release pipelines
  - simplify migration ref handling, sanitize manual preview PR inputs, reduce preview cache writes, and update Flyway to the current image tag
  - remove unnecessary duplicated job definitions so the test path has one source of truth

- Packaging:
  - verify the downloaded UnRAR source tarball with SHA256 before extraction
  - remove the unnecessary forced npm install path from the production Docker build
  - harden container startup by failing clearly when APP_USER collides with an unexpected UID or GID

- Versioning and deploy docs:
  - keep app version metadata embedded in the built image instead of asking operators to set APP_VERSION in deploy examples
  - update runtime release links and support links to the Grimmory repository
  - add the Quadlet install section and finish the remaining review-targeted doc fixes and branding cleanup

- Validation:
  - pass git diff --check
  - pass shellcheck on packaging/docker/entrypoint.sh
  - parse all GitHub workflow YAML successfully

* fix: Resolve flyway version

* fix: Resolve some noise in readme

* feat(release): migrate stable releases to semantic-release

- Release automation:
  - replace the manual stable bump flow and Release Drafter with semantic-release on `main`
  - split stable delivery into a semantic-release workflow that computes version, changelog, tag, and draft GitHub release plus a tag-driven workflow that publishes container images
  - add a maintainer-run dry-run workflow to preview the next stable version and release notes before publishing

- Release tooling:
  - add a dedicated `tools/release` package with semantic-release configuration and lockfile
  - encode Grimmory's release policy so `feat` triggers minor releases, `fix`/`perf`/`refactor` trigger patch releases, and `docs`/`ci`/`build`/`chore`/`test`/`style` are changelog-only
  - maintain a committed `CHANGELOG.md` and draft GitHub releases from the same release notes source

- Contributor workflow:
  - enforce conventional PR titles for PRs targeting `develop` and `main`
  - document that feature work is squash-merged into `develop` and that stable releases are computed from the preserved conventional commit history promoted to `main`
  - update README, contributing guidance, and the PR template to match the new release process

- Bootstrap:
  - add the semantic-release migration plan under `docs/plans/semantic-release-migration.md`
  - seed the local release baseline with `v2.2.1` on commit `384512534fe5a2f42d8482a0646337e28ef54e52`
  - configure the stable image publish workflow to ignore the bootstrap tag so the first semantic-release-managed release can be `v2.2.2`

- Validation:
  - pass `git diff --check`
  - parse all workflow YAML successfully
  - verify the semantic-release config loads correctly
  - verify the local bootstrap tag is present as `v2.2.1`

* Add proper concurrency to prevent version collisions

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Tighten the release preview gate to ensure commits are present in origin/head

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Update README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(ci): fail migration checks on missing diff base

- Migration checks:
  - remove the implicit fallback that rewrote an all-zero base ref to `head^`
  - fail fast when callers provide the all-zero sentinel instead of a real comparison base so multi-commit pushes and root-history cases do not silently skip migration files

- Validation:
  - pass `git diff --check`
  - parse `.github/workflows/migrations-check.yml` successfully

* fix(packaging): source unrar from linuxserver layer

- Container packaging:
  - replace the custom UnRAR source build stage with the published `linuxserver/unrar` image layer
  - copy the provided `/usr/bin/unrar-alpine` binary into the final runtime image as `/usr/local/bin/unrar`
  - remove the checksum, tarball, and local compile path from the Dockerfile

- Validation:
  - pass `git diff --check`

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

- Workflow callers:
  - grant `contents: read` and `checks: write` when invoking the reusable test suite from CI validation, nightly builds, and main release automation
  - align caller permissions with the nested `backend-tests` and `frontend-tests` jobs so GitHub accepts the workflow graph

- Validation:
  - keep workflow YAML parsing clean after the permission wiring change
  - keep `git diff --check` clean for the touched workflow files

## [2.2.2](v2.2.1...v2.2.2) (2026-03-19)

### Bug Fixes

* **ci:** forward checks permission to reusable test jobs ([e3b3e7c](e3b3e7c))

### Chores

* **ci:** rebrand and streamline the release pipeline ([#66](#66)) ([1bc45da](1bc45da))
* Update README to use new links, and clean up formatting ([6b0c4aa](6b0c4aa))