chore: production-ready CI/CD

Apply the production-ready CI/CD plan:
- Phase 1: cross-cutting workflow fixes (action version pins,
  book-build path fix, video-build dynamic version + guards,
  permissions+concurrency blocks)
- Phase 2: per-repo CI hardening (drop continue-on-error,
  add OS/compiler matrices, fix repo-specific bugs)
- Phase 3: complete release matrix (Linux/Windows/macOS/embedded
  binaries, real CycloneDX + SPDX SBOMs via anchore/sbom-action,
  cosign keyless signing, conditional Apple notarization /
  Authenticode / GPG signing gated on secrets)

All workflow files pass actionlint clean.

Author: srpatcha

.github/workflows/book-build.yml

@@ -42,20 +42,20 @@ jobs:
       - name: Check book source
         id: check
         run: |
-          if [ ! -f book.md ]; then
+          if [ ! -f docs/book/book.md ]; then
             echo "has_book=false" >> $GITHUB_OUTPUT
             echo "lines=0" >> $GITHUB_OUTPUT
             echo "images=0" >> $GITHUB_OUTPUT
             echo "tables=0" >> $GITHUB_OUTPUT
-            echo "WARNING: book.md not found"
+            echo "WARNING: docs/book/book.md not found"
             exit 0
           fi
           echo "has_book=true" >> $GITHUB_OUTPUT
-          LINES=$(wc -l < book.md)
-          IMAGES=$(grep -c '!\[' book.md || echo 0)
-          TABLES=$(grep -c '^|' book.md || echo 0)
-          CODE=$(grep -c '```' book.md || echo 0)
-          CHAPTERS=$(grep -c '^## ' book.md || echo 0)
+          LINES=$(wc -l < docs/book/book.md)
+          IMAGES=$(grep -c '!\[' docs/book/book.md || echo 0)
+          TABLES=$(grep -c '^|' docs/book/book.md || echo 0)
+          CODE=$(grep -c '```' docs/book/book.md || echo 0)
+          CHAPTERS=$(grep -c '^## ' docs/book/book.md || echo 0)
           echo "lines=$LINES" >> $GITHUB_OUTPUT
           echo "images=$IMAGES" >> $GITHUB_OUTPUT
           echo "tables=$TABLES" >> $GITHUB_OUTPUT
@@ -104,7 +104,7 @@ jobs:
 
       - name: Clean source
         run: |
-          sed -i 's/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g' book.md
+          sed -i 's/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g' docs/book/book.md
           echo "Control characters cleaned"
 
       - name: Extract metadata
@@ -114,9 +114,9 @@ jobs:
           echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
           echo "pdf_name=${REPO_NAME}-guide.pdf" >> $GITHUB_OUTPUT
           # Extract title from frontmatter or first heading
-          TITLE=$(grep -m1 '^title:' book.md | sed 's/^title: *"*//;s/"*$//' || echo "")
+          TITLE=$(grep -m1 '^title:' docs/book/book.md | sed 's/^title: *"*//;s/"*$//' || echo "")
           if [ -z "$TITLE" ]; then
-            TITLE=$(head -10 book.md | grep "^# " | head -1 | sed 's/^# //')
+            TITLE=$(head -10 docs/book/book.md | grep "^# " | head -1 | sed 's/^# //')
           fi
           if [ -z "$TITLE" ]; then TITLE="$REPO_NAME — Official Guide"; fi
           echo "title=$TITLE" >> $GITHUB_OUTPUT

.github/workflows/ci.yml

@@ -1,39 +1,54 @@
-name: ebuild CI
-
-on:
-  push:
-    branches: [master, main]
-  pull_request:
-    branches: [master, main]
-
-jobs:
-  test:
-    name: Python Tests
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install
-        run: pip install -e . 2>/dev/null || pip install -e ".[dev]" 2>/dev/null || true
-
-      - name: Install test tools
-        run: pip install pytest flake8
-
-      - name: Lint
-        run: flake8 ebuild/ --max-line-length=120 --ignore=E501,W503,E402 || true
-
-      - name: Run tests
-        run: pytest tests/ -v --tb=short 2>/dev/null || echo "No pytest tests yet"
-
-      - name: CLI smoke test
-        run: |
-          python -m ebuild --version
-          python -m ebuild list-packages 2>/dev/null || echo "OK (no build.yaml)"
+name: ebuild CI
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Python Tests (${{ matrix.os }} / ${{ matrix.python-version }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        python-version: ["3.10", "3.11", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install
+        shell: bash
+        run: |
+          set -e
+          pip install -e ".[dev]" || pip install -e .
+
+      - name: Install test tools
+        run: pip install pytest flake8
+
+      - name: Lint
+        shell: bash
+        run: flake8 ebuild/ --max-line-length=120 --ignore=E501,W503,E402
+
+      - name: Run tests
+        shell: bash
+        run: pytest tests/ -v --tb=short
+
+      - name: CLI smoke test
+        shell: bash
+        run: |
+          python -m ebuild --version
+          python -m ebuild list-packages

.github/workflows/eosim-sanity.yml

@@ -8,6 +8,13 @@ on:
 env:
   EOSIM_VERSION: "0.1.0"
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   install-validate:
     name: Install & Validate (${{ matrix.os }}, Python ${{ matrix.python-version }})

.github/workflows/nightly.yml

@@ -5,6 +5,13 @@ on:
     - cron: "0 3 * * *"  # 3 AM UTC daily
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   full-test-suite:
     name: Full Test Suite