fix(dist): kill the version-shadow + add build provenance (P0)

The stale code a default install/upgrade got was a TAG LEAK: deb.yml/rpm.yml shared
`tags: ['v*']` with the Apple-client release.yml, so the v0.1.0/v0.1.1 tags cut to ship
the macOS app ALSO published host packages versioned 0.1.1 — which outranks every rolling
0.0.1~ciN / 0.0.1-0.ciN build in both registries (dpkg/rpm version compares confirm), so
`apt install`/`rpm-ostree install` silently fetched ~99-commits-stale code while the READMEs
claimed auto-tracking. Two fixes:

- Decouple host publishing from Apple `v*` tags: deb.yml/rpm.yml now trigger on `host-v*`
  only, so a client tag can never poison the host channel again.
- Bump the rolling base 0.0.1 -> 0.2.0 (deb `0.2.0~ciN`, rpm `0.2.0-0.ciN`): sits ABOVE the
  stray 0.1.1 yet BELOW a future 0.2.0 tag, and still climbs monotonically by run number — so
  `apt upgrade`/`rpm-ostree upgrade` genuinely move forward. Spec default + build scripts +
  PKGBUILD pkgver bumped to match.

Build provenance (so a stale/shadowed host is detectable): build.rs stamps PUNKTFUNK_BUILD_VERSION
(set by CI = the full package version, e.g. 0.2.0~ci120.g802e98d; falls back to the crate version
for a plain `cargo build`) into the binary via rustc-env. Surfaced in `punktfunk-host --version`,
the startup log, and the mgmt /health + /host `version` field (was a hardcoded CARGO_PKG_VERSION).
Deliberately env-driven, not git-derived — the RPM builds from a git-archive tarball with no .git.
Version computed BEFORE the build in deb.yml; the spec %build exports it from %{version}-%{release}
(and gains --locked for reproducibility parity with the .deb path). Validated: plain build reports
0.0.1, env-stamped build reports 0.2.0~ci999.gdeadbee.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/deb.yml

@@ -13,7 +13,10 @@ name: deb
 on:
   push:
     branches: [main]
-    tags: ['v*']
+    # HOST-scoped tags only. The Apple client uses `v*` (release.yml); those must NOT trigger a
+    # host publish — a `v0.1.1` client tag previously shipped a host package versioned 0.1.1 that
+    # outranked every rolling build (the version-shadow). Host releases use `host-v*`.
+    tags: ['host-v*']
   workflow_dispatch:
 
 env:
@@ -31,6 +34,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Version
+        # host-vX.Y.Z tag -> X.Y.Z (a real host release). A main push -> 0.2.0~ciN.g<sha>: the '~'
+        # sorts it BELOW the eventual 0.2.0 tag, it climbs monotonically by run number, AND it sits
+        # ABOVE the stray 0.1.1, so `apt upgrade` truly moves boxes forward. Computed BEFORE the
+        # build so it's stamped into the binary (PUNKTFUNK_BUILD_VERSION -> build.rs -> --version).
+        run: |
+          SHORT=$(echo "$GITHUB_SHA" | cut -c1-8)
+          case "$GITHUB_REF" in
+            refs/tags/host-v*) V="${GITHUB_REF_NAME#host-v}" ;;
+            *)                 V="0.2.0~ci${GITHUB_RUN_NUMBER}.g${SHORT}" ;;
+          esac
+          echo "VERSION=$V" >> "$GITHUB_ENV"
+          echo "package version $V"
+
       # dpkg-shlibdeps (Depends resolution) + dpkg-deb live in dpkg-dev. The client's link
       # deps are also baked into the rust-ci image, but this job runs against the image
       # from the PREVIOUS push (docker.yml bootstrap note) — keep it green across image
@@ -60,6 +77,8 @@ jobs:
           restore-keys: cargo-target-v2-${{ env.rustc }}-
 
       - name: Build release host + client
+        env:
+          PUNKTFUNK_BUILD_VERSION: ${{ env.VERSION }}   # stamped into the binary (build.rs)
         run: |
           git config --global --add safe.directory "$PWD"
           cargo build --release -p punktfunk-host -p punktfunk-client-linux --locked
@@ -81,19 +100,6 @@ jobs:
           echo "web console smoke: /login -> $code"
           [ "$code" = 200 ] || { echo "ERROR: web console failed to boot under node"; exit 1; }
 
-      - name: Version
-        # Tag v1.2.3 -> 1.2.3 (a real release); a main push -> 0.0.1~ciN.g<sha>, which sorts
-        # BEFORE 0.0.1 (the '~') yet monotonically increases by run number, so `apt upgrade`
-        # always moves the boxes to the newest main build.
-        run: |
-          SHORT=$(echo "$GITHUB_SHA" | cut -c1-8)
-          case "$GITHUB_REF" in
-            refs/tags/v*) V="${GITHUB_REF_NAME#v}" ;;
-            *)            V="0.0.1~ci${GITHUB_RUN_NUMBER}.g${SHORT}" ;;
-          esac
-          echo "VERSION=$V" >> "$GITHUB_ENV"
-          echo "package version $V"
-
       - name: Build .debs
         run: |
           VERSION="$VERSION" bash packaging/debian/build-deb.sh

.gitea/workflows/rpm.yml

@@ -13,7 +13,9 @@ name: rpm
 on:
   push:
     branches: [main]
-    tags: ['v*']
+    # HOST-scoped tags only — the Apple client's `v*` tags (release.yml) must NOT publish a host
+    # RPM (a `v0.1.1` client tag previously shipped a host 0.1.1 that shadowed every rolling build).
+    tags: ['host-v*']
   workflow_dispatch:
 
 env:
@@ -65,14 +67,15 @@ jobs:
           restore-keys: cargo-home-
 
       - name: Version
-        # Tag v1.2.3 -> 1.2.3-1 (release); main push -> 0.0.1-0.ciN.g<sha>, whose release "0."
-        # sorts BEFORE the eventual "1" yet increases by run number, so `rpm-ostree upgrade`
-        # always moves to the newest main build.
+        # host-vX.Y.Z tag -> X.Y.Z-1 (a real host release); main push -> 0.2.0-0.ciN.g<sha>, whose
+        # "0." release sorts BELOW the eventual 0.2.0-1 yet climbs by run number AND outranks the
+        # stray 0.1.1, so `rpm-ostree upgrade` truly moves to the newest build. The spec %build
+        # stamps PUNKTFUNK_BUILD_VERSION from these macros into the binary (--version provenance).
         run: |
           SHORT=$(echo "$GITHUB_SHA" | cut -c1-8)
           case "$GITHUB_REF" in
-            refs/tags/v*) V="${GITHUB_REF_NAME#v}"; R="1" ;;
-            *)            V="0.0.1"; R="0.ci${GITHUB_RUN_NUMBER}.g${SHORT}" ;;
+            refs/tags/host-v*) V="${GITHUB_REF_NAME#host-v}"; R="1" ;;
+            *)                 V="0.2.0"; R="0.ci${GITHUB_RUN_NUMBER}.g${SHORT}" ;;
           esac
           echo "PF_VERSION=$V" >> "$GITHUB_ENV"
           echo "PF_RELEASE=$R" >> "$GITHUB_ENV"