feat: add update command, bump to 0.2.0, doc version check

- add secrets update: incremental merge for tags/metadata/encrypted
- AGENTS.md: 提交前检查增加版本号与 git tag 说明
- README/AGENTS: update 命令文档与示例
- Cargo.toml 0.1.0 -> 0.2.0 (secrets-0.1.0 已存在)

Made-with: Cursor

.gitea/workflows/secrets.yml

@@ -107,7 +107,7 @@ jobs:
             --arg tag "$tag" \
             --arg name "${{ env.BINARY_NAME }} ${version}" \
             --arg body "$body" \
-            '{tag_name: $tag, name: $name, body: $body}')
+            '{tag_name: $tag, name: $name, body: $body, draft: true}')
 
           http_code=$(curl -sS -o /tmp/create-release.json -w '%{http_code}' \
             -H "Authorization: token $RELEASE_TOKEN" \
@@ -120,7 +120,7 @@ jobs:
           fi
 
           if [ -n "$release_id" ]; then
-            echo "已创建 Release: ${release_id}"
+            echo "已创建草稿 Release: ${release_id}"
             echo "release_id=${release_id}" >> "$GITHUB_OUTPUT"
           else
             echo "⚠ 创建 Release 失败 (HTTP ${http_code})，跳过产物上传"
@@ -169,12 +169,15 @@ jobs:
               (.runners // .data // . // [])
               | any(
                   (
-                    (.status // (if (.online // false) then "online" else "offline" end))
-                    | ascii_downcase
-                  ) == "online"
+                    (.online == true)
+                    or (
+                      ((.status // "") | ascii_downcase)
+                      | IN("online", "idle", "busy", "active")
+                    )
+                  )
                   and (
                     (.labels // [])
-                    | map(if type == "object" then (.name // .label // "") else tostring end)
+                    | map(if type == "object" then (.name // .label // "") else tostring end | ascii_downcase)
                     | index($label)
                   ) != null
                 )
@@ -182,7 +185,7 @@ jobs:
           }
 
           for pair in "debian:has_linux" "darwin-arm64:has_macos" "windows:has_windows"; do
-            label="${pair%%:*}"; key="${pair##*:}"
+            label="$(printf '%s' "${pair%%:*}" | tr '[:upper:]' '[:lower:]')"; key="${pair##*:}"
             if has_runner "$label"; then
               echo "${key}=true" >> "$GITHUB_OUTPUT"
             else
@@ -228,7 +231,6 @@ jobs:
     if: needs.probe-runners.outputs.has_linux == 'true'
     runs-on: debian
     timeout-minutes: 1
-    continue-on-error: true
     steps:
       - name: 安装依赖
         run: |
@@ -278,7 +280,6 @@ jobs:
     if: needs.probe-runners.outputs.has_macos == 'true'
     runs-on: darwin-arm64
     timeout-minutes: 1
-    continue-on-error: true
     steps:
       - name: 安装依赖
         run: |
@@ -326,7 +327,6 @@ jobs:
     if: needs.probe-runners.outputs.has_windows == 'true'
     runs-on: windows
     timeout-minutes: 1
-    continue-on-error: true
     steps:
       - name: 安装依赖
         shell: pwsh
@@ -372,9 +372,51 @@ jobs:
             -Headers @{ "Authorization" = "token $env:RELEASE_TOKEN" } `
             -Form @{ attachment = Get-Item $archive }
 
+  publish-release:
+    name: 发布草稿 Release
+    needs: [version, check, build-linux, build-macos, build-windows]
+    if: always() && needs.version.outputs.release_id != ''
+    runs-on: debian
+    timeout-minutes: 2
+    steps:
+      - name: 发布草稿
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          [ -z "$RELEASE_TOKEN" ] && exit 0
+
+          version_r="${{ needs.version.result }}"
+          check_r="${{ needs.check.result }}"
+          linux_r="${{ needs.build-linux.result }}"
+          macos_r="${{ needs.build-macos.result }}"
+          windows_r="${{ needs.build-windows.result }}"
+
+          for result in "$version_r" "$check_r" "$linux_r" "$macos_r" "$windows_r"; do
+            case "$result" in
+              success|skipped) ;;
+              *)
+                echo "存在失败或取消的 job，保留草稿 Release"
+                exit 0
+                ;;
+            esac
+          done
+
+          release_api="${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/${{ needs.version.outputs.release_id }}"
+          http_code=$(curl -sS -o /tmp/publish-release.json -w '%{http_code}' \
+            -H "Authorization: token $RELEASE_TOKEN" \
+            -H "Content-Type: application/json" \
+            -X PATCH "$release_api" \
+            -d '{"draft":false}')
+
+          if [ "$http_code" != "200" ]; then
+            echo "发布草稿 Release 失败 (HTTP ${http_code})"
+            cat /tmp/publish-release.json 2>/dev/null || true
+            exit 1
+          fi
+
   notify:
     name: 通知
-    needs: [version, probe-runners, check, build-linux, build-macos, build-windows]
+    needs: [version, probe-runners, check, build-linux, build-macos, build-windows, publish-release]
     if: always() && github.event_name == 'push'
     runs-on: debian
     timeout-minutes: 1
@@ -399,8 +441,13 @@ jobs:
           linux_r="${{ needs.build-linux.result }}"
           macos_r="${{ needs.build-macos.result }}"
           windows_r="${{ needs.build-windows.result }}"
+          publish_r="${{ needs.publish-release.result }}"
 
-          if [ "$version_r" = "success" ] && [ "$check_r" = "success" ]; then
+          if [ "$version_r" = "success" ] && [ "$check_r" = "success" ] \
+            && [ "$linux_r" != "failure" ] && [ "$linux_r" != "cancelled" ] \
+            && [ "$macos_r" != "failure" ] && [ "$macos_r" != "cancelled" ] \
+            && [ "$windows_r" != "failure" ] && [ "$windows_r" != "cancelled" ] \
+            && [ "$publish_r" != "failure" ] && [ "$publish_r" != "cancelled" ]; then
             status="构建成功 ✅"
           else
             status="构建失败 ❌"
@@ -425,6 +472,7 @@ jobs:
 
           msg="${msg}
           构建结果：linux$(icon "$linux_r") macOS$(icon "$macos_r") windows$(icon "$windows_r")
+          Release：$(icon "$publish_r")
           提交：${commit}
           作者：${{ github.actor }}
           详情：${url}"