22 changes: 18 additions & 4 deletions .github/workflows/blog-autopublish.yml
@@ -46,9 +46,23 @@ jobs:
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
REPO: ${{ github.repository }}
steps:
# Mint a token from the PulseEngine Actions Helper App so this job
# can `gh pr create` despite the org policy that disables PR-creation
# for the default GITHUB_TOKEN. The App's installation grants
# contents: write + pull-requests: write + metadata: read on this
# repo only — strictly narrower than what GITHUB_TOKEN would have
# had with the org permission flipped.
- name: Mint App token
id: app_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.ACTIONS_BOT_APP_ID }}
private-key: ${{ secrets.ACTIONS_BOT_PRIVATE_KEY }}

- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.app_token.outputs.token }}

- uses: actions/setup-python@v5
with:
@@ -61,7 +75,7 @@ jobs:

- name: Ensure labels exist
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
# `gh label create --force` upserts (creates or updates), so this
# step is idempotent and immune to a label being deleted manually.
@@ -91,7 +105,7 @@ jobs:
id: publish
if: steps.scan.outputs.ready_count != '0'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
set -euo pipefail
published='[]'
@@ -146,7 +160,7 @@ jobs:
- name: Post / update status comment
if: always()
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
set -euo pipefail

@@ -179,7 +193,7 @@ jobs:
- name: Open failure issue
if: failure()
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app_token.outputs.token }}
run: |
today=$(date -u +%Y-%m-%d)
gh issue create \
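Review bot: The `Open failure issue` step (`if: failure()`) now authenticates with `steps.app_token.outputs.token`, so the failure path depends on the very step that may have failed: if `Mint App token` errors out (rotated key, missing secret), the token is empty and no issue is opened. The comment above `Mint App token` also lists the installation's grants as contents, pull-requests and metadata only, which, if that list is complete, does not cover `gh issue create`. Keeping `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on that step, or using `GH_TOKEN: ${{ steps.app_token.outputs.token || secrets.GITHUB_TOKEN }}`, would keep failure reporting independent of the App; the job's `permissions:` block is outside the visible hunks, so confirm it grants `issues: write`. Separately, `actions/create-github-app-token@v1` receives the App private key through a mutable tag; pinning that `uses:` line to a full commit SHA would narrow the supply-chain exposure of the key.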
@@ -2,7 +2,7 @@
title = "Overdoing the verification chain — and mapping it to six safety domains"
description = "The prior posts argued for proofs and for traceability. This one shows the full chain, why I chose to overdo rather than undercommit, and where the stack earns credit across six safety domains — with an honest read on what still does not clear the bar."
date = 2026-04-29
draft = true
draft = false
[taxonomies]
tags = ["verification", "deep-dive"]
authors = ["Ralf Anton Beier"]
2 changes: 1 addition & 1 deletion content/blog/2026-04-24-variant-pruning-rust-mcdc.md
@@ -2,7 +2,7 @@
title = "MC/DC for AI-authored Rust is tractable — the variant-pruning argument"
description = "The received wisdom is that Rust's pattern matching makes MC/DC harder than C. Under variant-managed AI-authored code, the opposite is true. Five layers of variant pruning, one oracle per layer, and a certification burden proportional to the single variant you ship — not the combinatorial product."
date = 2026-04-30
draft = true
draft = false
[taxonomies]
tags = ["verification", "process", "deep-dive"]
authors = ["Ralf Anton Beier"]
@@ -2,7 +2,7 @@
title = "Cross-language LTO on Cortex-M: three barriers and a wrong prediction"
description = "We pushed LLVM cross-language LTO between verified Rust and Zephyr's C kernel. Three barriers nobody documents. Cleared them. Then measured — and the prediction we'd shipped was wrong by a lot. The story of what that taught us, and the framework for picking a regime when the data doesn't dominate."
date = 2026-05-01
draft = true
draft = false
[taxonomies]
tags = ["verification", "process", "deep-dive"]
authors = ["Ralf Anton Beier"]