Wrestling CI: split packages, mirror tokens, and auto-tagging
A day of CI/CD pain — splitting SDK packages out to their own repos, fixing mirror push tokens, and auto-tagging main on every push so releases are boring.
Today produced almost no user-facing features and was one of the most important days so far. It was a CI day.
Lookout isn't one repo — it's a monorepo that splits SDK packages out to their own read-only mirror repos (so people can composer require lookout/tracing without cloning the whole app). That split happens in CI on every push, and today it fought me the whole way.
The mirror token saga
Three commits, all variations on the same theme:
remove secrets from package-split step if conditions — turns out you can't reference secrets inside a workflow if: condition; GitHub evaluates those before secrets are available. The step silently never ran.
diagnose mirror PAT issues (trim token, API preflight) — the push token had a trailing newline from how it was pasted into the secret. A trailing \n on a PAT produces a 403 that looks exactly like a permissions problem. I added an API preflight that calls the GitHub API with the token first, so the failure is loud and early instead of a cryptic git push error.
use SPLIT_PUSH_TOKEN for mirror push, not GITHUB_TOKEN — the default GITHUB_TOKEN can't push to a different repo. Obvious in hindsight; an hour in the moment.
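The trim-and-preflight check described above, as an added example rather than Lookout's actual workflow step: it strips paste whitespace from the token, reports what it removed without printing the secret, and probes the GitHub REST API before any git push. SPLIT_PUSH_TOKEN is the secret name from the post; MIRROR_REPO and the function names are assumptions.

```shell
#!/bin/sh
# Added example. SPLIT_PUSH_TOKEN is the secret named in the post;
# MIRROR_REPO ("owner/name") and the function names are assumptions.

# A PAT never contains whitespace, so any space, tab, CR or LF is a paste artifact.
trim_token() {
  printf '%s' "$1" | tr -d '[:space:]'
}

# Say what was wrong with the raw secret without printing any of it.
token_report() {
  raw=$1
  clean=$(trim_token "$raw")
  if [ -z "$clean" ]; then
    echo "empty"
  elif [ "${#raw}" -ne "${#clean}" ]; then
    echo "whitespace:$(( ${#raw} - ${#clean} ))"
  else
    echo "ok"
  fi
}

# Probe the GitHub REST API before any git push. The header goes to curl on
# stdin (-H @-) so the token never appears in the process list.
# HTTP 200 proves the token authenticates and can see the repo, not that it can push.
preflight() {
  token=$(trim_token "$1")
  repo=$2
  status=$(printf 'Authorization: Bearer %s\n' "$token" |
    curl -sS -o /dev/null -w '%{http_code}' -H @- \
      -H 'Accept: application/vnd.github+json' \
      "https://api.github.com/repos/$repo") || status=000
  case $status in
    200) echo "preflight ok: token can read $repo" ;;
    401) echo "preflight failed: token rejected (invalid, expired or mangled)" >&2; return 1 ;;
    403|404) echo "preflight failed: HTTP $status, no access to $repo" >&2; return 1 ;;
    *) echo "preflight failed: unexpected HTTP $status" >&2; return 1 ;;
  esac
}

# Run only when both values are present, e.g. inside the split job.
if [ -n "${SPLIT_PUSH_TOKEN:-}" ] && [ -n "${MIRROR_REPO:-}" ]; then
  echo "token check: $(token_report "$SPLIT_PUSH_TOKEN")"
  preflight "$SPLIT_PUSH_TOKEN" "$MIRROR_REPO"
fi
```

Because the report carries only a count of stripped characters, it is safe to leave in job logs even if secret masking misses the mangled value.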
Make releases boring
The capstone of the day: tag main/master on every push. Every push to the default branch gets an auto-incremented tag. That means the package-split workflow always has a version to publish, and I never have to remember to cut a release by hand.
The best release process is the one you never think about. If tagging is automatic and the split is automatic, then "shipping" is just git push — which is exactly how often I want to think about it.
CI is the kind of work nobody sees and everybody depends on. Tomorrow: hardening the SDK package so those installs actually work for real users.