
ci(workflow): adopt unified tailor sentinel gate pattern and consolidate release mechanism #62

Merged: flexiondotorg merged 2 commits into main from ci, Mar 16, 2026

Conversation

@flexiondotorg (Contributor)

  • Replace separate build.yml and release.yml with unified builder.yml workflow
  • Implement sentinel gate pattern: lint-code, lint-actions, coverage, test matrix, security
  • Preserve native four-runner build matrix with CGO and ffmpeg-statigo
  • Retain existing softprops/action-gh-release mechanism
  • Add actionlint-matcher.json for improved error reporting

Checklist

  • I have performed a self-review of my code
  • I have tested my changes and confirmed there are no regressions

…ate release mechanism

- Replace separate build.yml and release.yml with unified builder.yml
  workflow
- Implement sentinel gate pattern: lint-code, lint-actions, coverage,
  test matrix, security
- Preserve native four-runner build matrix with CGO and ffmpeg-statigo
- Retain existing softprops/action-gh-release mechanism
- Add actionlint-matcher.json for improved error reporting

Signed-off-by: Martin Wimpress <code@wimpress.io>

@cubic-dev-ai cubic-dev-ai bot left a comment


3 issues found across 4 files

Confidence score: 2/5

  • High-confidence CI regression in .github/workflows/builder.yml: the ffmpeg-statigo submodule is not initialized before Go linters, so go vet can fail on the ./third_party/ffmpeg-statigo replace target and block the sentinel gate.
  • Given the severity (8/10) and strong confidence (9/10), this is a likely merge blocker rather than a cosmetic issue, which drives the lower score.
  • There are also smaller workflow-quality issues: .github/actionlint-matcher.json may miss ANSI diagnostics with semicolon-delimited SGR codes, and .github/workflows/builder.yml release notes currently claim SHA256 assets that are not produced.
  • Pay close attention to .github/workflows/builder.yml, .github/actionlint-matcher.json - fix submodule setup first to restore CI reliability, then align matcher/release-note behavior.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/actionlint-matcher.json">

<violation number="1" location=".github/actionlint-matcher.json:7">
P2: Broaden the ANSI matcher to handle semicolon-delimited SGR codes, otherwise colored diagnostics with combined attributes can stop matching.</violation>
</file>

<file name=".github/workflows/builder.yml">

<violation number="1" location=".github/workflows/builder.yml:30">
P1: Initialize the ffmpeg-statigo submodule before running Go linters. This checkout omits the local module that `go.mod` replaces into `./third_party/ffmpeg-statigo`, so `go vet` fails in CI and blocks the sentinel gate.</violation>

<violation number="2" location=".github/workflows/builder.yml:253">
P3: Either generate checksum assets or remove this sentence. As written, every release note claims SHA256 checksums are included even though the workflow never creates them.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
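The review's third finding (release notes that claim SHA256 checksums the workflow never produces) is a supply-chain integrity gap: a consumer told that checksums exist has nothing to verify a downloaded asset against if no checksum file is published. The POSIX shell script below is an added example, not code from this PR or the project, showing a minimal write/verify pair a release job could run and then derive the release-note sentence from the verified state instead of hard-coding it. The asset names and the temporary directory are constructed for the demo; `sha256sum` (coreutils) is assumed, with `shasum -a 256` as a fallback.

```shell
#!/bin/sh
# Added example, not part of this PR or the project: write and verify a
# SHA256SUMS file for a directory of release assets, so a release note only
# claims checksums when the file actually exists and verifies.
set -e

# Pick an available SHA-256 tool; both print "<hex>  <file>" and accept -c.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# write_checksums DIR: regenerate DIR/SHA256SUMS over every regular file in
# DIR except the checksum file itself. Entries use paths relative to DIR so
# the file verifies from inside the release directory, as consumers do.
write_checksums() {
    dir=$1
    (
        cd "$dir"
        rm -f SHA256SUMS
        for f in *; do
            if [ -f "$f" ] && [ "$f" != SHA256SUMS ]; then
                sha256_cmd "$f"
            fi
        done > SHA256SUMS
    )
}

# verify_checksums DIR: return non-zero if SHA256SUMS is absent or any
# listed asset no longer matches, so callers cannot claim checksums that
# were never produced or no longer hold.
verify_checksums() {
    dir=$1
    if [ ! -f "$dir/SHA256SUMS" ]; then
        echo "verify_checksums: no SHA256SUMS in $dir" >&2
        return 1
    fi
    ( cd "$dir" && sha256_cmd -c SHA256SUMS >/dev/null )
}

# release_note_checksum_line DIR: the sentence a release note may include,
# chosen from the verified state instead of hard-coded into the template.
release_note_checksum_line() {
    if verify_checksums "$1" 2>/dev/null; then
        echo "SHA256 checksums for all assets are published in SHA256SUMS."
    else
        echo "No checksum file is published for this release."
    fi
}

# Demo on constructed assets (placeholders for the real per-runner binaries).
demo_dir=$(mktemp -d)
printf 'constructed linux/amd64 asset\n' > "$demo_dir/app-linux-amd64"
printf 'constructed darwin/arm64 asset\n' > "$demo_dir/app-darwin-arm64"

release_note_checksum_line "$demo_dir"   # before: no checksum file
write_checksums "$demo_dir"
release_note_checksum_line "$demo_dir"   # after: checksums published
cat "$demo_dir/SHA256SUMS"

rm -rf "$demo_dir"
```

`verify_checksums` fails both when SHA256SUMS is missing and when any asset has changed since it was written, so a release step can gate the "checksums included" sentence on its exit status; the checksum file is regenerated from scratch each run so a stale entry from a renamed asset cannot survive.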

- Add `submodules: recursive` to lint-code checkout step to load
  go.mod replace directive targeting third_party/ffmpeg-statigo
- Add `submodules: recursive` to security checkout step and set
  `repo-checkout: false` on govulncheck-action to prevent duplicate
  checkout without submodule initialisation

Fixes go vet and govulncheck job failures caused by missing submodule
dependencies.

Signed-off-by: Martin Wimpress <code@wimpress.io>
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.


@cubic-dev-ai cubic-dev-ai bot left a comment


0 issues found across 1 file (changes from recent commits).

Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.

@flexiondotorg flexiondotorg merged commit 53d0701 into main Mar 16, 2026
18 checks passed
@flexiondotorg flexiondotorg deleted the ci branch March 16, 2026 16:54