ci(linear): wire Linear release pipeline to CI

.circleci/config.yml

@@ -70,6 +70,19 @@ commands:
           role_arn: ${AWS_ROLE_ARN}
           role_session_name: app-frontend-${CIRCLE_BUILD_NUM}
 
+  download-linear-release:
+    steps:
+      - run:
+          name: Download Linear Release CLI
+          command: |
+            set -euo pipefail
+            linear_release_version="v0.7.0"
+            linear_release_sha256="c82e10e79ac54bfa5efff69124add2aa793d91b0d5e32c1ed56ab856eb2a7e79"
+            linear_release_url="https://github.com/linear/linear-release/releases/download/${linear_release_version}/linear-release-linux-x64"
+            curl -fsSL "$linear_release_url" -o /tmp/linear-release
+            echo "${linear_release_sha256}  /tmp/linear-release" | sha256sum -c -
+            chmod +x /tmp/linear-release
+
 # ------------------------------------------------------------
 # EXECUTOR  –  Node 22 LTS image with Chrome 137, FF 139, Edge 137
 # ------------------------------------------------------------
@@ -274,6 +287,18 @@ jobs:
           command: |
             set -euo pipefail
             circleci run release update "release-<< pipeline.git.tag >>" --status=FAILED
+      - download-linear-release
+      - run:
+          name: Sync Linear release
+          when: on_success
+          command: |
+            set -euo pipefail
+            git fetch --force --tags origin
+            /tmp/linear-release sync \
+              --release-version="<< pipeline.git.tag >>"
+            /tmp/linear-release update \
+              --release-version="<< pipeline.git.tag >>" \
+              --stage="Started"
 
 # ------------------------------------------------------------
 # WORKFLOWS
@@ -428,6 +453,8 @@ workflows:
       - publish-build-artifact:
           <<: *tag-filter
           name: publish release artifact
-          context: aws-dev
+          context:
+            - aws-dev
+            - linear-secrets
           requires:
             - build

.circleci/deploy.yml

@@ -58,6 +58,19 @@ commands:
           role_arn: ${AWS_ROLE_ARN}
           role_session_name: app-frontend-${CIRCLE_BUILD_NUM}
 
+  download-linear-release:
+    steps:
+      - run:
+          name: Download Linear Release CLI
+          command: |
+            set -euo pipefail
+            linear_release_version="v0.7.0"
+            linear_release_sha256="c82e10e79ac54bfa5efff69124add2aa793d91b0d5e32c1ed56ab856eb2a7e79"
+            linear_release_url="https://github.com/linear/linear-release/releases/download/${linear_release_version}/linear-release-linux-x64"
+            curl -fsSL "$linear_release_url" -o /tmp/linear-release
+            echo "${linear_release_sha256}  /tmp/linear-release" | sha256sum -c -
+            chmod +x /tmp/linear-release
+
 jobs:
   deploy-from-artifact:
     docker:
@@ -205,6 +218,36 @@ jobs:
               --status-file="$DEPLOY_MARKER_STATUS_FILE" \
               --target-environment="$DEPLOY_TARGET_ENV" \
               --target-version="$DEPLOY_TARGET_VERSION"
+      - download-linear-release
+      - run:
+          name: Update Linear release stage
+          when: on_success
+          command: |
+            set -euo pipefail
+
+            case "$DEPLOY_STAGE" in
+              qa)      linear_stage="QA" ;;
+              sandbox) linear_stage="Sandbox" ;;
+              prod)
+                if [ "$DEPLOY_ORGANIZATION" = "demonstration" ]; then
+                  echo "Skipping Linear release update for prod:demonstration"
+                  exit 0
+                fi
+                linear_stage="Released"
+                ;;
+              *)       exit 0 ;;
+            esac
+
+            git fetch --force --tags origin
+
+            /tmp/linear-release update \
+              --release-version="$DEPLOY_TARGET_VERSION" \
+              --stage="$linear_stage"
+
+            if [ "$DEPLOY_STAGE" = "prod" ]; then
+              /tmp/linear-release complete \
+                --release-version="$DEPLOY_TARGET_VERSION"
+            fi
       - run:
           name: Notify QA2 E2E repo
           when: on_success
@@ -265,6 +308,7 @@ workflows:
           context:
             - aws-dev
             - slack-secrets
+            - linear-secrets
 
   deploy-prod:
     when:
@@ -276,3 +320,4 @@ workflows:
           context:
             - aws-prod
             - slack-secrets
+            - linear-secrets

docs/deploy.md

@@ -140,6 +140,12 @@ npm run deploy -- --stage=<stage> [--organization=<organization>]
    - stage-wide deploys continue through every resolved environment and fail the job at the end if any targets fail
    - if a stage-wide deploy partially succeeds, concrete environment markers reflect the per-environment outcomes while the wildcard marker reflects the overall deploy result
 6. For QA deploys that include `qa2` (`qa:qa2` and `qa:*`), posts `qa2_deploy_succeeded` to `RoundingWell/app-tests`
+7. Updates the Linear release stage by running the pinned `linear/linear-release` CLI:
+   - `qa` deploys → `update --stage=QA`
+   - `sandbox` deploys → `update --stage=Sandbox`
+   - `prod` deploys → `update --stage=Released`, then `complete`
+   - `prod:demonstration` deploys are skipped (demo org, not a real release event)
+   - `dev` deploys are skipped
 
 Supported deploy environments:
 - `dev:<organization>`
@@ -167,6 +173,11 @@ Additional CircleCI secrets for the QA2 E2E dispatch step:
 - `GH_APP_PRIVATE_KEY`
 - `GH_APP_INSTALLATION_ID`
 
+CircleCI context for the Linear release steps:
+- `linear-secrets` context, providing `LINEAR_ACCESS_KEY` (Linear release pipeline access key)
+- attached to the `release-artifact` workflow in [`.circleci/config.yml`](../.circleci/config.yml) (sync + `Started` stage on tag build) and to both deploy workflows in [`.circleci/deploy.yml`](../.circleci/deploy.yml) (per-stage `update` and final `complete`)
+- the Linear release pipeline is configured as **scheduled**; stages used: built-in `Started`, custom `QA` (frozen) and `Sandbox`, and built-in terminal `Released`. CI also calls `complete` after a successful prod deploy.
+
 For QA deploys that include `qa2`, [`.circleci/deploy.yml`](../.circleci/deploy.yml) resolves the release SHA, passes the release tag, SHA, and a CircleCI run URL to [`scripts/dispatch-qa2-e2e.js`](../scripts/dispatch-qa2-e2e.js), and that script uses the GitHub App credentials above plus the `app-tests` installation id to mint a short-lived installation token before posting `repository_dispatch` with this payload:
 
 ```json