* ci: guard latest desktop release
* fix(ci): self-heal a hijacked releases/latest pointer (#2462)
The guard previously only detected a hijacked latest pointer and failed the
run, still requiring a maintainer with delete rights to remove the junk
release by hand.
Add a remediation step that, on scheduled/manual runs, deletes a release
carrying the unambiguous hijack signature -- published, non-prerelease, a
non-semver tag, and zero electron-updater feed assets (latest.yml /
latest-mac.yml / latest-linux.yml) -- along with its tag, so GitHub
re-points latest to the newest real stable release. A real stable release
always has a semver tag and the feed assets, so this can never match one; an
in-progress real release keeps its semver tag, so it is excluded too, and the
step never runs on `release` events to avoid racing an asset upload.
This lets merging the PR resolve#2462 via the Actions token with no manual
admin action, while the verify step stays as the tripwire for anything
outside the auto-remediable signature. Bumps the job permission from
contents:read to contents:write for the delete.
* Revert "fix(ci): self-heal a hijacked releases/latest pointer (#2462)"
This reverts commit 185bc563a9.