fix(cli): pin release tags to the built commit’s SHA

What

Two related fixes to the release pipeline, plus the cli/** touch that lets this PR cut a fresh CLI release on merge.

1. Pin release tags to the built commit

Pins target_commitish: ${{ github.sha }} on every softprops/action-gh-release step that creates a component tag through the GitHub API — across cli-release.yml, app-release.yml, and the 12 published components in release.yml (server, cache, skills, noora, helm, capi-scaleway, runners-controller, hetzner-robot-controller, xcresult-processor-image, runner-image, linux-runner-image, kura). Gradle and the fleet-image tags already pre-create their tags locally via git tag (so they’re pinned), and the app’s appcast pointer tag is intentionally left unpinned.

2. Reset the committed CLI version to the x.y.z sentinel

Constants.version was committed as 4.197.1 — stale residue from the old release flow that committed version bumps back to main. Since #11160 stopped committing to main, that value just freezes at whatever shipped last and silently lags real releases. It’s reset to x.y.z, the sentinel InitCommandService already checks for. This is also the deliberate cli/** touch that makes merging this PR fire cli-release.yml, cutting 4.198.2 from the latest main.

Why

Tag pinning

Release tags were created without a target_commitish, so the GitHub API defaulted it to the repository’s default branch. When another push lands on main during a release run’s window between version computation and tag creation, GitHub resolves the default branch to its newer HEAD and stamps the tag there instead of on the commit the run actually built.

Concretely (the CLI 4.198.1 incident):

• Run for #11140 (0058746d701) computed and built CLI 4.198.1.
• While it was running, #11191 (45be052b221) landed on main.
• The publish step created the 4.198.1 release with target_commitish: main, which GitHub resolved to the new HEAD — so the lightweight tag 4.198.1 was stamped onto 45be052b221 instead of 0058746d701.

Result: the 4.198.1 release notes and binaries describe #11140, but the tag points at #11191. Worse, the next run (triggered by #11191) found the latest CLI tag already sitting on its own commit, computed an empty 4.198.1..HEAD range, and skipped — which is why #11191 never produced a release.

Version sentinel

With a real-looking stale version committed, the Constants.version == "x.y.z" branch in InitCommandService never matched, so tuist init from a source build pinned mise to the stale version instead of falling back to tuist@latest. Resetting to the sentinel restores that intended behavior and makes source/dev builds report a clearly-unreleased version. Released binaries are unaffected — the pipeline’s sed still replaces the value with the real version at build time (verified the regex matches x.y.z).

Impact

• Future release tags agree with their notes and artifacts. For a push event github.sha is the triggering commit, which each release job already checks out, builds, and derives its release notes from.
• Merging this PR fires cli-release.yml and cuts 4.198.2 from the current main HEAD, so #11191’s code (and everything else since 4.198.1) ships in that release.
• tuist init from a source build pins mise to latest again.

Validation

• All 14 tag-pin insertions verified to sit inside the correct action-gh-release step (directly above each component’s name:), with appcast confirmed unpinned. actionlint parses all three workflows; the only findings are pre-existing (custom self-hosted runner labels, shellcheck style hints).
• Confirmed x.y.z is the single canonical sentinel (one reference, in InitCommandService), the release sed still matches it, and the InitCommandService tests assert only contains("mise") (not the version arg), so they’re unaffected.

Note on the 4.198.1 tag

The mis-placed 4.198.1 tag is being left as-is. 4.198.2 (cut when this PR merges) is built from the latest main and contains #11191’s fix, so the fix reaches users regardless. The only cosmetic residue is that #11191 has no dedicated changelog line and the 4.198.1 tag points one commit further than its notes — neither worth a public-tag rewrite.