feat: add full GitHub Actions support with permissions, environment, concurrency, and matrix

Extended schema and models to support GitHub Actions-specific features:
- Added permissions at workflow and job level
- Added environment configuration for deployments
- Added concurrency control
- Added strategy/matrix with dynamic properties
- Added step-level id and if conditionals
- Updated job schema to accept native GitHub Actions step syntax

All .github/workflows are now generated from .cigen/ config, including:
- ci.yml (with job skipping)
- docs.yml (with Pages deployment)
- release.yml (with matrix builds)

This makes cigen fully self-hosting and demonstrates 'write once, run anywhere' philosophy.

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ndbroadbent

.cigen/workflows/docs.yml

@@ -0,0 +1,24 @@
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - ".github/workflows/docs.yml"
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  ci_gate:
+  build:
+    requires:
+      - ci_gate
+  deploy:
+    requires:
+      - build

.cigen/workflows/docs/jobs/build.yml

@@ -0,0 +1,59 @@
+image: ubuntu-latest
+
+steps:
+  - uses: actions/checkout@v4
+
+  - name: Setup Node.js
+    uses: actions/setup-node@v4
+    with:
+      node-version: "20"
+
+  - name: Setup pnpm
+    uses: pnpm/action-setup@v4
+    with:
+      version: 10
+
+  - run:
+      name: Install root deps (if any)
+      command: |
+        pnpm install --frozen-lockfile || pnpm install
+
+  - run:
+      name: Build docs (if present)
+      command: |
+        set -e
+        if [ -f docs/package.json ]; then
+          cd docs
+          pnpm install --frozen-lockfile || pnpm install
+          if pnpm run -s build; then
+            echo "Docs built with pnpm"
+          elif npm run build; then
+            echo "Docs built with npm"
+          else
+            echo "Docs build script not found" >&2
+            exit 1
+          fi
+          if [ ! -d dist ]; then
+            echo "Docs build output not found at dist/" >&2
+            exit 1
+          fi
+        else
+          echo "docs/package.json not found; docs site missing" >&2
+          exit 1
+        fi
+
+  - run:
+      name: Verify docs output exists
+      command: |
+        if [ ! -d docs/dist ]; then
+          echo "Docs build output not found at docs/dist" >&2
+          exit 1
+        fi
+
+  - name: Configure Pages
+    uses: actions/configure-pages@v5
+
+  - name: Upload artifact
+    uses: actions/upload-pages-artifact@v3
+    with:
+      path: docs/dist

.cigen/workflows/docs/jobs/ci_gate.yml

@@ -0,0 +1,10 @@
+image: ubuntu-latest
+
+steps:
+  - uses: actions/checkout@v4
+  - name: Wait for CI checks to complete
+    uses: actions/github-script@v7
+    with:
+      script: |
+        const wait = require('./.github/wait-for-checks.js');
+        await wait({ github, context, core, checks: ["test"] });

.cigen/workflows/docs/jobs/deploy.yml

@@ -0,0 +1,10 @@
+image: ubuntu-latest
+
+environment:
+  name: github-pages
+  url: ${{ steps.deployment.outputs.page_url }}
+
+steps:
+  - name: Deploy to GitHub Pages
+    id: deployment
+    uses: actions/deploy-pages@v4

.cigen/workflows/release.yml

@@ -0,0 +1,17 @@
+on:
+  push:
+    tags:
+      - "v*" # Version tags like v1.2.3
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release_build:
+  release_create:
+    requires:
+      - release_build
+  docker_image:
+    requires:
+      - release_create

.cigen/workflows/release/jobs/docker_image.yml

@@ -0,0 +1,46 @@
+image: ubuntu-latest
+
+permissions:
+  contents: read
+
+env:
+  DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@v4
+    with:
+      fetch-depth: 0
+
+  - run:
+      name: Extract version
+      command: |
+        VERSION=$(grep -E '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
+        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+  - name: Set up QEMU
+    uses: docker/setup-qemu-action@v3
+
+  - name: Set up Docker Buildx
+    uses: docker/setup-buildx-action@v3
+
+  - name: Log in to Docker Hub
+    uses: docker/login-action@v3
+    with:
+      username: ${{ env.DOCKERHUB_USERNAME }}
+      password: ${{ env.DOCKERHUB_TOKEN }}
+
+  - run:
+      name: Build and push multi-arch image
+      command: |
+        set -euo pipefail
+        VERSION="${{ steps.v.outputs.version }}"
+        echo "Building docspringcom/cigen:${VERSION} and :latest"
+        docker buildx build \
+          --platform linux/amd64,linux/arm64 \
+          -f Dockerfile \
+          --build-arg CIGEN_VERSION="${VERSION}" \
+          -t docspringcom/cigen:"${VERSION}" \
+          -t docspringcom/cigen:latest \
+          --push .

.cigen/workflows/release/jobs/release_build.yml

@@ -0,0 +1,70 @@
+# Dynamic runs-on from matrix
+image: ${{ matrix.os }}
+
+strategy:
+  fail-fast: false
+  matrix:
+    include:
+      # macOS builds
+      - os: macos-latest
+        target: x86_64-apple-darwin
+        name: cigen-macos-amd64
+      - os: macos-latest
+        target: aarch64-apple-darwin
+        name: cigen-macos-arm64
+      # Linux builds
+      - os: ubuntu-latest
+        target: x86_64-unknown-linux-gnu
+        name: cigen-linux-amd64
+      - os: ubuntu-latest
+        target: aarch64-unknown-linux-gnu
+        name: cigen-linux-arm64
+        use-cross: true
+
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@v4
+    with:
+      fetch-depth: 0
+      fetch-tags: true
+
+  - name: Wait for required checks
+    uses: actions/github-script@v7
+    with:
+      script: |
+        const script = require('./.github/wait-for-checks.js');
+        await script({ github, context, core });
+
+  - name: Install Rust
+    uses: dtolnay/rust-toolchain@stable
+    with:
+      targets: ${{ matrix.target }}
+
+  - name: Install cross (for cross-compilation)
+    if: matrix.use-cross
+    run: cargo install cross --git https://github.com/cross-rs/cross
+
+  - run:
+      name: Build binary
+      command: |
+        set -e
+        if [ "${{ matrix.use-cross }}" = "true" ]; then
+          cross build --release --target ${{ matrix.target }} --bin cigen
+        else
+          cargo build --release --target ${{ matrix.target }} --bin cigen
+        fi
+
+  - run:
+      name: Create archive
+      command: |
+        set -e
+        cd "target/${{ matrix.target }}/release"
+        tar czf "../../../${{ matrix.name }}.tar.gz" cigen
+        cd ../../../
+        echo "ASSET_PATH=${{ matrix.name }}.tar.gz" >> "$GITHUB_ENV"
+
+  - name: Upload artifact
+    uses: actions/upload-artifact@v4
+    with:
+      name: ${{ matrix.name }}
+      path: ${{ env.ASSET_PATH }}

.cigen/workflows/release/jobs/release_create.yml

@@ -0,0 +1,85 @@
+image: ubuntu-latest
+
+steps:
+  - name: Checkout repository
+    uses: actions/checkout@v4
+    with:
+      fetch-depth: 0
+      fetch-tags: true
+
+  - name: Download artifacts
+    uses: actions/download-artifact@v4
+    with:
+      path: artifacts
+
+  - run:
+      name: Get version from Cargo.toml
+      command: |
+        VERSION=$(grep -E '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
+        {
+          echo "version=$VERSION"
+        } >> "$GITHUB_OUTPUT"
+
+        if [ "${{ github.event_name }}" = "push" ]; then
+          TAG="${GITHUB_REF#refs/tags/}"
+          EXPECTED_TAG="v$VERSION"
+          if [ "$TAG" != "$EXPECTED_TAG" ]; then
+            echo "Error: Tag $TAG doesn't match expected $EXPECTED_TAG from Cargo.toml" >&2
+            exit 1
+          fi
+          {
+            echo "tag=$TAG"
+          } >> "$GITHUB_OUTPUT"
+        else
+          {
+            echo "tag=v$VERSION"
+          } >> "$GITHUB_OUTPUT"
+        fi
+
+  - run:
+      name: Generate checksums
+      command: |
+        set -e
+        cd artifacts
+        for dir in */; do
+          cd "$dir"
+          for file in *; do
+            case "$file" in
+              *.tar.gz|*.zip)
+                if [ -f "$file" ]; then
+                  sha256sum "$file" > "${file}.sha256" || shasum -a 256 "$file" | awk '{print $1}' > "${file}.sha256"
+                fi
+                ;;
+            esac
+          done
+          cd ..
+        done
+        cd ..
+
+  - run:
+      name: Generate changelog
+      command: |
+        cat > changelog.md <<EOF
+        ## Installation
+
+        ### One-liner (Linux/macOS)
+            curl -fsSL https://docspring.github.io/cigen/install.sh | sh
+
+        ### Direct downloads
+        - macOS (Intel): https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/cigen-macos-amd64.tar.gz
+        - macOS (Apple Silicon): https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/cigen-macos-arm64.tar.gz
+        - Linux (x86_64): https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/cigen-linux-amd64.tar.gz
+        - Linux (ARM64): https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.tag }}/cigen-linux-arm64.tar.gz
+        EOF
+
+  - name: Create GitHub Release
+    uses: softprops/action-gh-release@v2
+    with:
+      tag_name: ${{ steps.version.outputs.tag }}
+      name: CIGen v${{ steps.version.outputs.version }}
+      body_path: changelog.md
+      draft: false
+      prerelease: ${{ contains(steps.version.outputs.tag, '-') }}
+      files: |
+        artifacts/**/*.tar.gz
+        artifacts/**/*.sha256