ci(release) use maintainer app committer #18

Merged

St0rmz1 merged 4 commits into main from ci/maintainer-app-committer on Apr 24, 2026

Conversation

@St0rmz1 (Collaborator) commented Apr 24, 2026

Swaps the publish workflow's git identity to the kilo-maintainer GitHub App via a new setup-git-committer composite action. main's branch ruleset bypass can now be scoped to the dedicated release App instead of granting push-to-main to every workflow in the repo.

Security hardening enabled by the switch:

  • publish.yml permissions drops contents:write → contents:read; GITHUB_TOKEN no longer needs write access since pushes use the App token. Forces loud failure if a future step silently falls back to GITHUB_TOKEN for a write.
  • setup-git-committer now scopes the minted installation token to the current repo only (repositories: ), so it can't be used to push to other repos where the App is installed.

RELEASING.md and AGENTS.md updated to reflect the new flow. Also ignores local release/bootstrap scripts (release.sh, publish-local.sh) that may contain npm classic tokens.
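As an added illustration (not the PR's own action.yml or publish.yml), the composite action and publish job laid out in the description above: the token is minted by the `actions/create-github-app-token` action and restricted to the current repository, and the workflow keeps `GITHUB_TOKEN` read-only. The secret names `RELEASE_APP_ID` / `RELEASE_APP_PRIVATE_KEY` and the `<APP_USER_ID>` placeholder are assumptions, not values from the PR.

```yaml
# .github/actions/setup-git-committer/action.yml  (illustrative, not the PR's file)
name: setup-git-committer
description: Commit and push as the release GitHub App, scoped to this repository
inputs:
  app-id: { required: true }
  private-key: { required: true }
runs:
  using: composite
  steps:
    - id: app-token
      uses: actions/create-github-app-token@v1
      with:
        app-id: ${{ inputs.app-id }}
        private-key: ${{ inputs.private-key }}
        owner: ${{ github.repository_owner }}
        # Restrict the installation token to the current repo: it cannot be
        # used to push to other repositories where the App is installed.
        repositories: ${{ github.event.repository.name }}
    - shell: bash
      env:
        APP_TOKEN: ${{ steps.app-token.outputs.token }}
      run: |
        git config user.name  "kilo-maintainer[bot]"
        # <APP_USER_ID> is a placeholder for the App's bot user id
        git config user.email "<APP_USER_ID>+kilo-maintainer[bot]@users.noreply.github.com"
        # Pushes authenticate with the App token, never with GITHUB_TOKEN
        git remote set-url origin "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
---
# .github/workflows/publish.yml  (illustrative excerpt)
permissions:
  contents: read   # GITHUB_TOKEN is read-only: a step that falls back to it for a write fails loudly
  id-token: write  # npm OIDC trusted publishing
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - uses: ./.github/actions/setup-git-committer
        with:
          app-id: ${{ secrets.RELEASE_APP_ID }}             # assumed secret names
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
      - run: git push origin HEAD:main --follow-tags
```

With the ruleset bypass granted only to the App, a push from any other workflow identity is rejected by the branch rules, which is the check that makes the permission drop above visible rather than silent.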

Comment thread on .github/actions/setup-git-committer/action.yml

kilo-code-bot (Bot) commented Apr 24, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

| Severity   | Count |
|------------|-------|
| CRITICAL   | 0     |
| WARNING    | 1     |
| SUGGESTION | 0     |

Issue Details

No unresolved issues remain on the incremental diff. The previously reported warnings in .github/actions/setup-git-committer/action.yml:38 and .github/workflows/publish.yml:39 are resolved in the latest commit.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File         | Line | Issue |
|--------------|------|-------|
| RELEASING.md | 158  | The recovery section still documents a verify-npm-auth step and NPM_TOKEN failures even though the publish workflow is now OIDC-based and no longer has those paths. |

Files Reviewed (5 files)
  • .github/actions/setup-git-committer/action.yml - 0 issues
  • .github/workflows/publish.yml - 0 issues
  • .gitignore - 0 issues
  • AGENTS.md - 0 issues
  • RELEASING.md - 1 issue

Reviewed by gpt-5.4-2026-03-05 · 401,246 tokens

@St0rmz1 St0rmz1 merged commit 23184be into main Apr 24, 2026
9 checks passed
@St0rmz1 St0rmz1 deleted the ci/maintainer-app-committer branch April 24, 2026 18:11