fix: simplify release to workflow_dispatch (no bot commits) (#48)

* fix: simplify release to workflow_dispatch (no bot commits needed)

Replace the two-workflow PR-based release flow with a single
workflow_dispatch trigger, matching the socket-cli pattern.

Changes:
- Remove release-prep.yml (automated version bump + PR creation)
- Make release.yml a manual workflow_dispatch that reads the version
  from Cargo.toml, tags, builds, and publishes
- Add dry-run option to build without publishing
- Use NPM_TOKEN secret for npm publish (fixes ENEEDAUTH on new packages)
- Add registry-url to setup-node for proper auth

Release flow after this change:
1. Bump version in a PR: run scripts/version-sync.sh, commit, merge
2. Click "Run workflow" on Release
3. Done - tags, builds, and publishes automatically

This avoids the signed commit requirement that blocked github-actions[bot]
from pushing to protected branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove NPM_TOKEN, use OIDC trusted publishing like socket-cli

The original ENEEDAUTH failure was caused by missing registry-url in
setup-node, not missing NPM_TOKEN. With registry-url set, OIDC
trusted publishing works for both existing and new packages.

Also fixes zizmor secrets-outside-env warnings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: restore NPM_TOKEN with environment for new package publishing

OIDC trusted publishing doesn't work for brand new packages that
don't exist on the npm registry yet. The new -gnu/-musl packages
need NPM_TOKEN for their first publish.

Added `environment: npm-publish` to satisfy zizmor's
secrets-outside-env audit. The environment needs to be created
in the repo settings with the NPM_TOKEN secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use pure OIDC trusted publishing, matching socket-cli/socket-mcp

Remove NPM_TOKEN and environment — use the same OIDC pattern as
socket-cli and socket-mcp. The registry-url in setup-node enables
the OIDC token exchange.

Note: new packages that don't exist on npm yet must be pre-created
manually before the first publish.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Wenxin-Jiang

.github/workflows/release-prep.yml

@@ -1,55 +1,60 @@
 name: Release
 
 on:
-  pull_request:
-    types: [closed]
-    branches: [main]
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: 'Dry run (build only, skip publish)'
+        type: boolean
+        default: false
 
 permissions: {}
 
 jobs:
-  check-release:
-    if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/v')
+  version:
     runs-on: ubuntu-latest
     outputs:
-      version: ${{ steps.extract.outputs.VERSION }}
+      version: ${{ steps.read.outputs.VERSION }}
     steps:
-      - name: Extract version from branch name
-        id: extract
-        env:
-          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Read version from Cargo.toml
+        id: read
         run: |
-          VERSION="${HEAD_REF#release/v}"
+          VERSION=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
           echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Detected release version: $VERSION"
+          echo "Release version: $VERSION"
+
+      - name: Check tag does not exist
+        run: |
+          VERSION="${{ steps.read.outputs.VERSION }}"
+          if git rev-parse "v${VERSION}" >/dev/null 2>&1; then
+            echo "::error::Tag v${VERSION} already exists. Bump the version in a PR first."
+            exit 1
+          fi
 
   tag:
-    needs: check-release
+    needs: version
+    if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
       - name: Create and push tag
         run: |
-          VERSION="${{ needs.check-release.outputs.version }}"
-          TAG="v${VERSION}"
-          if git rev-parse "$TAG" >/dev/null 2>&1; then
-            echo "::error::Tag $TAG already exists."
-            exit 1
-          fi
+          TAG="v${{ needs.version.outputs.version }}"
           git tag "$TAG"
           git push origin "$TAG"
 
   build:
-    needs: [check-release, tag]
+    needs: [version, tag]
+    if: ${{ always() && needs.version.result == 'success' && (needs.tag.result == 'success' || needs.tag.result == 'skipped') }}
     strategy:
       matrix:
         include:
@@ -116,7 +121,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: v${{ needs.check-release.outputs.version }}
           persist-credentials: false
 
       - name: Install Rust
@@ -165,7 +169,8 @@ jobs:
           path: socket-patch-${{ matrix.target }}.zip
 
   github-release:
-    needs: [check-release, build]
+    needs: [version, build]
+    if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -180,14 +185,15 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          TAG="v${{ needs.check-release.outputs.version }}"
+          TAG="v${{ needs.version.outputs.version }}"
           gh release create "$TAG" \
             --repo "$GITHUB_REPOSITORY" \
             --generate-notes \
             artifacts/*
 
   cargo-publish:
-    needs: [check-release, build]
+    needs: [version, build]
+    if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -196,7 +202,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: v${{ needs.check-release.outputs.version }}
           persist-credentials: false
 
       - name: Install Rust
@@ -225,7 +230,8 @@ jobs:
           CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
 
   npm-publish:
-    needs: [check-release, build]
+    needs: [version, build]
+    if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -234,7 +240,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: v${{ needs.check-release.outputs.version }}
           persist-credentials: false
 
       - name: Configure git for HTTPS
@@ -250,6 +255,7 @@ jobs:
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Update npm for trusted publishing
         run: npm install -g npm@latest
@@ -301,7 +307,8 @@ jobs:
         run: npm publish ./npm/socket-patch --provenance --access public
 
   pypi-publish:
-    needs: [check-release, build]
+    needs: [version, build]
+    if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -310,7 +317,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: v${{ needs.check-release.outputs.version }}
           persist-credentials: false
 
       - name: Download all artifacts
@@ -329,7 +335,7 @@ jobs:
 
       - name: Build platform wheels
         run: |
-          VERSION="${{ needs.check-release.outputs.version }}"
+          VERSION="${{ needs.version.outputs.version }}"
           python scripts/build-pypi-wheels.py --version "$VERSION" --artifacts artifacts --dist dist
 
       - name: Publish to PyPI