ci: keep npm publish and GitHub releases coupled, self-heal release gaps

GitHub releases are created only by the changesets/action step, and that step
has not completed cleanly on any release-triggering run since mid-June (last
release: @tanstack/ai-react@0.15.5 on 2026-06-15; npm is now at 0.15.12).

The "Version Packages" merge runs (#773, #778, #787, #792, #808, #813) passed
the test gate and then FAILED at the "Run Changesets" step: CI ran
`changeset publish` and npm advanced, but the step died before the tag-push /
GitHub-release phase, so no tags (0.15.6-0.15.12 don't exist) and no releases
were created. More recent runs (#814, #825) now fail even earlier, at the test
gate (test:kiira), so the changesets step is never reached. Either way npm and
GitHub drift apart. (The exact in-step error is no longer recoverable - those
runs' logs have expired.)

Changes:
- Split into a `test` gate job and a `release` job (needs: test) so a flaky run
  blocks BOTH npm and GitHub releases together, never one without the other.
- Add a self-heal step that enforces "published to npm => GitHub release exists":
  for any package version on npm without a release it creates the tag + release
  from the CHANGELOG. Runs even when the changesets step fails mid-way, so gaps
  self-heal on the next release run - directly covering the failure mode above.
- Set GITHUB_TOKEN explicitly on the changesets step and tighten permissions
  (top-level contents:read; write scoped to the release job).

Author: AlemTuzlak

.github/workflows/release.yml

@@ -12,25 +12,41 @@ env:
   NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 
 permissions:
-  contents: write
-  id-token: write
-  pull-requests: write
+  contents: read
 
 jobs:
-  release:
-    name: Release
+  test:
+    name: Test
     if: github.repository_owner == 'TanStack'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-          persist-credentials: true # release job pushes version/docs changes
+          persist-credentials: false
       - name: Setup Tools
         uses: TanStack/config/.github/setup@190f659075ff0845850e330883eb26d7ffd0671f # main
       - name: Run Tests
         run: pnpm run test:ci
+
+  release:
+    name: Release
+    needs: test
+    if: github.repository_owner == 'TanStack'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+      - name: Setup Tools
+        uses: TanStack/config/.github/setup@190f659075ff0845850e330883eb26d7ffd0671f # main
       - name: Run Changesets (version or publish)
         id: changesets
         uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
@@ -39,6 +55,42 @@ jobs:
           publish: pnpm run changeset:publish
           commit: 'ci: Version Packages'
           title: 'ci: Version Packages'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Ensure GitHub releases for published versions
+        if: ${{ !cancelled() && (steps.changesets.outputs.published == 'true' || steps.changesets.outcome == 'failure') }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          for pkg in packages/*/package.json; do
+            [ "$(jq -r '.private // false' "$pkg")" = "true" ] && continue
+            name=$(jq -r '.name' "$pkg")
+            version=$(jq -r '.version' "$pkg")
+            tag="${name}@${version}"
+
+            if gh release view "$tag" >/dev/null 2>&1; then
+              continue
+            fi
+            if ! npm view "${name}@${version}" version >/dev/null 2>&1; then
+              continue
+            fi
+
+            echo "Backfilling GitHub release for $tag"
+            if ! git rev-parse -q --verify "refs/tags/${tag}" >/dev/null; then
+              git tag "$tag" "$GITHUB_SHA"
+              git push origin "refs/tags/${tag}"
+            fi
+
+            notes=$(mktemp)
+            changelog="$(dirname "$pkg")/CHANGELOG.md"
+            if [ -f "$changelog" ]; then
+              awk '/^## /{n++} n==1{print} n==2{exit}' "$changelog" > "$notes" || true
+            fi
+            [ -s "$notes" ] || echo "Release ${tag}" > "$notes"
+            gh release create "$tag" --title "$tag" --notes-file "$notes"
+            rm -f "$notes"
+          done
       - name: Generate Docs
         if: steps.changesets.outputs.published == 'true'
         run: pnpm generate-docs