chore(release): rewrite release workflow with App auth and cosign signing

bmadcode · bmadcode · commit 2633289f30a3 · 2026-04-23T00:28:50.000-05:00
Replaces manual-release.yaml with release.yaml modeled on bmad-method's
publish.yaml. Uses BMAD Release Bot App token for pushes to protected
main, runs full `npm test` validation stack, signs tag SHA with cosign
keyless via GitHub OIDC, and extracts release body from CHANGELOG.md
using keep-a-changelog bracket format.

Drops two broken steps from the old workflow: `npm run validate`
(script does not exist) and `sed tools/installer/package.json` (path
does not exist).

Adds v1.7.0 CHANGELOG entry. First release under the new pipeline.
diff --git a/.github/workflows/manual-release.yaml b/.github/workflows/manual-release.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,130 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: "Version bump type"
+        required: true
+        default: "patch"
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  release:
+    if: github.repository == 'bmad-code-org/bmad-builder' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: "npm"
+
+      - name: Configure git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run validation and tests
+        run: npm test
+
+      - name: Bump version
+        run: npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"
+
+      - name: Capture new version
+        id: version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "tag=v${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Push version commit and tag
+        run: git push origin main --follow-tags
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign tag SHA with cosign (keyless)
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          SHA=$(git rev-parse "${TAG}")
+          printf '%s' "${SHA}" > "${TAG}.sha"
+          cosign sign-blob --yes \
+            --output-signature "${TAG}.sig" \
+            --output-certificate "${TAG}.pem" \
+            "${TAG}.sha"
+
+      - name: Create GitHub Release
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+          BODY=$(awk -v ver="$VERSION" '
+            /^## \[/ { if (found) exit; if (index($0, "## [" ver "]")) found=1; next }
+            found { print }
+          ' CHANGELOG.md)
+          if [ -z "$BODY" ]; then
+            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## [${VERSION}] - YYYY-MM-DD' section before releasing."
+            exit 1
+          fi
+          gh release create "$TAG" \
+            --title "BMad Builder $TAG" \
+            --notes "$BODY" \
+            "${TAG}.sig" \
+            "${TAG}.pem" \
+            "${TAG}.sha"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Notify Discord
+        if: success()
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          source .github/scripts/discord-helpers.sh
+          [ -z "$WEBHOOK" ] && exit 0
+          TAG="${{ steps.version.outputs.tag }}"
+          RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/${TAG}"
+          MSG=$(printf '🛠️ **[BMad Builder %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)
+          jq -n --arg content "$MSG" '{content: $content}' | curl -sf --retry 2 -X POST "$WEBHOOK" -H "Content-Type: application/json" -d @-
+        env:
+          WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
+
+      - name: Summary
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          SHA=$(git rev-parse "${TAG}")
+          {
+            echo "## Released ${TAG}"
+            echo ""
+            echo "- **GitHub Release:** https://github.com/${{ github.repository }}/releases/tag/${TAG}"
+            echo "- **Tag SHA (cosign-signed):** \`${SHA}\`"
+            echo "- **Signature artifacts:** \`${TAG}.sig\`, \`${TAG}.pem\`, \`${TAG}.sha\` attached to the release"
+          } >> $GITHUB_STEP_SUMMARY
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [1.7.0] - 2026-04-23
+
+### 📚 Documentation
+
+* **Customization authoring flow awareness** — `explanation/customization-for-authors.md` and `how-to/make-a-skill-customizable.md` now mention `bmad-customize`, the conversational authoring helper that walks users through scope selection, override writing, and merge verification. Guides authors to pick field names and defaults that read well in that flow, while preserving that hand-writing TOML still works for users who prefer it (#78)
+
 ## [1.6.0] - 2026-04-20
 
 ### 🎁 Features
