chore(release): adopt new release pipeline (App auth + CHANGELOG extract)

[bmadcode]

Summary

• Replace manual-release.yaml with release.yaml modeled on the pattern adopted in bmad-builder (see bmad-builder#79)
• Use BMAD Release Bot GitHub App token for pushes (consistent with bmad-method and bmad-builder)
• Extract GitHub Release body from CHANGELOG.md ## vX.Y.Z section at release time
• Fire Discord notification on successful release

Why

Aligns cis release infrastructure with the new pattern being rolled out across all BMad external modules. No functional or content changes; cis's existing npm test script (lint + lint:md + format:check) is intact and used as the pre-release validation step.

This PR is infrastructure only. No fresh release is triggered by this change. Retroactive v0.2.0 tag (matching the existing CHANGELOG entry at commit 14a63b8) will be pushed separately after this merges.

Test plan

• Merge this PR to main
• Confirm quality CI passes
• Push retroactive v0.2.0 tag at 14a63b8 and create GitHub Release from CHANGELOG
• Next real release (whenever there is new content) uses the new workflow end-to-end

Summary by CodeRabbit

• Chores
  • Streamlined the release workflow to use a single, standardized process with required version bump selection (patch/minor/major).
  • Releases now include automated testing verification and automatic GitHub Release creation with optional Discord notifications.

[coderabbitai]

Walkthrough

The manual release workflow is entirely removed and replaced with a new Release workflow. The new workflow triggers via workflow_dispatch with a required bump input (patch/minor/major), runs tests, bumps the package version, creates git tags, generates GitHub Releases with notes extracted from CHANGELOG.md, and optionally sends Discord notifications.

Changes

Cohort / File(s)	Summary
Release Workflow Replacement \.github/workflows/manual-release\.yaml, \.github/workflows/release\.yaml	Removes manual release workflow supporting alpha/beta/prerelease bumps and installer package updates. Introduces streamlined Release workflow with required bump input, CHANGELOG.md-based release notes extraction, and Discord webhook notification support. Repository and branch conditions enforced on new workflow.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A release workflow hops anew,
With tests and bumps and tags so true,
No manual fuss, just dispatch and go,
Changelog notes steal the show,
Discord whispers of versions bright!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(release): adopt new release pipeline (App auth + CHANGELOG extract)' clearly and specifically describes the main change: replacing the manual release workflow with a new pipeline that uses GitHub App authentication and extracts release notes from CHANGELOG.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch versioning-overhaul

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[augmentcode]

🤖 Augment PR Summary

Summary: This PR replaces the legacy manual release workflow with the standardized BMAD release pipeline.

Changes:

• Deletes .github/workflows/manual-release.yaml (old version-bump + tag + release-notes generator).
• Adds .github/workflows/release.yaml with a single workflow_dispatch entrypoint for patch/minor/major bumps.
• Uses a GitHub App installation token for checkout/push so releases can push back to main consistently.
• Runs npm ci and npm test as the pre-release validation gate.
• Bumps version via npm version and pushes the resulting commit + tag.
• Creates the GitHub Release via gh release create, extracting the release body from the matching ## vX.Y.Z section in CHANGELOG.md.
• On success, posts a Discord notification using the shared .github/scripts/discord-helpers.sh helpers.
• Adds workflow concurrency (group: release) and restricts execution to main in the canonical repo.

Why: Align CIS’s release automation with the newer approach already used across other BMAD external modules.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

In .github/workflows/release.yaml:71, git push origin main --follow-tags may fail to push the version tag created by npm version if it is lightweight, leaving the tag only local. That can make the subsequent gh release create "$TAG" operate on a missing/mismatched remote tag and potentially release the wrong commit.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

In .github/workflows/release.yaml:78, the index($0, "## v" ver) check can match version prefixes (e.g., 1.2.3 would also match a ## v1.2.30 ... heading), which could extract the wrong CHANGELOG section. That would publish incorrect release notes for the tag.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

In .github/workflows/release.yaml:11-14, the dispatch bump options only allow patch|minor|major, whereas the removed workflow (and package.json scripts) previously supported prerelease bumps. Confirm this restriction is intentional so you don’t lose the ability to cut alpha/beta-style releases if you still need them.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 77-80: The awk index(...) check is too loose and can match
prefixes like "v0.2.00"; update the header check to a strict anchored regex
instead of index: build a pattern such as "^## v" ver "([[:space:]]|-|$)" and
replace the index($0, "## v" ver) condition with a regex match ($0 ~ pattern or
match($0, pattern)) so only exact semver headers (followed by space, dash, or
EOL) are accepted; adjust the awk snippet that defines BODY accordingly.
- Around line 59-89: The workflow currently pushes the npm version commit/tag in
the "Push version commit and tag" step before validating CHANGELOG.md, causing
orphan tags if validation fails; move the CHANGELOG extraction/validation (the
awk logic that builds BODY and checks for a v${VERSION} section) into a new step
placed after "Capture new version" (steps: "Capture new version" -> new
"Generate release notes" step that sets an output like notes.body) and before
"Push version commit and tag", fail the workflow there if the notes.body is
empty, then update "Create GitHub Release" to consume steps.notes.outputs.body
(instead of re-running awk) and keep the actual git push in "Push version commit
and tag" so no commit/tag is pushed unless CHANGELOG validation succeeded.
- Around line 95-101: The Discord message string is being escaped by the esc
function causing markdown (bold + link) to be rendered as literal text; update
the MSG construction so the printf template '**[Creative Intelligence Suite %s
released](<%s>)**' is not piped through esc — remove the `| esc` usage when
building MSG (the variable and pipeline that calls esc) and leave the rest of
the pipeline (jq ... | curl ...) intact so TAG and RELEASE_URL are inserted raw
and the message renders with bold and a clickable link; reference the MSG
assignment and the esc helper in discord-helpers.sh when making this change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f35b5b85-2492-4696-81f8-2f225743f387

📥 Commits

Reviewing files that changed from the base of the PR and between 14a63b8 and 41bfca6.

📒 Files selected for processing (2)

• .github/workflows/manual-release.yaml
• .github/workflows/release.yaml

💤 Files with no reviewable changes (1)

• .github/workflows/manual-release.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

CHANGELOG validation runs after the tag is pushed — failure leaves an orphan tag on main.

The npm version commit + tag are pushed to origin main at line 71, but the CHANGELOG section check (lines 77–84) happens afterward. If ## v<version> - DATE is missing from CHANGELOG.md, the workflow exits 1 after the commit/tag are already on the remote, leaving a version bump commit and vX.Y.Z tag with no corresponding GitHub Release. Recovery requires a manual tag/commit revert.

Validate the CHANGELOG entry before mutating state — ideally before npm version, or at minimum before git push.

🛠️ Suggested reordering

Move the CHANGELOG extraction to run after Capture new version and before Push version commit and tag:

       - name: Capture new version
         id: version
         run: |
           VERSION=$(node -p "require('./package.json').version")
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "tag=v${VERSION}" >> $GITHUB_OUTPUT

+      - name: Extract release notes from CHANGELOG
+        id: notes
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          TAG="${{ steps.version.outputs.tag }}"
+          BODY=$(awk -v ver="$VERSION" '
+            /^## v/ { if (found) exit; if (index($0, "## v" ver)) found=1; next }
+            found { print }
+          ' CHANGELOG.md)
+          if [ -z "$BODY" ]; then
+            echo "::error::No CHANGELOG.md entry found for $TAG. Add a '## v${VERSION} - DATE' section before releasing."
+            exit 1
+          fi
+          {
+            echo 'body<<EOF_NOTES'
+            printf '%s\n' "$BODY"
+            echo 'EOF_NOTES'
+          } >> $GITHUB_OUTPUT

       - name: Push version commit and tag
         run: git push origin main --follow-tags

Then consume ${{ steps.notes.outputs.body }} in the Create GitHub Release step.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 59 - 89, The workflow currently
pushes the npm version commit/tag in the "Push version commit and tag" step
before validating CHANGELOG.md, causing orphan tags if validation fails; move
the CHANGELOG extraction/validation (the awk logic that builds BODY and checks
for a v${VERSION} section) into a new step placed after "Capture new version"
(steps: "Capture new version" -> new "Generate release notes" step that sets an
output like notes.body) and before "Push version commit and tag", fail the
workflow there if the notes.body is empty, then update "Create GitHub Release"
to consume steps.notes.outputs.body (instead of re-running awk) and keep the
actual git push in "Push version commit and tag" so no commit/tag is pushed
unless CHANGELOG validation succeeded.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

index() match on the version header is a loose substring match.

index($0, "## v" ver) will match any header whose version starts with ver — e.g., with ver=0.2.0 it would also match ## v0.2.00 - ... or ## v0.2.0-rc1 - .... npm version <bump> produces exact semver so this is unlikely to bite today, but a trivial tighter anchor avoids future surprises:

🛠️ Suggested tighter match

-          BODY=$(awk -v ver="$VERSION" '
-            /^## v/ { if (found) exit; if (index($0, "## v" ver)) found=1; next }
-            found { print }
-          ' CHANGELOG.md)
+          BODY=$(awk -v ver="$VERSION" '
+            /^## v/ { if (found) exit; if ($0 ~ "^## v" ver "([^0-9].*)?$") found=1; next }
+            found { print }
+          ' CHANGELOG.md)

This requires the character after the version to be non-numeric (space, dash, end-of-line), preventing v0.2.0 from matching v0.2.00.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 77 - 80, The awk index(...)
check is too loose and can match prefixes like "v0.2.00"; update the header
check to a strict anchored regex instead of index: build a pattern such as "^##
v" ver "([[:space:]]|-|$)" and replace the index($0, "## v" ver) condition with
a regex match ($0 ~ pattern or match($0, pattern)) so only exact semver headers
(followed by space, dash, or EOL) are accepted; adjust the awk snippet that
defines BODY accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the discord-helpers.sh file
cat -n .github/scripts/discord-helpers.sh | head -30

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 1295

---

🏁 Script executed:

# Also look for bmad-builder reference
grep -r "bmad-builder" . --max-count=5

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 528

---

🏁 Script executed:

# Get full context of the release workflow
sed -n '85,110p' .github/workflows/release.yaml

Repository: bmad-code-org/bmad-module-creative-intelligence-suite

Length of output: 1107

---

Discord message markdown is broken by piping the template through esc.

The esc function (line 14 of .github/scripts/discord-helpers.sh) escapes markdown syntax characters including *, [, ], (, ) to safe Discord display — but it skips content inside <URL> wrappers. The template **[Creative Intelligence Suite %s released](<%s>)** has all its markdown syntax outside the <URL> wrapper. After piping through esc, it becomes \*\*\[Creative Intelligence Suite vX.Y.Z released\](<URL>)\*\*, which Discord renders as plain text with visible backslashes instead of bold and a clickable link.

Since $TAG (semantic version) and $RELEASE_URL (GitHub-generated URL) contain no markdown-significant characters, remove the | esc pipe:

🛠️ Proposed fix

-          MSG=$(printf '🎨 **[Creative Intelligence Suite %s released](<%s>)**' "$TAG" "$RELEASE_URL" | esc)
+          MSG=$(printf '🎨 **[Creative Intelligence Suite %s released](<%s>)**' "$TAG" "$RELEASE_URL")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yaml around lines 95 - 101, The Discord message
string is being escaped by the esc function causing markdown (bold + link) to be
rendered as literal text; update the MSG construction so the printf template
'**[Creative Intelligence Suite %s released](<%s>)**' is not piped through esc —
remove the `| esc` usage when building MSG (the variable and pipeline that calls
esc) and leave the rest of the pipeline (jq ... | curl ...) intact so TAG and
RELEASE_URL are inserted raw and the message renders with bold and a clickable
link; reference the MSG assignment and the esc helper in discord-helpers.sh when
making this change.