chore(release): adopt new release pipeline (App auth + CHANGELOG extract)

[bmadcode]

Summary

• Replace manual-release.yaml with release.yaml modeled on the pattern adopted in bmad-builder
• Use BMAD Release Bot GitHub App token for pushes
• Extract GitHub Release body from CHANGELOG.md ## vX.Y.Z section at release time
• Fire Discord notification on successful release

Why

Aligns gds release infrastructure with the new pattern being rolled out across all BMad external modules. No functional or content changes; gds's existing npm test script (lint + lint:md + format:check) is intact and used as the pre-release validation step.

This PR is infrastructure only. No fresh release is triggered. Retroactive v0.4.0 tag (matching the existing CHANGELOG entry at commit 07ef779) will be pushed separately after this merges, resolving the current package.json/tag drift (package.json at 0.4.0, latest tag v0.3.0).

Test plan

• Merge this PR to main
• Confirm quality CI passes
• Push retroactive v0.4.0 tag at 07ef779 and create GitHub Release from CHANGELOG
• Next real release uses the new workflow end-to-end

[coderabbitai]

Warning

Rate limit exceeded

@bmadcode has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 18 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 58 minutes and 18 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7c1a22c2-27db-4574-b9e4-6be360855904

📥 Commits

Reviewing files that changed from the base of the PR and between 07ef779 and 7e5bae5.

📒 Files selected for processing (2)

• .github/workflows/manual-release.yaml
• .github/workflows/release.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch versioning-overhaul

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the repository’s release automation to a new standardized pipeline using GitHub App authentication and CHANGELOG-driven release notes.

Changes:

• Removed the legacy manual-release.yaml workflow and its bespoke release-notes generation.
• Added a new .github/workflows/release.yaml workflow with a single workflow_dispatch entry point.
• Introduced release concurrency control to prevent overlapping releases.
• Uses actions/create-github-app-token for checkout and pushing the version bump commit + tag.
• Runs npm ci and npm test as the pre-release validation gate.
• Bumps semver via npm version and pushes tags with --follow-tags.
• Creates the GitHub Release by extracting the ## vX.Y.Z section from CHANGELOG.md.
• Sends a best-effort Discord notification on successful release using the shared helper script.

Technical Notes: This PR is workflow/infrastructure-only; the module code and existing validation scripts remain unchanged.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

.github/workflows/release.yaml:21 id-token: write enables OIDC token minting, but this workflow doesn’t appear to use any OIDC-based auth. Keeping it increases the available token surface area unnecessarily.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

.github/workflows/release.yaml:78 The index($0, "## v" ver) match can also match headings like ## v1.2.3-rc.1 when releasing 1.2.3, which could extract the wrong CHANGELOG section. This would make the GitHub Release notes incorrect even though a correct ## v1.2.3 - ... section exists.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

.github/workflows/release.yaml:89 gh release create authenticates with secrets.GITHUB_TOKEN; if the repo/org config makes that token read-only, this step will fail even though a GitHub App token was already generated earlier. That mismatch can make releases flaky depending on repository settings.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}