ci: automated release tagging via release-pr workflow (#447)

## Summary

- Adds `.github/workflows/release-pr.yml` — triggered on PRs labeled
`release`; validates the PR title, `CHANGELOG.md` entry, and
`package.json` version on every update; pushes the `cli-vX.Y.Z` tag
automatically on merge to kick off the existing `release.yml` pipeline
- Updates `cli/RELEASE.md` — replaces the manual tag-push step with `gh
pr merge --auto --squash` and documents the new workflow
- Adds `gh pr merge --auto --squash` to the artifacts PR creation step
in `release.yml` so the artifacts PR merges itself

## How it works

1. Open release PR with `--label release` and title `release: CLI
vX.Y.Z`
2. Enable auto-merge: `gh pr merge --auto --squash`
3. `release-pr.yml` validates on every push; on merge it pushes
`cli-vX.Y.Z`, triggering `release.yml` as before
4. `release.yml` creates the artifacts PR and immediately enables
auto-merge on it — no manual step needed

## Notable decisions

- **Shell injection hardened**: PR title is passed via `env:` not inline
template interpolation
- **Bot collaborator access needed**: for the artifacts PR auto-merge to
complete, `caffeine-ci-generic-rw[bot]` must be added as a repo
collaborator so its PRs run CI without the approval gate
- **`release` label prerequisite**: must exist in the repo (Settings →
Labels) before the first release run

## Test plan

- [ ] Open a dummy PR with label `release` and title `release: CLI
vX.Y.Z` — verify `validate` job passes
- [ ] Try invalid title / missing changelog entry — verify `validate`
job fails with a clear error
- [ ] Verify `tag-and-release` is SKIPPED on plain close (not merge)

Author: Kamirus

.github/workflows/release-pr.yml

@@ -0,0 +1,92 @@
+name: release-pr
+
+# Triggered on PRs labeled 'release'. Validates changelog and PR title on every
+# update, then pushes the tag on merge to kick off the release pipeline.
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened, labeled, closed]
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    if: contains(github.event.pull_request.labels.*.name, 'release')
+    outputs:
+      version: ${{ steps.get_version.outputs.version }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Extract version from PR title
+        id: get_version
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          VERSION=$(echo "$PR_TITLE" | sed -nE 's/^release: CLI v([0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?)$/\1/p')
+          if [[ -z "$VERSION" ]]; then
+            echo "::error::Could not extract version from PR title. Title must be: 'release: CLI vX.Y.Z'"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Detected release version: $VERSION"
+
+      - name: Validate changelog entry exists
+        working-directory: cli
+        env:
+          VERSION: ${{ steps.get_version.outputs.version }}
+        run: |
+          ESCAPED=$(echo "$VERSION" | sed 's/\./\\./g')
+          NOTES=$(awk "/^##? ${ESCAPED}$/{found=1; next} found && /^##? [0-9]/{exit} found && /^##? Next/{exit} found" CHANGELOG.md)
+          if [[ -z "$NOTES" ]]; then
+            echo "::error::No changelog entry found for v${VERSION} in cli/CHANGELOG.md"
+            exit 1
+          fi
+          echo "Changelog entry found for v${VERSION}."
+
+      - name: Validate package.json version matches PR title
+        working-directory: cli
+        env:
+          VERSION: ${{ steps.get_version.outputs.version }}
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [[ "$PKG_VERSION" != "$VERSION" ]]; then
+            echo "::error::package.json version ($PKG_VERSION) does not match PR title version ($VERSION)"
+            exit 1
+          fi
+          echo "package.json version matches: $PKG_VERSION"
+
+  tag-and-release:
+    needs: validate
+    runs-on: ubuntu-latest
+    permissions: {} # all privileged operations use the GitHub App token, not GITHUB_TOKEN
+    # action == 'closed' ensures this only fires on the actual merge event,
+    # not when the 'release' label is retroactively added to an already-merged PR.
+    if: github.event.action == 'closed' && github.event.pull_request.merged == true
+    steps:
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
+        id: app-token
+        with:
+          app-id: ${{ vars.GENERIC_CI_RW_APP_ID }}
+          private-key: ${{ secrets.GENERIC_CI_RW_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          # Check out the merge commit so the tag points at the right SHA
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Configure git user
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Push tag to trigger release pipeline
+        env:
+          VERSION: ${{ needs.validate.outputs.version }}
+        run: |
+          git tag "cli-v${VERSION}" -m "CLI v${VERSION}"
+          git push origin "cli-v${VERSION}"

.github/workflows/release.yml

@@ -225,3 +225,4 @@ jobs:
             --title "cli-releases: v${VERSION} artifacts" \
             --body "Release artifacts generated by CI for CLI v${VERSION}." \
             --base main
+          gh pr merge --auto --squash

cli/RELEASE.md

@@ -21,33 +21,36 @@ cd cli
 npm version patch --no-git-tag-version  # or: minor / major
 ```
 
-## 3. Create a release PR
+## 3. Create a release PR and enable auto-merge
 
 ```bash
 git checkout -b <username>/release-X.Y.Z
 git add cli/CHANGELOG.md cli/package.json cli/package-lock.json
 git commit -m "release: CLI vX.Y.Z"
 git push -u origin <username>/release-X.Y.Z
-gh pr create --title "release: CLI vX.Y.Z" --body "..."
+gh pr create \
+  --title "release: CLI vX.Y.Z" \
+  --body "Release CLI vX.Y.Z." \
+  --label release
+gh pr merge --auto --squash
 ```
 
-Wait for CI to pass, then merge.
+The [`release-pr.yml`](../.github/workflows/release-pr.yml) workflow runs on every update and validates:
+- PR title matches `release: CLI vX.Y.Z`
+- `cli/CHANGELOG.md` has an entry for the version
+- `cli/package.json` version matches
 
-## 4. Tag and push
+Once all required checks pass the PR merges automatically. On merge, `release-pr.yml` pushes the `cli-vX.Y.Z` tag, which triggers the [`release.yml`](../.github/workflows/release.yml) workflow — it builds, publishes to npm, creates a GitHub Release, and deploys canisters (`cli.mops.one` and `docs.mops.one`).
 
-```bash
-git checkout main && git pull
-git tag cli-vX.Y.Z
-git push origin cli-vX.Y.Z
-```
-
-This triggers the [`release.yml`](../.github/workflows/release.yml) workflow which builds, publishes to npm, creates a GitHub Release, deploys canisters (`cli.mops.one` and `docs.mops.one`), and opens a PR with on-chain release artifacts.
-
-Monitor at [Actions → Release CLI](https://github.com/caffeinelabs/mops/actions/workflows/release.yml).
+> **Note:** This workflow only deploys the `cli` and `docs` canisters. The `main`, `assets`, `blog`, and `play-frontend` canisters require a manual deploy. If a release includes changes to any of those (e.g. `backend/main/` or `frontend/`), upgrade them manually (staging first, then `ic`):
+>
+> ```bash
+> NODE_ENV=production dfx deploy --no-wallet --identity mops --network <staging|ic> <canister>
+> ```
 
-## 5. Merge artifacts PR
+## 5. Artifacts PR
 
-After the workflow completes, merge the `cli-releases: vX.Y.Z artifacts` PR.
+After the release pipeline completes, it creates and auto-merges a `cli-releases: vX.Y.Z artifacts` PR. No action needed unless it fails — monitor at [Actions → Release CLI](https://github.com/caffeinelabs/mops/actions/workflows/release.yml) and merge the artifacts PR manually if needed.
 
 ## Verify build