Add secure release workflow (#24)

## Summary
Adds a manual GitHub Actions release workflow that bumps all package
versions, commits and tags `vX.Y.Z`, rebuilds the workspace packages,
and publishes npm packages using trusted publishing with provenance.

## Context
The workflow is started with a configurable `patch`, `minor`, or `major`
bump. It validates package versions are aligned, creates the `release:
vX.Y.Z` commit and matching tag, then publishes from the checked-out
tag. Release actions are pinned to commit SHAs, dependency caching is
not configured, and publish authentication relies on GitHub OIDC via
`id-token: write` instead of npm tokens.

## Backward Compatibility
Existing commands, package scripts, package contents, saved artifacts,
daemon behavior, and default CLI output are unchanged. The new workflow
only adds an opt-in manual release path and does not alter CI defaults.
npm trusted publishers must be configured for each package to accept
this repository/workflow before publishing will succeed.

## Risks
The workflow pushes release commits and tags from GitHub Actions, so
branch protection rules must allow the configured `GITHUB_TOKEN` path or
the prepare job will fail. Publishing depends on npm trusted publishing
configuration matching this workflow. The release job intentionally
avoids caches, so installs may be slower but are less exposed to cache
poisoning.

## Manual testing
From the Actions tab, run the `Release` workflow on the release branch
with a `patch`, `minor`, or `major` input. Verify it creates a commit
named `release: vX.Y.Z`, creates tag `vX.Y.Z`, builds all packages, and
publishes `@agent-cdp/protocol`, `@agent-cdp/sdk`, and `agent-cdp` with
provenance and without npm token secrets.

Author: V3RON

.github/workflows/release.yml

@@ -0,0 +1,248 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: Version bump to apply to all packages
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+permissions:
+  contents: read
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+jobs:
+  prepare:
+    name: Prepare release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      version: ${{ steps.bump-version.outputs.version }}
+      commit-sha: ${{ steps.commit-release.outputs.commit-sha }}
+    steps:
+      - name: Verify release branch
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          RELEASE_BRANCH: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          if [ "$RELEASE_BRANCH" != "$DEFAULT_BRANCH" ]; then
+            printf 'Release workflow must run from default branch %s, got %s\n' "$DEFAULT_BRANCH" "$RELEASE_BRANCH" >&2
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+        with:
+          version: 9.15.3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 24
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Bump package versions
+        id: bump-version
+        env:
+          RELEASE_BUMP: ${{ inputs.bump }}
+        run: |
+          set -euo pipefail
+
+          case "$RELEASE_BUMP" in
+            patch|minor|major) ;;
+            *)
+              printf 'Invalid release bump: %s\n' "$RELEASE_BUMP" >&2
+              exit 1
+              ;;
+          esac
+
+          next_version=$(node --input-type=module <<'NODE'
+          import { readFileSync, writeFileSync } from 'node:fs';
+
+          const packagePaths = [
+            'packages/protocol/package.json',
+            'packages/sdk/package.json',
+            'packages/agent-cdp/package.json',
+          ];
+
+          const packages = packagePaths.map((path) => ({
+            path,
+            data: JSON.parse(readFileSync(path, 'utf8')),
+          }));
+
+          const versions = new Set(packages.map((pkg) => pkg.data.version));
+          if (versions.size !== 1) {
+            throw new Error(`Package versions must match before release: ${[...versions].join(', ')}`);
+          }
+
+          const [major, minor, patch] = packages[0].data.version.split('.').map(Number);
+          if (![major, minor, patch].every(Number.isInteger)) {
+            throw new Error(`Invalid package version: ${packages[0].data.version}`);
+          }
+
+          const bump = process.env.RELEASE_BUMP;
+          const next = {
+            major: `${major + 1}.0.0`,
+            minor: `${major}.${minor + 1}.0`,
+            patch: `${major}.${minor}.${patch + 1}`,
+          }[bump];
+
+          for (const pkg of packages) {
+            pkg.data.version = next;
+            writeFileSync(pkg.path, `${JSON.stringify(pkg.data, null, 2)}\n`);
+          }
+
+          console.log(next);
+          NODE
+          )
+
+          git fetch --tags --force
+          if git rev-parse --quiet --verify "refs/tags/v${next_version}" >/dev/null; then
+            printf 'Tag v%s already exists\n' "$next_version" >&2
+            exit 1
+          fi
+
+          printf 'version=%s\n' "$next_version" >>"$GITHUB_OUTPUT"
+
+      - name: Build all packages
+        run: pnpm run build
+
+      - name: Commit and tag release
+        id: commit-release
+        env:
+          RELEASE_VERSION: ${{ steps.bump-version.outputs.version }}
+          RELEASE_BRANCH: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git add packages/*/package.json
+          git commit -m "release: v${RELEASE_VERSION}"
+          git tag "v${RELEASE_VERSION}"
+          printf 'commit-sha=%s\n' "$(git rev-parse HEAD)" >>"$GITHUB_OUTPUT"
+          git push origin "HEAD:${RELEASE_BRANCH}"
+          git push origin "v${RELEASE_VERSION}"
+
+  publish:
+    name: Publish packages
+    runs-on: ubuntu-latest
+    needs: prepare
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout release commit
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ needs.prepare.outputs.commit-sha }}
+          persist-credentials: false
+
+      - name: Verify release tag
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_VERSION: ${{ needs.prepare.outputs.version }}
+          RELEASE_COMMIT_SHA: ${{ needs.prepare.outputs.commit-sha }}
+        run: |
+          set -euo pipefail
+
+          tag_commit_sha=$(gh api "repos/${GITHUB_REPOSITORY}/git/ref/tags/v${RELEASE_VERSION}" --jq '.object.sha')
+          if [ "$tag_commit_sha" != "$RELEASE_COMMIT_SHA" ]; then
+            printf 'Release tag v%s points to %s, expected %s\n' "$RELEASE_VERSION" "$tag_commit_sha" "$RELEASE_COMMIT_SHA" >&2
+            exit 1
+          fi
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+        with:
+          version: 9.15.3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm run build
+
+      - name: Pack packages
+        env:
+          RELEASE_VERSION: ${{ needs.prepare.outputs.version }}
+        run: |
+          set -euo pipefail
+
+          mkdir -p "$RUNNER_TEMP/packs"
+          pnpm --dir packages/protocol pack --pack-destination "$RUNNER_TEMP/packs"
+          pnpm --dir packages/sdk pack --pack-destination "$RUNNER_TEMP/packs"
+          pnpm --dir packages/agent-cdp pack --pack-destination "$RUNNER_TEMP/packs"
+
+          test -f "$RUNNER_TEMP/packs/agent-cdp-protocol-${RELEASE_VERSION}.tgz"
+          test -f "$RUNNER_TEMP/packs/agent-cdp-sdk-${RELEASE_VERSION}.tgz"
+          test -f "$RUNNER_TEMP/packs/agent-cdp-${RELEASE_VERSION}.tgz"
+
+      - name: Publish packages with provenance
+        env:
+          RELEASE_VERSION: ${{ needs.prepare.outputs.version }}
+        run: |
+          set -euo pipefail
+
+          npm publish "$RUNNER_TEMP/packs/agent-cdp-protocol-${RELEASE_VERSION}.tgz" --provenance --access public
+          npm publish "$RUNNER_TEMP/packs/agent-cdp-sdk-${RELEASE_VERSION}.tgz" --provenance --access public
+          npm publish "$RUNNER_TEMP/packs/agent-cdp-${RELEASE_VERSION}.tgz" --provenance --access public
+
+  github-release:
+    name: Create GitHub release
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+      - publish
+    permissions:
+      contents: write
+    steps:
+      - name: Verify release tag
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_VERSION: ${{ needs.prepare.outputs.version }}
+          RELEASE_COMMIT_SHA: ${{ needs.prepare.outputs.commit-sha }}
+        run: |
+          set -euo pipefail
+
+          tag_commit_sha=$(gh api "repos/${GITHUB_REPOSITORY}/git/ref/tags/v${RELEASE_VERSION}" --jq '.object.sha')
+          if [ "$tag_commit_sha" != "$RELEASE_COMMIT_SHA" ]; then
+            printf 'Release tag v%s points to %s, expected %s\n' "$RELEASE_VERSION" "$tag_commit_sha" "$RELEASE_COMMIT_SHA" >&2
+            exit 1
+          fi
+
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_VERSION: ${{ needs.prepare.outputs.version }}
+        run: |
+          set -euo pipefail
+
+          gh release create "v${RELEASE_VERSION}" \
+            --title "v${RELEASE_VERSION}" \
+            --generate-notes \
+            --verify-tag