ci: gh CLI automation doc, release script, cargo-deny advisories

- docs/gh-automation.md: gh cheat sheet (issues, PRs, workflow run, release)
- scripts/gh-release.sh: trigger Prepare release from CLI (e.g. ./scripts/gh-release.sh 0.5.28)
- deny.toml + CI job: cargo-deny check advisories (complements cargo-audit)
- release-process.md + README: link gh-automation and gh-release.sh

Made-with: Cursor

Author: haasonsaas

.github/workflows/ci.yml

@@ -50,6 +50,18 @@ jobs:
       - name: Audit dependencies
         run: cargo audit
 
+  cargo-deny:
+    name: cargo-deny (advisories)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: dtolnay/rust-toolchain@1.88.0
+      - uses: Swatinem/rust-cache@v2
+      - name: Install cargo-deny
+        run: cargo install cargo-deny --locked
+      - name: Check advisories
+        run: cargo deny check advisories
+
   test:
     runs-on: ${{ matrix.os }}
     strategy:

README.md

@@ -1002,7 +1002,7 @@ The summary includes:
 
 Contributions are welcome! Please open an issue first to discuss what you would like to change. Enhancement backlog and triage: see [docs/ROADMAP.md](docs/ROADMAP.md) and `gh issue list --label "priority: high"`.
 
-**PR workflow:** Open a PR → ensure CI is green (version, lint, security, test, mutation, review) → merge when ready. Use a short test plan in the PR description. Small, focused PRs are preferred. Use the PR template (Summary, Test plan, **Closes #N**). **Release process:** [docs/release-process.md](docs/release-process.md) (version bump, RELEASE_NOTES, Prepare release workflow).
+**PR workflow:** Open a PR → ensure CI is green (version, lint, security, test, mutation, review) → merge when ready. Use a short test plan in the PR description. Small, focused PRs are preferred. Use the PR template (Summary, Test plan, **Closes #N**). **Release process:** [docs/release-process.md](docs/release-process.md) (version bump, RELEASE_NOTES, Prepare release workflow). **gh CLI:** [docs/gh-automation.md](docs/gh-automation.md) (issues, PRs, workflow run, release from terminal).
 
 ### Local Development Checks
 

deny.toml

@@ -0,0 +1,7 @@
+# cargo-deny: https://embarkstudios.github.io/cargo-deny/
+# CI runs: cargo deny check advisories (licenses optional; expand allow list to enable).
+
+[advisories]
+version = 2
+unmaintained = "workspace"
+yanked = "warn"

docs/gh-automation.md

@@ -0,0 +1,96 @@
+# GitHub CLI (gh) automation
+
+Use `gh` from the terminal for issues, PRs, releases, and CI. See also [ROADMAP.md](ROADMAP.md) (issue labels, filters) and [release-process.md](release-process.md) (release steps).
+
+## Prerequisites
+
+- Install: <https://cli.github.com/>
+- Auth: `gh auth login`
+
+## Issues
+
+```bash
+# List (default: open, 30)
+gh issue list
+
+# By label
+gh issue list --label "priority: high"
+gh issue list --label "area: review-pipeline"
+
+# Search
+gh issue list --search "verification OR RAG"
+gh issue list --search "no:assignee sort:created-asc"
+
+# View / edit
+gh issue view 32
+gh issue edit 32 --add-label "priority: medium"
+gh issue edit 32 --remove-label "help wanted"
+gh issue close 32 --comment "Fixed in #44"
+```
+
+## Pull requests
+
+```bash
+# List
+gh pr list
+gh pr list --state merged --limit 10
+
+# Create (uses PR template)
+gh pr create --base main --title "feat: something" --body "Summary here. Closes #28"
+
+# Status and merge
+gh pr view 46
+gh pr checks 46              # CI status
+gh pr checks 46 --watch      # Watch until done
+gh pr merge 46 --squash
+gh pr merge 46 --merge
+```
+
+## Releases and workflows
+
+```bash
+# Trigger Prepare release (creates tag, runs Release workflow)
+gh workflow run "Prepare release" -f version=0.5.28
+
+# List workflow runs
+gh run list
+gh run list --workflow "Release"
+
+# Watch latest run
+gh run watch
+
+# View run details and logs
+gh run view
+gh run view 12345 --log
+```
+
+## One-line release from terminal
+
+After version and RELEASE_NOTES are merged to main:
+
+```bash
+./scripts/gh-release.sh 0.5.28
+# or
+gh workflow run "Prepare release" -f version=0.5.28
+```
+
+## CI and runs
+
+```bash
+# Download artifacts from latest run
+gh run download
+
+# Re-run failed jobs
+gh run rerun <run-id> --failed
+```
+
+## Quick reference
+
+| Task              | Command |
+|-------------------|--------|
+| Open issues by label | `gh issue list -l "priority: high"` |
+| Create PR         | `gh pr create -B main -t "title" -b "body"` |
+| Merge PR           | `gh pr merge <number> --squash` |
+| Close issue with comment | `gh issue close <number> --comment "Done in #44"` |
+| Run Prepare release | `gh workflow run "Prepare release" -f version=0.5.28` |
+| Watch CI           | `gh pr checks <number> --watch` |

docs/release-process.md

@@ -42,7 +42,7 @@ This doc and GitHub Actions make releases repeatable with minimal manual steps.
 | Step | Automation |
 |------|------------|
 | Version sync (CI) | `check_version_sync.py` fails if `Cargo.toml` is behind latest tag. |
-| Tag and trigger release | **Prepare release** workflow (manual run with version input). |
+| Tag and trigger release | **Prepare release** workflow (manual run with version input). From CLI: `./scripts/gh-release.sh 0.5.28` or `gh workflow run "Prepare release" -f version=0.5.28`. See [gh-automation.md](gh-automation.md). |
 | Release body | **Release** workflow reads `RELEASE_NOTES.md` for the tagged version. |
 | Binaries + Docker | **Release** workflow builds and uploads. |
 | Issue close | Add “Closes #N” in PR body. |

scripts/gh-release.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Trigger the "Prepare release" workflow from the CLI.
+# Usage: ./scripts/gh-release.sh 0.5.28
+# Prerequisites: Cargo.toml and charts/diffscope/Chart.yaml must already be at this version on main.
+
+set -euo pipefail
+
+VERSION="${1:-}"
+if [ -z "$VERSION" ]; then
+  echo "Usage: $0 <version>" >&2
+  echo "Example: $0 0.5.28" >&2
+  exit 1
+fi
+
+# Strip leading 'v' if present
+VERSION="${VERSION#v}"
+
+echo "Triggering Prepare release for v$VERSION..."
+gh workflow run "Prepare release" -f version="$VERSION"
+echo "Run 'gh run watch' to follow the run."