feat: Set up Craft-based release workflow for npm and GitHub Releases (#28)

## Summary

Sets up a complete release pipeline using Craft for publishing to npm
and GitHub Releases. Flattens the monorepo structure (moves
`packages/cli/*` to root) and consolidates CI workflows into a single
`ci.yml` with lint, test, and multi-platform builds.

**npm package**: Single-file ESM bundle (~165KB) that works standalone
without dependencies. Replaced `fast-glob` with `tinyglobby` for ESM
compatibility and fixed the bundle to inline all npm packages
(`external: ["node:*"]`). **GitHub Releases**: Native Bun-compiled
binaries for darwin-arm64, darwin-x64, linux-arm64, linux-x64, and
windows-x64. Cross-compilation enabled for platforms without available
CI runners.

**CI improvements**: Consolidated test workflows (removed duplicate
`test.yml`), added coverage reporting, proper `node_modules` caching,
and cross-compilation support via `--target` flag for unavailable
runners (macOS-13 retired, ARM runners not available for private repos).

Author: BYK

.craft.yml

@@ -0,0 +1,15 @@
+minVersion: '2.14.0'
+changelog:
+  policy: auto
+preReleaseCommand: npm --no-git-tag-version version ${CRAFT_NEW_VERSION}
+postReleaseCommand: >-
+  npm --no-git-tag-version version preminor --preid=dev &&
+  git diff --quiet || (git commit -anm "meta: Bump new development version
+
+  #skip-changelog" && git pull --rebase && git push)
+requireNames:
+  - /^sentry-.+$/
+  - /^sentry-.*\.tgz$/
+targets:
+  - name: npm
+  - name: github

.github/workflows/changelog-preview.yml

@@ -0,0 +1,13 @@
+name: Changelog Preview
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, edited, labeled, unlabeled]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  changelog-preview:
+    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
+    secrets: inherit

.github/workflows/ci.yml

@@ -1,40 +1,168 @@
 name: CI
 
 on:
+  push:
+    branches: [main, release/**]
+    paths:
+      - 'src/**'
+      - 'test/**'
+      - 'script/**'
+      - 'package.json'
+      - 'bun.lock'
+      - '.github/workflows/ci.yml'
   pull_request:
     paths:
-      - 'packages/cli/**'
+      - 'src/**'
+      - 'test/**'
+      - 'script/**'
+      - 'package.json'
+      - 'bun.lock'
       - '.github/workflows/ci.yml'
+  workflow_call:
 
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
-defaults:
-  run:
-    working-directory: packages/cli
-
 jobs:
-  build:
-    name: Build
+  lint:
+    name: Lint & Typecheck
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/cache@v4
+        id: cache
         with:
-          bun-version: latest
+          path: node_modules
+          key: node-modules-${{ hashFiles('bun.lock') }}
+      - if: steps.cache.outputs.cache-hit != 'true'
+        run: bun install --frozen-lockfile
+      - run: bun run lint
+      - run: bun run typecheck
 
-      - name: Install dependencies
-        run: bun install
-
-      - name: Build (current platform only)
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/cache@v4
+        id: cache
+        with:
+          path: node_modules
+          key: node-modules-${{ hashFiles('bun.lock') }}
+      - if: steps.cache.outputs.cache-hit != 'true'
+        run: bun install --frozen-lockfile
+      - name: Test
         env:
-          SENTRY_CLIENT_ID: ${{ secrets.SENTRY_CLIENT_ID }}
-        run: bun run build
+          SENTRY_TEST_AUTH_TOKEN: ${{ secrets.SENTRY_TEST_AUTH_TOKEN }}
+          SENTRY_TEST_ORG: ${{ secrets.SENTRY_TEST_ORG }}
+          SENTRY_TEST_PROJECT: ${{ secrets.SENTRY_TEST_PROJECT }}
+        run: bun test --coverage --coverage-reporter=lcov
+      - name: Upload Coverage
+        uses: getsentry/codecov-action@main
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          post-pr-comment: true
 
+  build-binary:
+    name: Build Binary (${{ matrix.target }})
+    needs: [lint, test]
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # Native builds (can run smoke test)
+          - target: darwin-arm64
+            os: macos-latest
+            can-test: true
+          - target: linux-x64
+            os: ubuntu-latest
+            can-test: true
+          - target: windows-x64
+            os: windows-latest
+            can-test: true
+          # Cross-compiled builds (cannot run smoke test)
+          - target: darwin-x64
+            os: macos-latest
+            can-test: false
+          - target: linux-arm64
+            os: ubuntu-latest
+            can-test: false
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/cache@v4
+        id: cache
+        with:
+          path: node_modules
+          key: node-modules-${{ matrix.os }}-${{ hashFiles('bun.lock') }}
+      - if: steps.cache.outputs.cache-hit != 'true'
+        run: bun install --frozen-lockfile
+      - name: Build
+        env:
+          SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID }}
+        run: bun run build --target ${{ matrix.target }}
       - name: Smoke test
+        if: matrix.can-test
+        shell: bash
         run: |
-          ./dist/sentry-linux-x64/bin/sentry --help
-          echo "Build successful!"
+          if [[ "${{ matrix.target }}" == "windows-x64" ]]; then
+            ./dist/sentry-windows-x64/bin/sentry.exe --help
+          else
+            ./dist/sentry-${{ matrix.target }}/bin/sentry --help
+          fi
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sentry-${{ matrix.target }}
+          path: dist/sentry-*/bin/sentry*
+
+  build-npm:
+    name: Build npm Package
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      - uses: actions/cache@v4
+        id: cache
+        with:
+          path: node_modules
+          key: node-modules-${{ hashFiles('bun.lock') }}
+      - if: steps.cache.outputs.cache-hit != 'true'
+        run: bun install --frozen-lockfile
+      - name: Bundle
+        env:
+          SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID }}
+        run: bun run bundle
+      - name: Smoke test (Node.js)
+        run: node dist/bin.mjs --help
+      - run: npm pack
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-package
+          path: '*.tgz'
+
+  merge-artifacts:
+    name: Merge Artifacts
+    needs: [build-binary, build-npm]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v4
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.sha }}
+          path: |
+            sentry-*/
+            npm-package/*.tgz

.github/workflows/publish.yml

@@ -0,0 +1,29 @@
+name: Release
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version to release (semver, bump type, or "auto")
+        required: true
+        default: 'auto'
+      force:
+        description: Force release even with blockers
+        required: false
+
+jobs:
+  ci:
+    uses: ./.github/workflows/ci.yml
+    permissions:
+      contents: read
+    secrets: inherit
+
+  release:
+    needs: [ci]
+    uses: getsentry/craft/.github/workflows/release.yml@v2
+    with:
+      version: ${{ inputs.version }}
+      force: ${{ inputs.force }}
+      publish_repo: getsentry/publish
+    secrets: inherit
+    permissions:
+      contents: write