ci: add release-please workflow with .vsix packaging

.github/workflows/release.yml

@@ -0,0 +1,58 @@
+name: Release
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch: {}
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+
+jobs:
+  release-please:
+    name: Release Please
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+      pull-requests: write
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89f4291f2343e4d2504e0 # v4.2.0
+        id: release
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
+
+  release:
+    name: Package and Upload
+    needs: [release-please]
+    if: needs.release-please.outputs.release_created == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: write
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+          ref: ${{ needs.release-please.outputs.tag_name }}
+      - uses: ./.github/actions/setup-node
+      - run: npm run check
+      - run: npx @vscode/vsce package --out patchloom.vsix
+      - name: Upload .vsix to GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release upload "${{ needs.release-please.outputs.tag_name }}" patchloom.vsix

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.0.1"
+}

AGENTS.md

@@ -77,7 +77,10 @@ scripts/
     dependabot-auto-merge.yml  Auto-merge minor/patch Dependabot PRs
     post-merge.yml             Trigger CI/security/scorecard on main after auto-merge
     scorecard.yml              OpenSSF Scorecard analysis (weekly + on push)
+    release.yml                Release: release-please + .vsix packaging and upload
     security.yml               Security: npm audit, Trivy fs scan, Gitleaks (weekly + on push/PR)
+release-please-config.json   Release-please configuration (node release type)
+.release-please-manifest.json  Current version tracking for release-please
 ```
 
 ## Architecture conventions

release-please-config.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "packages": {
+    ".": {
+      "release-type": "node",
+      "changelog-path": "CHANGELOG.md",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true
+    }
+  }
+}