feat(ci): tag-triggered npm release workflow

Adds .github/workflows/release.yml: pushes of `v*` tags build, test,
smoke-test, then `npm publish --provenance` via OIDC + Trusted
Publishers (no NPM_TOKEN). Dist-tag auto-derives from the version
suffix (alpha/beta/next/latest); a GitHub Release is opened with
notes extracted from CHANGELOG.md. README gains a "Releasing"
section documenting the flow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ynamite

.github/workflows/release.yml

@@ -0,0 +1,95 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v3
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Verify tag matches package.json
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::Tag $GITHUB_REF_NAME does not match package.json version $PKG_VERSION"
+            exit 1
+          fi
+
+      - name: Determine dist-tag
+        id: disttag
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          case "$VERSION" in
+            *-alpha*) TAG=alpha ;;
+            *-beta*)  TAG=beta ;;
+            *-rc*)    TAG=next ;;
+            *)        TAG=latest ;;
+          esac
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          if [ "$TAG" = "latest" ]; then
+            echo "prerelease=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "prerelease=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build
+        run: pnpm build
+
+      - name: Unit tests
+        run: pnpm test
+
+      - name: Dry-run smoke tests
+        run: bash scripts/test-run.sh
+
+      - name: Publish to npm
+        run: npm publish --provenance --access public --tag ${{ steps.disttag.outputs.tag }}
+
+      - name: Extract release notes from CHANGELOG
+        id: notes
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          awk -v ver="$VERSION" '
+            $0 ~ "^## \\[" ver "\\]" { capture=1; next }
+            capture && /^## \[/ { exit }
+            capture { print }
+          ' CHANGELOG.md > /tmp/notes.md
+          {
+            echo 'body<<NOTES_EOF'
+            cat /tmp/notes.md
+            echo 'NOTES_EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ${{ github.ref_name }}
+          body: ${{ steps.notes.outputs.body }}
+          prerelease: ${{ steps.disttag.outputs.prerelease }}

CLAUDE.md

@@ -53,6 +53,8 @@ pnpm test             # vitest
 
 Published usage: `npx create-viterex [project-name] [--flags]`
 
+Releases are tag-triggered: push a `v*` tag and `.github/workflows/release.yml` builds, tests, publishes to npm with provenance (via Trusted Publishers / OIDC — no `NPM_TOKEN`), and opens a GitHub Release. Pre-release versions (`-alpha.N` / `-beta.N` / `-rc.N`) auto-publish under the matching dist-tag; stable goes to `latest`. See the README "Releasing" section.
+
 ## CLI flags
 
 - `--skip-db` — skip database creation
@@ -80,7 +82,7 @@ Shipped work has moved to `CHANGELOG.md`. Remaining open items are grouped by th
 
 ### Product / roadmap
 
-- [ ] Publish to npm as `create-viterex`
+- [x] Publish to npm as `create-viterex`
 - [x] Publish `viterex_addon` to the Redaxo installer (separate repo)
 - [x] Swap `install-submodule-addons.ts` for a Redaxo-installer install once `viterex_addon` is published — it's the shared frontend logic and should be installed by default
 - [x] Ship default `templates/base/package.json.tpl` with Vite + Tailwind deps and scripts (token replacement for project name) – Update: ships with `viterex_addon` stubs instead.

README.md

@@ -324,6 +324,27 @@ node dist/index.js    # run locally
 ./scripts/test-run.sh # smoke tests (--dry-run scenarios)
 ```
 
+## Releasing
+
+Releases publish to npm via the `Release` GitHub Action (`.github/workflows/release.yml`), which fires on every `v*` tag. To cut a release:
+
+1. Move items from `## [Unreleased]` in `CHANGELOG.md` into a new dated section: `## [X.Y.Z] - YYYY-MM-DD`.
+2. Bump the version and create the tag:
+   ```bash
+   pnpm version patch                       # 3.0.1
+   pnpm version minor                       # 3.1.0
+   pnpm version major                       # 4.0.0
+   pnpm version prerelease --preid=alpha    # 3.0.0-alpha.2
+   ```
+3. Push commits and tags:
+   ```bash
+   git push --follow-tags
+   ```
+
+The workflow verifies the tag matches `package.json`, builds, runs tests + smoke tests, publishes to npm with [provenance](https://docs.npmjs.com/generating-provenance-statements), and opens a GitHub Release. Pre-release versions (`-alpha.N`, `-beta.N`, `-rc.N`) publish under the `alpha` / `beta` / `next` dist-tags; stable versions go to `latest`.
+
+Auth is handled via npm [Trusted Publishers](https://docs.npmjs.com/trusted-publishers) — no `NPM_TOKEN` secret required. One-time setup on npmjs.com: package page → Settings → Publishing access → "Add trusted publisher" → GitHub Actions, repository `ynamite/create-viterex`, workflow `release.yml`.
+
 ## License
 
 MIT