Supply Chain: Automated release pipeline (npm publish + GitHub Releases) #365

@OneStepAt4time

Description

Problem

There is no release workflow. Publishing to npm and creating GitHub releases is entirely manual, which is error-prone and inconsistent.

Current State

  • No .github/workflows/release.yml exists
  • No automated tag-based release process
  • Manual npm publish required
  • No GitHub Release auto-creation with changelog

Requirements

1. Create .github/workflows/release.yml

Trigger on version tag push:

name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write
  id-token: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npx tsc --noEmit
      - run: npm run build
      - run: npm test

  publish-npm:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm run build
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  github-release:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Extract version from tag
        id: version
        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
      - name: Generate changelog
        id: changelog
        run: |
          # Get the CHANGELOG.md section for this version: from its "## [x.y.z]" heading
          # up to the next "## [" heading, or to end of file if it is the last section
          awk -v ver="${{ steps.version.outputs.VERSION }}" \
            '/^## \[/ { if (found) exit; found = (index($0, "[" ver "]") == 4) } found' \
            CHANGELOG.md > release_notes.md
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          body_path: release_notes.md
          generate_release_notes: false
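The changelog extraction and a tag-versus-package.json guard as a stand-alone script, added here as an example and not code from the issue or the aegis-bridge project. It handles the case where the tagged version is the last section in CHANGELOG.md and compares the version literally rather than as a regular expression; the CHANGELOG.md and package.json contents are constructed, and the function names extract_release_notes, tag_matches_package and write_fixture are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue or the aegis-bridge project.
# extract_release_notes prints the CHANGELOG.md section for one version, also
# when it is the last section in the file, comparing the version literally
# (in a regex "." would match any character). tag_matches_package stops the
# release when the pushed "vX.Y.Z" tag is not the package.json "version".
set -eu

# extract_release_notes VERSION FILE
# Prints the body under "## [VERSION]" up to the next "## [" heading or EOF.
extract_release_notes() {
  awk -v ver="$1" '
    /^## \[/ {
      if (found) exit                     # next section reached: stop
      h = $0; sub(/^## \[/, "", h); sub(/].*$/, "", h)
      if (h == ver) { found = 1; next }   # heading line itself is not printed
    }
    found { print }
  ' "$2"
}

# tag_matches_package TAG PACKAGE_JSON
# Succeeds only if TAG is "v" followed by exactly the package.json version.
tag_matches_package() {
  tag="$1"
  pkg_version=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1)
  [ "$tag" != "${tag#v}" ] && [ "${tag#v}" = "$pkg_version" ]
}

# write_fixture DIR: constructed sample CHANGELOG.md and package.json.
write_fixture() {
  cat > "$1/CHANGELOG.md" <<'EOF'
# Changelog
## [1.2.3] - 2024-05-01
### Fixed
- a fix in the newest release
## [1.2.2] - 2024-04-01
### Changed
- the last section in the file
EOF
  printf '{\n  "name": "example-pkg",\n  "version": "1.2.3"\n}\n' > "$1/package.json"
}

# Usage, mirroring the workflow steps (the fixture stands in for the checkout):
work=$(mktemp -d)
write_fixture "$work"
tag_matches_package v1.2.3 "$work/package.json" || { echo "tag does not match package.json" >&2; exit 1; }
extract_release_notes 1.2.2 "$work/CHANGELOG.md" > "$work/release_notes.md"
```

In the workflow, the tag check belongs in the publish-npm job before `npm publish`, with the tag taken from `GITHUB_REF`.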

2. Required GitHub Secrets

  • NPM_TOKEN — npm access token with publish permissions for aegis-bridge

3. Release Process

After this is set up, the release flow becomes:

# 1. Bump version
npm version patch  # or minor, major

# 2. Push tag
git push --follow-tags

# 3. CI handles the rest:
#    - Runs full test suite
#    - Publishes to npm with provenance
#    - Creates GitHub Release from CHANGELOG.md

4. npm Provenance

Use the --provenance flag on npm publish for supply chain transparency. This links the npm package to the exact CI build and source commit, which npm displays as a "Provenance" badge on the package page.

Acceptance Criteria

  • .github/workflows/release.yml created
  • Workflow triggers on v* tag push
  • Full test suite runs before publishing
  • Publishes to npm with provenance
  • Creates GitHub Release with changelog excerpt
  • NPM_TOKEN secret configured in repo settings
  • README documents the release process
