Pin cagent version#55

Merged: derekmisler merged 1 commit into docker:main from derekmisler:make-review-pr-use-same-cagent-as-root-action on Feb 26, 2026

Conversation

@derekmisler (Contributor) commented Feb 25, 2026

Summary

Replace the tag-triggered release workflow with a workflow_dispatch release that computes the version, pins internal @latest refs to the release tag, and publishes to Docker Hub — all without pushing commits to main.

  • Automated versioning: Choose patch/minor/major from the Actions UI; the workflow calculates the next semver tag with collision avoidance
  • Version pinning at release time: Creates a detached commit (via git write-tree/git commit-tree) where @latest refs in review-pr/action.yml and review-pr.yml are replaced with @vX.Y.Z, then tags that commit as both vX.Y.Z and latest — main is never modified
  • Single source of truth for cagent version: New CAGENT_VERSION file replaces the cagent-version input that was hardcoded in 5 places; action.yml reads it at runtime, release workflow reads it at publish time

Changes

File                              What changed
CAGENT_VERSION                    New file — single source of truth for cagent binary version
.github/workflows/release.yml     Full rewrite — workflow_dispatch with version calc, ref pinning via detached commit, and Docker Hub publish
action.yml                        Removed cagent-version input; reads from CAGENT_VERSION file instead
review-pr/action.yml              Removed cagent-version input and pass-through
.github/workflows/review-pr.yml   Removed cagent-version input and pass-through
README.md, review-pr/README.md    Removed cagent-version from docs

How the release works

main:    A ── B ── C ── D  (always has @latest refs, untouched)
                          \
tags:                     R  ← vX.Y.Z, latest (pinned @vX.Y.Z refs)
                              (detached commit, parent = D)

  1. Dispatch with version bump type → calculates vX.Y.Z
  2. Pins @latest → @vX.Y.Z in working tree, creates detached commit via git plumbing
  3. Tags that commit as vX.Y.Z and latest, pushes tags only
  4. Creates GitHub Release with auto-generated changelog
  5. Publishes agent to Docker Hub (checks out the tagged commit)

Test plan

  • Trigger workflow manually with "patch" from Actions tab
  • git show vX.Y.Z:review-pr/action.yml has pinned @vX.Y.Z refs
  • git show vX.Y.Z:.github/workflows/review-pr.yml has pinned @vX.Y.Z refs
  • main HEAD still has @latest refs (unchanged)
  • GitHub Release exists with auto-generated notes
  • latest tag points to the same commit as vX.Y.Z
  • Docker Hub agent published successfully
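The pin, verify and detached-commit steps from "How the release works" and the first three checks of the test plan, as an added example rather than the PR's own workflow code. The two file names come from the PR; the `docker/example-action` ref, the `v1.2.3` version and the helper names (`pin_refs`, `verify_pinned`, `release_commit`) are assumptions made for this demo.

```shell
# Added example, not the PR's workflow code: pin 'uses: ...@latest' refs to a
# release tag, verify nothing unpinned survives, and record the result as a
# detached commit. 'docker/example-action' and v1.2.3 are constructed values.

# pin_refs DIR VERSION FILE...: rewrite refs in place; a missing file or a failed
# sed is an error rather than a silent no-op.
pin_refs() {
  dir=$1; version=$2; shift 2
  for f in "$@"; do
    [ -f "$dir/$f" ] || { echo "pin_refs: missing $f" >&2; return 1; }
    sed -i.bak "s#\(uses: *[^@[:space:]]*\)@latest#\1@${version}#g" "$dir/$f" || return 1
    rm -f "$dir/$f.bak"
  done
}

# verify_pinned DIR VERSION FILE...: succeed only if every file carries a pinned
# ref and no '@latest' remains (the "orphaned unpinned refs" concern).
verify_pinned() {
  dir=$1; version=$2; shift 2
  for f in "$@"; do
    ! grep -q '@latest' "$dir/$f" || { echo "unpinned ref left in $f" >&2; return 1; }
    grep -q "@${version}" "$dir/$f" || { echo "no pinned ref in $f" >&2; return 1; }
  done
}

# release_commit DIR VERSION: snapshot the pinned tree as a commit whose parent is
# HEAD, tag it VERSION and latest, leave every branch untouched; prints the id.
# Push afterwards with: git push origin "$2" +refs/tags/latest   (not run by demo)
release_commit() {
  (cd "$1" && git add -A && tree=$(git write-tree) &&
   c=$(git commit-tree "$tree" -p HEAD -m "Release $2") &&
   git tag "$2" "$c" && git tag -f latest "$c" && git reset -q && echo "$c")
}
PINNED_FILES="review-pr/action.yml .github/workflows/review-pr.yml"

# make_sample_tree: constructed stand-in for a checkout of main; prints its path.
make_sample_tree() {
  d=$(mktemp -d); mkdir -p "$d/review-pr" "$d/.github/workflows"
  printf 'runs:\n  steps:\n    - uses: docker/example-action@latest\n' > "$d/review-pr/action.yml"
  printf 'jobs:\n  steps:\n    - uses: docker/example-action/review-pr@latest\n' > "$d/.github/workflows/review-pr.yml"
  echo "$d"
}

# demo: pin the sample tree to v1.2.3 and verify it; returns the verify status.
demo() {
  d=$(make_sample_tree)
  pin_refs "$d" v1.2.3 $PINNED_FILES && verify_pinned "$d" v1.2.3 $PINNED_FILES
  rc=$?; rm -rf "$d"; return $rc
}
demo
```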

@derekmisler derekmisler marked this pull request as ready for review February 25, 2026 22:22
@derekmisler derekmisler requested a review from a team as a code owner February 25, 2026 22:22
@derekmisler derekmisler self-assigned this Feb 25, 2026
@docker-agent docker-agent bot left a comment

Review Summary

Found 1 critical issue in the release workflow that needs to be addressed before merging. The CAGENT_VERSION file is not being included in the release commit, which could cause inconsistencies between the tagged release and what gets published.

@derekmisler derekmisler force-pushed the make-review-pr-use-same-cagent-as-root-action branch from 32b7546 to e8ddf21 Compare February 25, 2026 22:31
@derekmisler derekmisler marked this pull request as draft February 25, 2026 22:31
@derekmisler derekmisler marked this pull request as ready for review February 25, 2026 22:31
@docker-agent docker-agent bot left a comment

Review Summary

This PR successfully refactors the release workflow to use workflow_dispatch with automated versioning and introduces a single source of truth for the cagent version via the CAGENT_VERSION file. The implementation is generally solid, but there's a reliability issue with the sed operations that modify workflow files during release creation.

Found 1 issue requiring attention:

  • Missing error handling for sed operations that modify critical workflow files

@derekmisler derekmisler force-pushed the make-review-pr-use-same-cagent-as-root-action branch from e8ddf21 to 0bea9dd Compare February 26, 2026 00:00
@derekmisler (Contributor, Author) commented:

/review

@docker-agent docker-agent bot left a comment

Review Summary

✅ This PR successfully modernizes the release workflow with automated versioning and ref pinning. The approach is sound, but there are two issues in the changed code:

  1. MEDIUM severity: Incomplete verification of @latest ref pinning could allow orphaned unpinned refs in tagged releases
  2. LOW severity: Error messages reference the wrong filename (action.yml instead of CAGENT_VERSION)

The other concerns raised (TOCTOU race conditions, file staging, file existence checks) are either mitigated by existing safeguards or dismissed as non-issues.

Signed-off-by: Derek Misler <derek.misler@docker.com>
@derekmisler derekmisler force-pushed the make-review-pr-use-same-cagent-as-root-action branch from 0bea9dd to e603458 Compare February 26, 2026 03:23
@derekmisler derekmisler merged commit 4ca5c96 into docker:main Feb 26, 2026
8 checks passed