feat: add comprehensive GitHub Action publish workflow (#3)

* feat: add comprehensive GitHub Action publish workflow

- Add automated release workflow triggered by GitHub releases
- Add build validation workflow for PR/push to main
- Add manual version tag update workflow
- Update package.json with additional build scripts
- Add comprehensive publishing documentation

Features:
- Semantic versioning with multi-tag system (v1.0.0 + v1)
- Automated building, testing, and validation
- Quality gates before publishing
- Manual override capability for version management
- Follows GitHub Actions best practices

This enables users to reference the action as:
- @v1 (latest patches automatically)
- @v1.0.0 (specific version locked)

* fix: update pnpm version to 9 and add packageManager field

- Update GitHub Actions workflows to use pnpm v9 instead of v8
- Add packageManager field to package.json for consistency
- This should fix the check-dist workflow failure

* fix: add explicit GITHUB_TOKEN permissions to workflows

- Add 'contents: read' permission to check-dist workflow
- Move 'contents: write' permission to workflow level for release and update-version workflows
- Addresses GitHub Advanced Security feedback about explicit permissions

* fix: improve pnpm setup in workflows

- Match the exact pnpm setup pattern from working test.yml workflow
- Add pnpm cache configuration for better performance
- Change step name from 'Setup pnpm' to 'Install pnpm'
- This should resolve the pnpm setup failures

* fix: resolve pnpm version conflicts in workflows

- Remove explicit version from pnpm/action-setup@v4 in all workflows
- Let pnpm use the version specified in packageManager field ([email protected])
- This resolves the 'Multiple versions of pnpm specified' error
- Also fixes the existing test.yml workflow that had the same conflict

Author: dcramer

.github/workflows/check-dist.yml

@@ -0,0 +1,64 @@
+name: Check dist/
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+          
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+      
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+          
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+        
+      - name: Build the action
+        run: pnpm run build
+        
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build. See status below:"
+            git diff --name-only
+            git diff
+            echo "Run 'pnpm run build' and commit the changes"
+            exit 1
+          fi
+        id: diff
+        
+      - name: Upload dist/ artifacts
+        uses: actions/upload-artifact@v4
+        if: failure() && steps.diff.conclusion == 'failure'
+        with:
+          name: dist
+          path: dist/

.github/workflows/release.yml

@@ -0,0 +1,94 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+      
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+          
+      - name: Get pnpm store directory
+        id: pnpm-cache
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
+      
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+          
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+        
+      - name: Build the action
+        run: pnpm run build
+        
+      - name: Run tests
+        run: pnpm run test
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          
+      - name: Run type checking
+        run: pnpm run typecheck
+        
+      - name: Run linting
+        run: pnpm run lint
+        
+      - name: Extract version from tag
+        id: version
+        run: |
+          TAG_NAME="${{ github.event.release.tag_name }}"
+          VERSION=${TAG_NAME#v}
+          MAJOR_VERSION=$(echo $VERSION | cut -d. -f1)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "major_version=v$MAJOR_VERSION" >> $GITHUB_OUTPUT
+          echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT
+          
+      - name: Update package.json version
+        run: |
+          npm version ${{ steps.version.outputs.version }} --no-git-tag-version
+          
+      - name: Rebuild with updated version
+        run: pnpm run build
+        
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          
+      - name: Commit built files
+        run: |
+          git add dist/ package.json
+          git commit -m "Release ${{ steps.version.outputs.tag_name }}"
+          
+      - name: Create or update major version tag
+        run: |
+          git tag -f ${{ steps.version.outputs.major_version }} ${{ steps.version.outputs.tag_name }}
+          git push origin ${{ steps.version.outputs.major_version }} --force
+          
+      - name: Push changes to release tag
+        run: |
+          git tag -f ${{ steps.version.outputs.tag_name }}
+          git push origin ${{ steps.version.outputs.tag_name }} --force

.github/workflows/test.yml

@@ -17,8 +17,6 @@ jobs:
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - name: Get pnpm store directory
         id: pnpm-cache

.github/workflows/update-version.yml

@@ -0,0 +1,53 @@
+name: Update Version Tag
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'The tag or reference to use'
+        required: true
+        type: string
+      major_version:
+        description: 'The major version to update'
+        required: true
+        type: choice
+        options:
+          - v1
+          - v2
+          - v3
+          - v4
+          - v5
+
+permissions:
+  contents: write
+
+jobs:
+  update-version:
+    runs-on: ubuntu-latest
+      
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          
+      - name: Validate target reference
+        run: |
+          if ! git show-ref --verify --quiet refs/tags/${{ github.event.inputs.target }}; then
+            echo "Error: Tag ${{ github.event.inputs.target }} does not exist"
+            exit 1
+          fi
+          
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          
+      - name: Update major version tag
+        run: |
+          git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+          git push origin ${{ github.event.inputs.major_version }} --force
+          
+      - name: Summary
+        run: |
+          echo "✅ Successfully updated ${{ github.event.inputs.major_version }} to point to ${{ github.event.inputs.target }}"

PUBLISHING.md

@@ -0,0 +1,143 @@
+# Publishing Workflow
+
+This document describes how to publish new versions of the Only Robots GitHub Action.
+
+## Overview
+
+The action follows semantic versioning and uses a multi-tag system similar to other popular GitHub Actions:
+
+- **Specific version tags**: `v1.0.0`, `v1.1.0`, `v1.1.1` (immutable, points to exact commit)
+- **Major version tags**: `v1`, `v2`, `v3` (mutable, points to latest release within major version)
+
+## Publishing Process
+
+### 1. Automated Publishing (Recommended)
+
+The automated publishing workflow is triggered when you create a GitHub release:
+
+1. **Create a GitHub Release**:
+   - Go to the [Releases page](https://github.com/dcramer/action-onlyrobots/releases)
+   - Click "Create a new release"
+   - Tag version: `v1.0.0` (use semantic versioning)
+   - Generate release notes or write them manually
+   - Click "Publish release"
+
+2. **Automatic Processing**:
+   - The `release.yml` workflow will automatically:
+     - Build the action
+     - Run tests and linting
+     - Update package.json version
+     - Commit built files to the release tag
+     - Update the major version tag (e.g., `v1` → `v1.0.0`)
+
+### 2. Manual Version Tag Updates
+
+If you need to manually update a major version tag to point to a different release:
+
+1. Go to the [Actions tab](https://github.com/dcramer/action-onlyrobots/actions)
+2. Select "Update Version Tag" workflow
+3. Click "Run workflow"
+4. Enter:
+   - **Target**: The existing tag to point to (e.g., `v1.0.1`)
+   - **Major version**: The major version to update (e.g., `v1`)
+
+## Workflow Files
+
+### `.github/workflows/check-dist.yml`
+- Runs on push/PR to main
+- Ensures compiled `dist/` directory is up-to-date
+- Prevents merging code without proper build artifacts
+
+### `.github/workflows/release.yml`
+- Runs when a GitHub release is published
+- Builds, tests, and publishes the action
+- Updates major version tags automatically
+
+### `.github/workflows/update-version.yml`
+- Manual workflow for updating major version tags
+- Useful for hotfixes or corrections
+
+## Pre-Release Checklist
+
+Before creating a release:
+
+1. **Ensure all changes are merged to main**
+2. **Run local validation**:
+   ```bash
+   pnpm run validate
+   ```
+3. **Test the action locally**:
+   ```bash
+   pnpm run test-pr
+   ```
+4. **Verify dist/ is up-to-date**:
+   ```bash
+   pnpm run build
+   git status  # should show no changes in dist/
+   ```
+
+## Version Strategy
+
+### Major Versions (v1, v2, v3)
+- Breaking changes
+- New required inputs
+- Removed functionality
+- Major workflow changes
+
+### Minor Versions (v1.1, v1.2)
+- New features
+- New optional inputs
+- Enhanced functionality
+- Non-breaking changes
+
+### Patch Versions (v1.1.1, v1.1.2)
+- Bug fixes
+- Security patches
+- Documentation updates
+- Performance improvements
+
+## User Consumption
+
+Users can reference the action in multiple ways:
+
+```yaml
+# Recommended: Use major version (gets latest patches automatically)
+- uses: dcramer/action-onlyrobots@v1
+
+# Specific version (locked to exact release)
+- uses: dcramer/[email protected]
+
+# Development version (not recommended for production)
+- uses: dcramer/action-onlyrobots@main
+```
+
+## Troubleshooting
+
+### Build Artifacts Out of Date
+If the `check-dist.yml` workflow fails:
+```bash
+pnpm run build
+git add dist/
+git commit -m "Update build artifacts"
+```
+
+### Release Workflow Fails
+1. Check that `OPENAI_API_KEY` is set in repository secrets
+2. Verify the tag follows semantic versioning (e.g., `v1.0.0`)
+3. Ensure all tests pass locally with `pnpm run test`
+
+### Major Version Tag Issues
+If a major version tag points to the wrong release:
+1. Use the "Update Version Tag" workflow
+2. Or manually update via CLI:
+   ```bash
+   git tag -f v1 v1.0.1
+   git push origin v1 --force
+   ```
+
+## Security Notes
+
+- Only repository maintainers can create releases
+- All builds are performed in GitHub Actions (not local machines)
+- Secrets are only accessible to the release workflow
+- Built artifacts are committed to release tags, not main branch

package.json

@@ -8,6 +8,7 @@
   },
   "scripts": {
     "build": "tsc",
+    "build:clean": "rm -rf dist && pnpm run build",
     "start": "node dist/cli.js",
     "test-pr": "tsx src/test-cli.ts",
     "typecheck": "tsc --noEmit",
@@ -16,11 +17,14 @@
     "lint:fix": "pnpm run typecheck && biome lint --fix",
     "prepare": "simple-git-hooks",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "validate": "pnpm run typecheck && pnpm run lint && pnpm run test",
+    "package": "pnpm run build:clean && pnpm run validate"
   },
   "keywords": [],
   "author": "David Cramer <[email protected]> (https://github.com/dcramer)",
   "license": "Apache-2.0",
+  "packageManager": "[email protected]",
   "devDependencies": {
     "@biomejs/biome": "^2.1.1",
     "@types/node": "^24.0.14",