feat(release): CI-driven publish pipeline via GitHub Actions + npm OIDC

Replace tools/release.mjs with two workflow_dispatch flows:

- stable: production environment gate (Required Reviewers) + lightweight git tag. Trusted Publishing (OIDC) removes the need for an npm token.
- channel beta: disposable 0.0.0-beta-<sha>-<date> versions on the corresponding dist-tag, no tag, no commit. Any collaborator can dispatch without npm credentials.

Pack-time scans via publint, attw, gitleaks; weekly Dependabot for npm + actions.

Author: XXPermanentXX

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    groups:
+      dev-deps:
+        dependency-type: development
+        update-types:
+          - minor
+          - patch
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  check:
+    name: lint + typecheck + test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: pnpm
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm run check
+
+      - run: pnpm test

.github/workflows/release-channel.yml

@@ -0,0 +1,47 @@
+name: Release (channel)
+
+on:
+  workflow_dispatch:
+    inputs:
+      channel:
+        description: "dist-tag (kebab-case, e.g. mcp/plugin/advisor). Reserved: latest/beta/alpha/next/rc/canary/dev."
+        required: true
+        type: string
+
+# Serialize channel releases per channel name to avoid racing tarball uploads.
+concurrency:
+  group: release-channel-${{ inputs.channel }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read # no tag, no Release; just publish
+  id-token: write # OIDC for npm Trusted Publishing + provenance
+
+jobs:
+  publish:
+    name: publish beta to npm
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: pnpm
+          registry-url: "https://registry.npmjs.org/"
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION=8.21.2
+          curl -sSfL \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | sudo tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: publish-channel
+        run: node tools/release/publish-channel.mjs --channel "${{ inputs.channel }}"

.github/workflows/release-stable.yml

@@ -0,0 +1,43 @@
+name: Release (stable)
+
+on:
+  workflow_dispatch:
+
+# Only one stable release at a time.
+concurrency:
+  group: release-stable
+  cancel-in-progress: false
+
+permissions:
+  contents: write # push lightweight tag to origin
+  id-token: write # OIDC for npm Trusted Publishing + provenance
+
+jobs:
+  publish:
+    name: publish to npm + tag
+    runs-on: ubuntu-latest
+    environment: production # Required Reviewers gate
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: pnpm
+          registry-url: "https://registry.npmjs.org/"
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          GITLEAKS_VERSION=8.21.2
+          curl -sSfL \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | sudo tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: publish-stable
+        run: node tools/release/publish-stable.mjs

package.json

@@ -19,8 +19,7 @@
     "dev": "pnpm -F bailian-cli-core dev",
     "bl": "pnpm -F bailian-cli dev",
     "test": "vp test",
-    "release:check": "node tools/release.mjs check",
-    "release:publish": "node tools/release.mjs publish",
+    "release:check": "node tools/release/check.mjs",
     "wiki:crawl": "node tools/wiki-crawler/index.mjs",
     "test:stress": "node packages/cli/tests/stress/run.mjs"
   },