feat(release): automate releases #217
AI Automated Review
Full PR review.
Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — escalated (fast_low_confidence)
Recommendation: Approve
This PR adds a new manual-release GitHub Actions workflow and updates AGENTS.md documentation to reflect the automated release process. The change is low-risk and follows existing repository patterns.
Change-by-Change Findings
.github/workflows/manual-release.yml (new file, 75 lines)
- Introduces a workflow_dispatch trigger accepting a version input (supports both 0.0.20 and v0.0.20 formats)
- Uses actions/create-github-app-token v3.2.0 (pinned SHA) to generate a GitHub App token with contents: write permission
- Uses actions/checkout v7.0.0 (pinned SHA) to check out the protected main branch with full history
- Validates the version string against semver regex before creating any GitHub resources
- Implements idempotent tag creation: skips creation if the tag already points to the current SHA; fails if it points elsewhere
- Creates GitHub releases idempotently: skips if already exists
- Workflow is concurrency-grouped to prevent parallel runs
AGENTS.md (documentation update)
- Replaces manual git-based release steps with the new automated workflow instructions
- Consolidates validation gates to match existing CI practices
- Accurately reflects the current release process
Required Checks — Explicitly Addressed
✅ Check for breaking API changes in updated dependencies
Status: Not applicable — this is not a dependency upgrade in the traditional sense.
The PR introduces a new workflow file that uses two GitHub Actions:
- actions/create-github-app-token v3.2.0 (pinned SHA bcd2ba4)
- actions/checkout v7.0.0 (pinned SHA 9c091bb)
These same action versions are already used throughout the repository in .github/workflows/test.yml, .github/workflows/release.yml, and .github/workflows/ai-pr-review.yaml. No new action versions are introduced; this PR simply uses actions already established in the codebase. Consequently, there are no breaking API changes to evaluate.
✅ Run full test suite after upgrade
Status: Satisfied — CI passed on this PR's commit.
The CI check results (authoritative, from the GitHub status API for commit 9f73144) confirm all three validation suites completed successfully:
- Script test suite: completed → success
- Headless smoke test: completed → success
- macOS validation: completed → success
The PR body notes "Validated with YAML parsing and git diff --check" as author-side sanity checks, but the full test suite ran via CI and passed.
Standards Compliance
- Action pinning: Both actions are pinned to full commit SHAs, not tags — compliant with repository security expectations
- Idempotency: Tag and release creation handle existing resources gracefully, preventing accidental double-publishing
- Permissions: Uses least-privilege contents: write permission scoped to the workflow job
- Concurrency control: Prevents parallel release workflow runs with cancel-in-progress: false (correct for release safety)
- Documentation: AGENTS.md accurately reflects the new workflow; version convention (plain semver, v prefix accepted) matches existing practice
Linked Issue Fit
No linked issues. The PR body describes the feature clearly: "Add a tag-only manual release workflow for protected main; no source version bump is required." The implementation matches this description.
Unknowns / Needs Verification
None. The corpus contains sufficient evidence: CI passed, actions are already used elsewhere in the repo, workflow logic is sound and idempotent.
Add a tag-only manual release workflow for protected main; no source version bump is required. Publishing the release continues to trigger the existing Godot export workflow.
Validated with YAML parsing and git diff --check.
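The validate-then-tag behaviour the review describes (accept 0.0.20 or v0.0.20, skip when the tag already points at the current SHA, fail when it points elsewhere) can be sketched as pure decision logic. This is an added example, not the workflow file from this PR; the function names, the assumption that the tag name is the plain semver string, and the sample SHAs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decision logic only, not the workflow file from the PR.
# Assumptions: the tag name is the plain semver string, and pre-release or
# build suffixes are rejected. Function names are hypothetical.

# normalize_version INPUT: print plain semver (one leading "v" stripped); return 1 if invalid.
normalize_version() {
    nv=${1#v}
    # Reject any byte outside digits and dots first, so an embedded newline
    # or shell metacharacter never reaches the line-oriented grep below.
    case $nv in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$nv" |
        grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$' || return 1
    printf '%s\n' "$nv"
}

# tag_action EXISTING_SHA HEAD_SHA: print "create" or "skip"; return 1 on conflict.
# In a checkout, EXISTING_SHA could come from:
#   git rev-parse -q --verify "refs/tags/$tag^{commit}"   (empty when the tag is absent)
tag_action() {
    if [ -z "$1" ]; then
        echo create
    elif [ "$1" = "$2" ]; then
        echo skip
    else
        echo "tag already points at $1, not $2" >&2
        return 1
    fi
}

# release_plan INPUT EXISTING_SHA HEAD_SHA: print "TAG ACTION"; fail before any write.
release_plan() {
    rp_tag=$(normalize_version "$1") || { echo "invalid version: $1" >&2; return 1; }
    rp_act=$(tag_action "$2" "$3") || return 1
    printf '%s %s\n' "$rp_tag" "$rp_act"
}

# Constructed sample run: tag absent, so the plan is to create it.
release_plan v0.0.20 "" 1111111
```

Checking the character set before the regex matters because grep matches per line: an input such as a valid version followed by a newline and more text would otherwise pass.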