feat(workflow): add GitHub Actions workflow for publishing agentflow sdk

[jocelynlin-wd]

• Introduced a new workflow to handle version bumps and publishing of the @flowiseai/agentflow package.
• Supports various version bump types (prerelease, patch, minor, major, custom) and allows for custom version input.
• Includes a dry-run step to validate the version and simulate the publish process before actual deployment.
• Configured to use pnpm for dependency management and publishing tasks.

Workflow Flow

Trigger (manual dispatch)
        │
        ▼
┌───────────────┐
│   dry-run     │  1. Validates semver (custom bump only)
│               │  2. Installs deps, sets version via bump type
│               │  3. Resolves & logs version to job summary
│               │  4. Lists package contents (npm pack --dry-run)
│               │  5. Runs publish --dry-run
└───────┬───────┘
        │ (passes)
        ▼
┌───────────────┐
│   approval    │  Pauses here — requires manual approval via
│   gate        │  the "npm-publish" GitHub environment
└───────┬───────┘
        │ (approved)
        ▼
┌───────────────┐
│   publish     │  1. Installs deps, sets version
│               │  2. Publishes to npm with selected dist-tag
│               │  3. Creates a PR to bump package.json version
└───────┬───────┘
        │ (PR created)
        ▼
┌───────────────┐
│   version     │  Team member reviews and merges the
│   bump PR     │  auto-generated version bump PR
└───────────────┘

Inputs

Input	Required	Default	Description
bump	Yes	prerelease	Version bump type: prerelease, patch, minor, major, custom
custom_version	No	—	Exact semver version (only used when bump is custom)
tag	No	dev	npm dist-tag: dev or latest

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[mmattu-wd]

small things but looks good to give a test run

[mmattu-wd]

is there a risk with how we accept a string value for custom version that is interpolated directly into the shell below?

[jocelynlin-wd]

Shell injection fix — all ${{ inputs.custom_version }} and ${{ inputs.bump }} are now passed via env: blocks and referenced as $CUSTOM_VERSION / $BUMP in shell. This prevents injection since env vars are safely quoted, unlike ${{ }} which is interpolated directly into the shell script before execution.

[jocelynlin-wd]

this is for PR creation, will review if we really want PR creation since it will require us to either give github actions write permission to the repo or use a fine-grained PAT for the PR creation job.