chore(ci): add release-package and release-publish workflows#145

Merged: kongche-jbw merged 3 commits into main from feature/ci/add-release-workflow on Apr 10, 2026

@samchu-zsl
Collaborator

Description

Split the monolithic release workflow into two independent workflows: release-package.yaml handles tag-triggered packaging and preview builds, while release-publish.yaml handles GitHub Release creation from pre-built official artifacts. This separation decouples the build and publish steps, allowing release managers to verify the packaged artifact (via dry-run) before making it publicly available. The two-stage design also enforces a clear artifact provenance contract: only official artifacts produced by release-package.yaml on tag push are accepted by release-publish.yaml.

flowchart TD
    subgraph PKG["release-package.yaml"]
        T1["push tag\ncosh/v* | sec-core/v* | sight/v* | skill/v*"]
        T2["workflow_dispatch\ncomponent + version"]

        T1 --> P1["parse-tag\nparse tag → component + version"]
        P1 --> P2["package-official\ninvoke package-archive action"]
        P2 --> A1["official artifact\n{component}-{version}.tar.gz\nretained 28 days"]

        T2 --> P3["package-preview\ninvoke package-archive action"]
        P3 --> A2["preview artifact\n{component}-{version}.preview.tar.gz\nretained 14 days\nfor manual verification only"]
    end

    subgraph PUB["release-publish.yaml"]
        T3["workflow_dispatch\ncomponent + version + dry_run"]

        T3 --> Q1["Find package run-id"]
        Q1 --> Q2{artifact found?}
        Q2 -- No --> ERR["exit 1\nnot found / expired / input mismatch"]
        Q2 -- Yes --> Q3["Download official artifact"]
        Q3 --> DR{dry_run?}
        DR -- true --> D1["Step Summary preview\ntar -t lists contents\nno Release created"]
        DR -- false --> D2["gh release create\ncreate GitHub Release\nupload tar.gz"]
    end

    A1 -.->|"cross-workflow download\nvalid for 28 days"| Q1

Related Issue

closes #118

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional change)
  • Performance improvement
  • CI/CD or build changes

Scope

  • cosh (copilot-shell)
  • sec-core (agent-sec-core)
  • skill (os-skills)
  • sight (agentsight)
  • Multiple / Project-wide

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For cosh: Lint passes, type check passes, and tests pass
  • For sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
  • For sec-core (Python): Ruff format and pytest pass
  • For skill: Skill directory structure is valid and shell scripts pass syntax check
  • For sight: cargo clippy -- -D warnings and cargo fmt --check pass
  • Lock files are up to date (package-lock.json / Cargo.lock)

Testing

Additional Notes

release-package.yaml key behaviors:

  • Triggered by tags matching cosh/v*, sec-core/v*, sight/v*, skill/v*
  • Official artifact: {component}-{version}.tar.gz, retained 28 days
  • Preview artifact (via workflow_dispatch): {component}-{version}.preview.tar.gz, retained 14 days

release-publish.yaml key behaviors:

  • Manual-only (workflow_dispatch); requires component, version, and dry_run inputs
  • Looks up the official artifact from the latest successful release-package.yaml run
  • dry_run=true: prints release info and archive contents only, no Release created
  • dry_run=false: creates GitHub Release and uploads the artifact as a release asset
  • Fails clearly if the artifact is not found or has exceeded the 28-day retention window

Merge suggestion: please use Squash and Merge with title chore(ci): add release-package and release-publish workflows to keep the commit history clean.
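
The provenance contract described above (component allowlist, official versus preview artifact naming) can be enforced on the publish side by validating the manual inputs and matching the artifact name exactly. This is an added example, not the PR's workflow code; it assumes `{version}` is the semver-shaped text after `<component>/v`, and all function names are hypothetical.

```shell
# Added example, not the project's workflow code.
# Assumption: {version} is the tag text after "<component>/v", semver-shaped.

# valid_pair <component> <version>: allowlist the component, pin the version shape.
valid_pair() {
  case "$1" in
    cosh|sec-core|sight|skill) ;;
    *) return 1 ;;
  esac
  # Reject anything outside [0-9A-Za-z.-] first (also blocks "/" and newlines).
  case "$2" in
    ''|*[!0-9A-Za-z.-]*) return 1 ;;
  esac
  # A ".preview" suffix fails here, so a crafted version cannot alias a preview build.
  printf '%s\n' "$2" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z]+)?$'
}

# parse_tag <tag>: prints "<component> <version>" or fails.
parse_tag() {
  case "$1" in
    */v*) ;;
    *) return 1 ;;
  esac
  _component="${1%%/*}"
  _rest="${1#*/}"
  case "$_rest" in v*) ;; *) return 1 ;; esac
  _version="${_rest#v}"
  valid_pair "$_component" "$_version" || return 1
  printf '%s %s\n' "$_component" "$_version"
}

# official_artifact_name <component> <version>: the only name publish may accept.
official_artifact_name() {
  valid_pair "$1" "$2" || return 1
  printf '%s-%s.tar.gz\n' "$1" "$2"
}

# select_official <component> <version>: reads artifact names on stdin
# (a constructed listing of one packaging run) and requires an exact match.
select_official() {
  _want="$(official_artifact_name "$1" "$2")" || return 1
  grep -Fxq -- "$_want"
}
```

Exact-line matching (`grep -Fx`) is what keeps `{component}-{version}.preview.tar.gz` from satisfying a lookup for the official name.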

@samchu-zsl samchu-zsl requested a review from kongche-jbw as a code owner April 9, 2026 13:05
@github-actions github-actions Bot added the scope:ci ./.github/ label Apr 9, 2026
@samchu-zsl samchu-zsl requested a review from casparant April 9, 2026 14:16
@samchu-zsl samchu-zsl self-assigned this Apr 9, 2026
Comment thread .github/workflows/release-package.yaml
Comment thread .github/actions/package-archive/action.yaml
kongche-jbw previously approved these changes Apr 10, 2026
@samchu-zsl
Collaborator Author

@kongche-jbw Made two main changes based on code review feedback: updated comments to match actual retention days, and changed signing status to be passed via environment variables rather than inferred from component names.

@kongche-jbw kongche-jbw self-requested a review April 10, 2026 01:19
@kongche-jbw kongche-jbw merged commit b5118d8 into main Apr 10, 2026
15 checks passed
@samchu-zsl samchu-zsl deleted the feature/ci/add-release-workflow branch April 10, 2026 01:20
Labels

scope:ci ./.github/

Development

Successfully merging this pull request may close these issues.

feat(ci): Add automated GitHub RPM publishing and source tarball packaging workflow

3 participants