chore: add release workflow for setup-sourcebot

[brendan-kellam]

Summary

Adds a manually-triggered GitHub Action (.github/workflows/release-setup-sourcebot.yml) that automates releasing the setup-sourcebot CLI (packages/setupWizard) to the public npm registry.

Triggered via workflow_dispatch with a bump_type choice (patch/minor/major), matching the convention in release-prod.yml. In one job it:

1. Mints the existing RELEASE_APP GitHub App token (to push to protected main).
2. Bumps packages/setupWizard/package.json and guards against an existing setup-sourcebot-v<version> tag.
3. Builds @sourcebot/schemas then setup-sourcebot.
4. Packs with Yarn (rewrites the workspace:^ schemas dep to a concrete version range — something npm publish can't do on its own).
5. Upgrades npm and publishes the tarball with OIDC Trusted Publishing (npm publish --provenance, no long-lived token).
6. Commits the bump ([skip ci]), tags setup-sourcebot-v<version>, pushes to main, and cuts a GitHub release.

Publish happens before the git commit/tag so a late git failure can't leave a tag for a version that never reached npm. The setup-sourcebot-v tag prefix avoids colliding with the main product's v<version> tags.

Prerequisites (one-time, before first run)

• npm Trusted Publisher: on npmjs.org, configure a trusted publisher for the setup-sourcebot package pointing at sourcebot-dev/sourcebot + workflow release-setup-sourcebot.yml. (The package already exists at 0.1.5, so trusted publishing can attach to it.)
• RELEASE_APP_ID / RELEASE_APP_PRIVATE_KEY secrets already exist (shared with release-prod.yml); the App needs push access to main.

Notes

• setupWizard versioning is independent of the main repo's CHANGELOG.md-driven release; its own package.json is the source of truth.
• No product-facing change, so no CHANGELOG entry (CI tooling only).

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved release process automation for the setup-sourcebot package with automated versioning, building, and npm publishing.

[github-actions]

@brendan-kellam your pull request is missing a changelog!

[coderabbitai]

Walkthrough

This PR adds a new GitHub Actions workflow for automating the release of the setup-sourcebot CLI. The workflow accepts a manual version bump type (patch/minor/major), generates a GitHub App token, bumps the package version, builds dependent workspaces, publishes the tarball to npm using OIDC provenance, and finally commits and tags the version change on main.

Changes

Release setup-sourcebot automation

Layer / File(s)

Summary

Release workflow: token generation through npm publish and git push .github/workflows/release-setup-sourcebot.yml

Workflow accepts manual bump_type input, generates GitHub App token via actions/create-github-app-token, checks out main, bumps packages/setupWizard/package.json, validates the annotated tag does not exist, builds @sourcebot/schemas and setup-sourcebot workspaces in dependency order, packs the CLI, upgrades npm for OIDC compliance, publishes the tarball with --provenance --access public, commits the version bump, creates an annotated tag, and pushes both to main.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding a GitHub Actions release workflow for the setup-sourcebot package.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch brendan/release-setup-sourcebot-action

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-setup-sourcebot.yml:
- Around line 53-63: Replace unpinned action versions and remove unnecessary
submodule checkout: update uses for actions/checkout, actions/setup-node, and
actions/create-github-app-token to specific commit SHAs (pin the actions to
exact commit hashes instead of tags) and change or remove the checkout input
submodules: "true" (e.g., set submodules: false or remove the key) since
vendor/zoekt isn't used by the workspace builds; ensure the workflow still
passes the token through (token: ${{ steps.generate_token.outputs.token }})
after making these replacements.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d43101b7-5cbd-4d87-9a2f-90e721df8ff9

📥 Commits

Reviewing files that changed from the base of the PR and between bd47aab and c4babfd.

📒 Files selected for processing (1)

• .github/workflows/release-setup-sourcebot.yml