pgserve 1.1.9 → 1.2.0

package/.github/workflows/release.yml

@@ -1,138 +1,253 @@
-name: Unified Release
+name: Release
+
+# Single-branch release pipeline modeled on khal-os/desktop.
+#
+# Two trigger paths into the same workflow:
+#
+#   1. push to main with a hand-bumped package.json (no [skip ci] marker)
+#      -> auto-detect path: prepare reads package.json, checks if v${version}
+#         tag exists, builds + publishes + creates GitHub Release if not.
+#
+#   2. workflow_dispatch with bump=patch|minor|major
+#      -> bump job runs `npm version`, commits with [skip ci], tags, pushes.
+#         prepare/build/release continue inline in the same workflow run.
+#
+# Bot-loop guard: bump commits carry [skip ci]. Push of those commits is
+# filtered out by the prepare gate, so the bot's own push does not retrigger.
+#
+# Auth: npm OIDC Trusted Publishing (configured via build-all-platforms.yml).
 
 on:
-  pull_request:
-    types: [closed]
+  push:
     branches: [main]
   workflow_dispatch:
     inputs:
-      action:
-        description: 'Release action'
+      bump:
+        description: "Version bump type"
         required: true
         type: choice
         options:
-          - bump-rc
-          - promote
+          - patch
+          - minor
+          - major
 
 concurrency:
-  group: unified-release
+  group: release-${{ github.ref }}
   cancel-in-progress: false
 
 permissions:
   contents: write
-  pull-requests: read
-  id-token: write
+  id-token: write   # required so the reusable `version.yml` workflow can mint
+                    # the OIDC token for npm Trusted Publishing — without this,
+                    # GH rejects the workflow at parse time (startup_failure)
+                    # because the called job's `id-token: write` permission
+                    # exceeds what the caller has granted.
 
 jobs:
-  # Gate: Skip bot commits, detect action from PR labels
-  gate:
-    name: Release Gate
-    runs-on: ubuntu-latest
-    if: |
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true &&
-       (contains(github.event.pull_request.labels.*.name, 'rc') ||
-        contains(github.event.pull_request.labels.*.name, 'stable')))
-    outputs:
-      should_run: ${{ steps.check.outputs.should_run }}
-      action: ${{ steps.detect.outputs.action }}
-
-    steps:
-      - name: Check for bot commits
-        id: check
-        run: |
-          # Skip if this is a bot commit (prevents infinite loops)
-          if [[ "${{ github.actor }}" == "github-actions[bot]" ]]; then
-            echo "Skipping: bot commit detected"
-            echo "should_run=false" >> $GITHUB_OUTPUT
-          else
-            echo "should_run=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Detect action
-        id: detect
-        if: steps.check.outputs.should_run == 'true'
-        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "action=${{ inputs.action }}" >> $GITHUB_OUTPUT
-            echo "Action from dispatch: ${{ inputs.action }}"
-          elif [[ "${{ contains(github.event.pull_request.labels.*.name, 'stable') }}" == "true" ]]; then
-            echo "action=promote" >> $GITHUB_OUTPUT
-            echo "Action from label: promote (stable)"
-          elif [[ "${{ contains(github.event.pull_request.labels.*.name, 'rc') }}" == "true" ]]; then
-            echo "action=bump-rc" >> $GITHUB_OUTPUT
-            echo "Action from label: bump-rc"
-          else
-            echo "No release label found"
-            echo "action=" >> $GITHUB_OUTPUT
-          fi
-
-  # Version: Bump version and create tag
-  version:
-    name: Bump Version
-    needs: gate
-    if: needs.gate.outputs.should_run == 'true' && needs.gate.outputs.action != ''
+  # ---------------------------------------------------------------------------
+  # Bump (workflow_dispatch only): npm version, commit [skip ci], tag, push.
+  # ---------------------------------------------------------------------------
+  bump:
+    name: Bump version
+    if: github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     outputs:
       version: ${{ steps.bump.outputs.version }}
       tag: ${{ steps.bump.outputs.tag }}
-      npm_tag: ${{ steps.bump.outputs.npm_tag }}
-      is_promote: ${{ steps.bump.outputs.is_promote }}
-
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
+          ref: main
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: "22"
 
-      - name: Configure Git
+      - name: Configure git
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Run release script
+      - name: Bump version
         id: bump
-        run: node scripts/release.cjs --action ${{ needs.gate.outputs.action }}
+        run: |
+          npm version "${{ inputs.bump }}" --no-git-tag-version
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Bumped to ${VERSION}"
+
+      - name: Commit, tag, push
+        run: |
+          VERSION="${{ steps.bump.outputs.version }}"
+          TAG="${{ steps.bump.outputs.tag }}"
+          git add package.json
+          git commit -m "[skip ci] release ${TAG}"
+          git tag "${TAG}"
+          git push origin HEAD --follow-tags
+
+  # ---------------------------------------------------------------------------
+  # Prepare: resolve version, skip if tag already exists, build changelog.
+  #
+  # Gate handles both event types:
+  #   - push:    bump is skipped; the !cancelled() && !failure() guard lets
+  #              this job run regardless. The [skip ci] check filters the
+  #              bot's own bump-commit push so it does not retrigger.
+  #   - dispatch: bump succeeded; the workflow_dispatch branch of the OR
+  #              short-circuits the [skip ci] check (the dispatch event
+  #              itself does not carry the bump's commit message).
+  # ---------------------------------------------------------------------------
+  prepare:
+    name: Prepare release
+    needs: bump
+    if: |
+      !cancelled() && !failure() &&
+      (github.event_name == 'workflow_dispatch' ||
+       (github.event_name == 'push' &&
+        !startsWith(github.event.head_commit.message, '[skip ci]')))
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    outputs:
+      version: ${{ steps.ver.outputs.version }}
+      tag: ${{ steps.ver.outputs.tag }}
+      skip: ${{ steps.ver.outputs.skip }}
+      changelog: ${{ steps.changelog.outputs.notes }}
+      # Surface the resolved checkout-ref so downstream jobs (build, release)
+      # can use it. They cannot reference `needs.bump.outputs.*` directly
+      # because they only have `needs: prepare` (or [prepare, build]) — not
+      # `bump` — in their needs context.
+      ref: ${{ needs.bump.outputs.tag || github.sha }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # On dispatch, check out the freshly-pushed tag; on push, the
+          # triggering SHA already has the bumped package.json.
+          # (Prepare cannot reference its own `outputs.ref` here — that's
+          # only available to downstream jobs.)
+          ref: ${{ needs.bump.outputs.tag || github.sha }}
+          fetch-depth: 0
+
+      - name: Resolve version
+        id: ver
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          TAG="v${VERSION}"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+          if gh release view "${TAG}" > /dev/null 2>&1; then
+            echo "Release ${TAG} already exists — skipping"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Find previous release tag
+        id: prev
+        if: steps.ver.outputs.skip == 'false'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          TAG="${{ steps.ver.outputs.tag }}"
+          PREV=$(gh release list --limit 50 --json tagName -q '.[].tagName' | grep -v "^${TAG}$" | head -1)
+          if [ -n "$PREV" ] && git merge-base --is-ancestor "$PREV" HEAD 2>/dev/null; then
+            echo "tag=${PREV}" >> "$GITHUB_OUTPUT"
+            echo "Previous tag: ${PREV}"
+          else
+            echo "tag=" >> "$GITHUB_OUTPUT"
+            echo "No previous tag reachable from HEAD"
+          fi
+
+      - name: Generate changelog
+        id: changelog
+        if: steps.ver.outputs.skip == 'false' && steps.prev.outputs.tag != ''
+        run: |
+          PREV="${{ steps.prev.outputs.tag }}"
+          NOTES=$(git log --oneline "${PREV}..HEAD" --pretty="- %s" | head -50)
+          {
+            echo "notes<<EOF"
+            echo "$NOTES"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
 
-      - name: Push changes
+      # Echo the resolved outputs so downstream skip/no-skip decisions are
+      # debuggable from the run log without re-running with step debug.
+      - name: Debug resolved outputs
         run: |
-          git push origin HEAD:${{ github.ref_name }}
-          git push origin --tags
+          echo "version=${{ steps.ver.outputs.version }}"
+          echo "tag=${{ steps.ver.outputs.tag }}"
+          echo "skip=${{ steps.ver.outputs.skip }}"
+          echo "prev=${{ steps.prev.outputs.tag }}"
 
-  # Build & Publish: Always build and publish (npm_tag comes from version job)
+  # ---------------------------------------------------------------------------
+  # Build & Publish: matrix build of platform binaries + npm publish via OIDC.
+  #
+  # The reusable workflow filename is `version.yml` because npm Trusted
+  # Publisher is configured against that exact path. Renaming requires
+  # updating the npmjs.com Trusted Publisher entry first.
+  #
+  # The `if:` uses `always() && needs.prepare.result == 'success' &&
+  # needs.prepare.outputs.skip != 'true'`. This is the bulletproof pattern
+  # for reusable-workflow callers when any upstream job in the `needs:`
+  # chain was SKIPPED. With the simpler `needs.prepare.outputs.skip != 'true'`
+  # alone, GH Actions silently evaluated the gate as false even though the
+  # debug step in `prepare` proved the output was actually `'false'` — a
+  # known GH Actions quirk: when a job's transitive `needs:` chain includes
+  # a skipped job (here, `bump` is skipped on push events), the reusable-
+  # workflow caller's expression evaluator treats `needs.<job>.outputs.<x>`
+  # as null/missing regardless of the actual value.
+  #
+  # `always()` opts out of the implicit success() filter; the explicit
+  # `result == 'success'` reinstates it correctly; the outputs check then
+  # works as intended.
+  # ---------------------------------------------------------------------------
   build:
     name: Build & Publish
-    needs: version
-    uses: ./.github/workflows/build-all-platforms.yml
+    needs: prepare
+    if: |
+      always() &&
+      needs.prepare.result == 'success' &&
+      needs.prepare.outputs.skip != 'true'
+    uses: ./.github/workflows/version.yml
     with:
-      version: ${{ needs.version.outputs.version }}
-      npm_tag: ${{ needs.version.outputs.npm_tag }}
-      ref: ${{ needs.version.outputs.tag }}
+      version: ${{ needs.prepare.outputs.version }}
+      npm_tag: latest
+      # Use prepare.outputs.ref (which resolves to the bump-job tag on
+      # dispatch, or `github.sha` on push). Build cannot reference
+      # `needs.bump.*` directly — only `prepare` is in its `needs:` chain.
+      # On the push path nobody creates the tag before this runs; the
+      # SHA-based checkout works because the merge commit already has the
+      # bumped package.json. The release job creates the tag at the end
+      # via `gh release create`.
+      ref: ${{ needs.prepare.outputs.ref }}
     secrets: inherit
 
-  # GitHub Release: Create release with changelog
-  github-release:
+  # ---------------------------------------------------------------------------
+  # Release: download artifacts, create GitHub Release with cliff-free notes.
+  # ---------------------------------------------------------------------------
+  release:
     name: Create GitHub Release
-    needs: [version, build]
-    if: always() && needs.version.result == 'success' && needs.build.result == 'success'
+    needs: [prepare, build]
+    if: |
+      always() &&
+      needs.prepare.result == 'success' &&
+      needs.build.result == 'success' &&
+      needs.prepare.outputs.skip != 'true'
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-
+    timeout-minutes: 10
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
-          ref: ${{ needs.version.outputs.tag }}
+          # Same as the build job: prefer the bump job's tag (dispatch
+          # path) but fall back to the SHA (push path, no tag exists yet).
+          ref: ${{ needs.prepare.outputs.ref }}
 
-      - name: Download artifacts
-        if: needs.build.result == 'success'
+      - name: Download binaries
         uses: actions/download-artifact@v4
         with:
           path: dist/
@@ -140,28 +255,35 @@ jobs:
           merge-multiple: true
 
       - name: List artifacts
+        run: ls -la dist/
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_NOTES: ${{ needs.prepare.outputs.changelog }}
         run: |
-          if [ -d "dist" ]; then
-            echo "Release artifacts:"
-            ls -la dist/
-          else
-            echo "No artifacts (promote release)"
+          TAG="${{ needs.prepare.outputs.tag }}"
+          VERSION="${{ needs.prepare.outputs.version }}"
+
+          if [ -z "$RELEASE_NOTES" ]; then
+            RELEASE_NOTES="Release ${TAG}"
           fi
 
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ needs.version.outputs.tag }}
-          name: ${{ needs.version.outputs.tag }}
-          generate_release_notes: true
-          body: |
-            ## Install
-
-            ```bash
-            npm install pgserve@${{ needs.version.outputs.npm_tag }}
-            bunx pgserve@${{ needs.version.outputs.npm_tag }}
-            ```
-          prerelease: ${{ contains(needs.version.outputs.version, '-rc.') }}
-          files: |
+          {
+            echo "$RELEASE_NOTES"
+            echo ""
+            echo "## Install"
+            echo ""
+            echo '```bash'
+            echo "npm install pgserve@${VERSION}"
+            echo "bunx pgserve@${VERSION}"
+            echo '```'
+          } > /tmp/release-notes.md
+
+          # The tag already exists (created by bump job on dispatch, or by the
+          # human commit on push). gh release create resolves --target via the
+          # tag automatically when omitted.
+          gh release create "${TAG}" \
+            --title "${TAG}" \
+            --notes-file /tmp/release-notes.md \
             dist/*
-          fail_on_unmatched_files: false

package/.github/workflows/{build-all-platforms.yml → version.yml}

@@ -112,7 +112,12 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     if: inputs.version != ''
-    environment: npm-publish
+    # Note: `environment: npm-publish` was removed because the npmjs.com
+    # Trusted Publisher entry for `pgserve` does not declare an environment
+    # name. With the env gate present here, the OIDC token's environment
+    # claim did not match the registry's expectation and `npm publish`
+    # returned 404. Re-add this line if/when the Trusted Publisher entry
+    # has its Environment Name field set to `npm-publish`.
     permissions:
       id-token: write
       contents: read
@@ -123,10 +128,14 @@ jobs:
         with:
           ref: ${{ inputs.ref || github.ref }}
 
+      # Node 24 ships npm 11.5+ which has built-in OIDC trusted-publisher
+      # support. Avoids the `npm install -g npm@latest` self-upgrade bug
+      # (Arborist clobbering its own promise-retry dep mid-install) that
+      # broke rlmx's OIDC publish on Node 22.
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '24'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Setup Bun
@@ -137,6 +146,16 @@ jobs:
       - name: Install dependencies
         run: bun install
 
+      - name: Verify npm version supports OIDC trusted publishing
+        run: |
+          NPM_VERSION=$(npm --version)
+          echo "npm version: ${NPM_VERSION}"
+          MAJOR=$(echo "${NPM_VERSION}" | cut -d. -f1)
+          if [ "${MAJOR}" -lt 11 ]; then
+            echo "::error::npm ${NPM_VERSION} too old — OIDC requires >= 11.5.1. Bump node-version above."
+            exit 1
+          fi
+
       - name: Download all artifacts
         uses: actions/download-artifact@v4
         with:
@@ -179,13 +198,18 @@ jobs:
             echo "published=false" >> $GITHUB_OUTPUT
           fi
 
-      - name: Publish to npm
+      - name: Publish to npm via OIDC
         if: steps.check.outputs.published == 'false'
+        env:
+          HUSKY: "0"
+          # npm auto-enables provenance in any CI env with `id-token: write`,
+          # regardless of the --provenance CLI flag. On some runners the
+          # server-side sigstore check fails with 422; disable explicitly.
+          # OIDC token exchange still happens.
+          NPM_CONFIG_PROVENANCE: "false"
         run: |
-          echo "Publishing version ${{ inputs.version }} with tag ${{ inputs.npm_tag }}"
+          echo "Publishing version ${{ inputs.version }} with tag ${{ inputs.npm_tag }} via OIDC"
           npm publish --access public --tag ${{ inputs.npm_tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Verify publish
         if: steps.check.outputs.published == 'false'

package/AGENTS.md

@@ -1,3 +1,5 @@
+> **Shared rules in `~/.claude/rules/agent-bible.md`. Read it.**
+
 # Genie Agent Framework
 
 ## Core Identity
@@ -188,16 +190,18 @@ Before editing ANY implementation file, Base Genie must check:
 
 **Protocol:** `@.genie/spells/orchestration-boundary-protocol.md`
 
-**Release Workflow Protocol:**
-- ❌ Never manually trigger `workflow_dispatch` for releases
-- ❌ Never manually bump version in package.json
-- ✅ Always use PR with `rc` or `stable` label - release.yml auto-triggers on merge
-- ✅ Version bumping is automated by scripts/release.cjs
+**Release Workflow Protocol (push-to-main, single tier):**
+- ✅ Manual path: bump locally with `npm version patch|minor|major`, commit, PR to main. Merge → `release.yml` fires automatically.
+- ✅ Bot path: `gh workflow run release.yml -f bump=patch` (or `minor`/`major`). Bot bumps, tags, builds binaries, publishes to npm via OIDC.
+- ✅ Skip: any commit message starting with `[skip ci]` is filtered by the prepare gate.
+- ❌ No `rc`/`stable` PR labels (legacy — removed). No `scripts/release.cjs` (deleted).
+- ❌ Don't edit `package.json` `version` directly on `main` outside the `npm version` flow above.
+- ⚙️ npm publish runs from `.github/workflows/version.yml` (the file npmjs.com Trusted Publisher is bound to).
 
-**Documented Violations:**
+**Documented Violations (history):**
 - Bug #168, task b51db539, 2025-10-21 (duplicate implementation)
 - 2025-10-26 (claimed release implementation steps without investigating automation)
-- 2025-12-08 (manually set version to 1.1.0 + triggered workflow_dispatch → version jumped to 1.1.1-rc.1)
+- 2025-12-08 (manually set version to 1.1.0 + triggered workflow_dispatch → version jumped to 1.1.1-rc.1; this class of error is no longer possible — the bump path goes through `gh workflow run`, not direct package.json edits)
 
 ### 4. Task State Optimization - Live State, Not Documentation 🔴 CRITICAL
 **Rule:** Task state is ephemeral runtime data, not permanent documentation

package/Makefile

@@ -28,15 +28,13 @@ help: ## Show this help
 	@echo "$(CYAN)Embedded PostgreSQL server with multi-tenant support$(RESET)"
 	@echo ""
 	@echo "$(BOLD)Quick Commands:$(RESET)"
-	@echo "  $(PURPLE)release-rc$(RESET)     Create RC release locally"
-	@echo "  $(PURPLE)release-stable$(RESET) Promote RC to stable"
 	@echo "  $(PURPLE)test-local$(RESET)     Test server locally"
 	@echo "  $(PURPLE)pm2-start$(RESET)      Start server with PM2"
 	@echo ""
-	@echo "$(BOLD)CI/CD Workflow:$(RESET)"
-	@echo "  1. Create PR with changes"
-	@echo "  2. Add 'rc' label → auto-publishes to npm @next"
-	@echo "  3. Add 'stable' label → promotes to npm @latest"
+	@echo "$(BOLD)Releasing:$(RESET)"
+	@echo "  Manual: bump locally with 'npm version patch|minor|major', PR to main."
+	@echo "  Bot:    'gh workflow run release.yml -f bump=patch' (or minor/major)."
+	@echo "  Skip:   any commit message starting with [skip ci] is ignored."
 	@echo ""
 	@echo "$(BOLD)Build Executables:$(RESET)"
 	@echo "  $(PURPLE)build$(RESET)          Build for current platform"
@@ -211,35 +209,19 @@ clean-dist: ## Clean build artifacts
 	@echo "$(GREEN)✅ Dist cleaned!$(RESET)"
 
 # ==========================================
-# 🚀 CI/CD Release (Automated)
+# 🚀 Releasing
 # ==========================================
-# Releases are triggered by GitHub Actions when PRs are merged with labels:
-#   - 'rc' label → Creates RC release (1.0.8 → 1.0.9-rc.1)
-#   - 'stable' label → Promotes RC to stable (1.0.9-rc.1 → 1.0.9)
+# Releases are driven by .github/workflows/release.yml on push to main.
 #
-# See .github/workflows/release.yml for full automation.
+#   Manual:  bump locally with `npm version patch|minor|major`, commit, PR
+#            to main. Merge -> release fires automatically.
+#   Bot:     `gh workflow run release.yml -f bump=patch` (or minor/major).
+#            The bot bumps, tags, builds binaries, publishes to npm via OIDC.
+#   Skip:    any commit message starting with [skip ci] is ignored.
+#
+# There are no Make targets for releases — versioning is intentionally
+# centralized in CI to keep the local-vs-prod workflow paths identical.
 # ==========================================
-.PHONY: release-rc release-stable release-dry
-
-release-rc: ## Create RC release locally (for testing)
-	@echo "$(CYAN)🔢 Creating RC release...$(RESET)"
-	@node scripts/release.cjs --action bump-rc
-	@echo ""
-	@echo "$(GREEN)✅ RC release created!$(RESET)"
-	@echo "$(YELLOW)Push with: git push && git push --tags$(RESET)"
-
-release-stable: ## Promote RC to stable locally (for testing)
-	@echo "$(CYAN)🎉 Promoting to stable...$(RESET)"
-	@node scripts/release.cjs --action promote
-	@echo ""
-	@echo "$(GREEN)✅ Stable release created!$(RESET)"
-	@echo "$(YELLOW)Push with: git push && git push --tags$(RESET)"
-
-release-dry: ## Dry-run release (no changes)
-	@echo "$(CYAN)🔍 Dry-run release...$(RESET)"
-	@node scripts/release.cjs --action bump-rc --dry-run
-	@echo ""
-	@echo "$(GREEN)✅ Dry-run complete (no changes made)$(RESET)"
 
 # ==========================================
 # 📦 Manual Publish (Deprecated)
@@ -254,19 +236,14 @@ publish-dry: pre-publish ## Dry-run publish (test without actually publishing)
 	@echo "$(GREEN)✅ Dry-run successful!$(RESET)"
 	@echo "$(YELLOW)To actually publish, run: make publish$(RESET)"
 
-publish: ## ⚠️ [DEPRECATED] Use PR labels instead
+publish: ## ⚠️ [DEPRECATED] Releases run from CI on push to main
 	@echo ""
 	@echo "$(YELLOW)$(BOLD)╔═══════════════════════════════════════════════════════════════╗$(RESET)"
 	@echo "$(YELLOW)$(BOLD)║  ⚠️  Manual publish is DEPRECATED                            ║$(RESET)"
 	@echo "$(YELLOW)$(BOLD)║                                                               ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║  Use PR labels for automated releases:                       ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║    • Add 'rc' label → RC release (npm @next)                 ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║    • Add 'stable' label → Promote to stable (npm @latest)   ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║                                                               ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║  Local testing:                                              ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║    make release-rc      Create RC locally                    ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║    make release-stable  Promote locally                      ║$(RESET)"
-	@echo "$(YELLOW)$(BOLD)║    make release-dry     Dry-run (no changes)                 ║$(RESET)"
+	@echo "$(YELLOW)$(BOLD)║  Releases are driven by .github/workflows/release.yml:       ║$(RESET)"
+	@echo "$(YELLOW)$(BOLD)║    Manual: npm version patch|minor|major, commit, PR to main ║$(RESET)"
+	@echo "$(YELLOW)$(BOLD)║    Bot:    gh workflow run release.yml -f bump=patch         ║$(RESET)"
 	@echo "$(YELLOW)$(BOLD)╚═══════════════════════════════════════════════════════════════╝$(RESET)"
 	@echo ""