ci: add tag-driven release workflow for SDK packages #148

Closed
behnam-oneschema wants to merge 4 commits into main from devin/1776667371-sdk-release-automation

@behnam-oneschema
Member

Summary

Adds minimal, opt-in release automation (Option A from the prep discussion) so that publishing the SDK packages no longer requires running npm publish from a developer laptop. Versioning and the two hand-curated changelogs stay exactly as they are today.

Two release trains, synced within each family

| Family | Packages | Changelog | Tag |
|---|---|---|---|
| importer | @oneschema/importer, @oneschema/react, @oneschema/vue, @oneschema/angular | CHANGELOG.md | importer-vX.Y.Z |
| filefeeds | @oneschema/filefeeds, @oneschema/filefeeds-react | CHANGELOG-filefeeds.md | filefeeds-vX.Y.Z |

New workflows

  • .github/workflows/release.yml — fires on importer-v* / filefeeds-v* tag pushes and on workflow_dispatch. It:
    1. Parses family + version from the tag (or from the dispatch inputs).
    2. Verifies every package.json in the family matches the tag version; fails fast on mismatch (I tested both the happy-path and the mismatch path locally — see below).
    3. yarn install --frozen-lockfile → per-package yarn build (incl. ng build for Angular).
    4. npm publish --access public --provenance in dependency order (core → wrappers). Angular publishes from the ng-packagr dist/@oneschema/angular output (which ships its own generated package.json).
    5. Creates a GitHub Release on tag pushes.
  • .github/workflows/ci.yml — lint + build on every PR and every push to main, so we never tag a broken commit.

npm auth

Per the earlier decision, primary path is npm OIDC trusted publishing (no secret needed). One-time setup on npmjs.com required per package (see RELEASING.md). If an NPM_TOKEN repo secret is set, the workflow uses it as a fallback — --provenance works in both modes because id-token: write is granted.

Explicit non-goals

  • Does not bump versions or edit changelogs — those remain in the PR the release manager opens (matching today's chore: bump version number flow, e.g. chore: bump version number #147).
  • Does not change package contents on npm (I compared npm publish --dry-run output to today's published tarballs; file list is unchanged).
  • Does not automate tag creation. Tags are still pushed manually after the version-bump PR merges.

Review & Testing Checklist for Human

  • Set up trusted publishing on npm for each of the 6 packages (or configure an NPM_TOKEN secret) before the first real release. Without this the tag-push will fail on npm publish.
  • Confirm the tag conventions (importer-v*, filefeeds-v*) work for your release flow — happy to rename to anything else.
  • Do a manual dispatch dry-run after merge: Actions → Release → Run workflow → pick importer, version 0.7.4, check dry_run. Confirm it builds all 4 packages and prints publish --dry-run output for each. Repeat for filefeeds / 0.5.2.
  • Decide whether the CI workflow on every PR is too heavy (yarn install + 6 builds + Angular build ≈ a couple of minutes).

Things I verified locally

  • yarn install --frozen-lockfile --ignore-scripts
  • yarn build succeeds for all 5 rollup packages ✓
  • yarn ng build for Angular produces packages/importer-angular/dist/@oneschema/angular with a valid package.json
  • npm publish --dry-run --access public from each package dir (incl. the Angular dist dir) produces the expected tarball ✓
  • actionlint passes on both workflow files ✓
  • Tag-parse + version-verify bash logic unit-tested for happy and mismatch cases ✓

Notes

  • Two small side observations I did not address in this PR, to keep the diff focused:
    • The existing @oneschema/importer tarball ships a stale oneschema-importer-v0.5.3.tgz, rollup.config.js, and the test/ tree, because no package.json#files field is set. This is pre-existing and unchanged.
    • importer-angular's workspace-root package.json has "build": "true" (no-op); the real build lives in the ng CLI. The workflow calls yarn run ng build directly for clarity, but we could wire this into the root script later.
  • If you'd prefer Option B (Changesets) in the future, this workflow composes with it — Changesets' release PR would drop a tag that this workflow picks up.

Link to Devin session: https://app.devin.ai/sessions/8aeb53a2c3cf4d51b133df9f10757a48
Requested by: @behnam-oneschema

Adds a minimal, opt-in release automation that keeps the current
human-curated versioning and changelog flow but eliminates the need to
run `npm publish` from a developer laptop.

- .github/workflows/release.yml: tag-driven (`importer-v*` or
  `filefeeds-v*`) + workflow_dispatch with dry-run. Verifies every
  package.json in the family matches the tag version, builds, and
  publishes with `--access public --provenance` in dependency order.
  Supports OIDC trusted publishing and falls back to `NPM_TOKEN` if
  present.
- .github/workflows/ci.yml: lint + build guardrails on PRs and pushes
  to main so we never tag a broken commit.
- RELEASING.md: release runbook covering the two synced families
  (importer / filefeeds), tag conventions, and npm auth setup.
- README.md: link to RELEASING.md.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
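
The tag-parse and version-verify gate described in the PR summary, sketched as an added example; it is not the PR's release.yml, which this page does not show. The function names, the `core`/`wrapper` fixture directories and the `sed`-based version read are assumptions, and tags are assumed to be exactly `<family>-vX.Y.Z`.

```shell
# Added example, not the PR's release.yml. Assumes tags are <family>-vX.Y.Z.
# parse_tag TAG: print "family version"; reject anything else.
parse_tag() (
  case $1 in
    importer-v*)  family=importer ;;
    filefeeds-v*) family=filefeeds ;;
    *) echo "unrecognised release tag: $1" >&2; exit 1 ;;
  esac
  version=${1#"$family"-v}
  # Allow only digits and dots, then require exactly three numeric parts,
  # so no other characters from a tag name reach later shell steps.
  case $version in *[!0-9.]*) version= ;; esac
  if ! printf '%s\n' "$version" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+'; then
    echo "bad version in tag: $1" >&2; exit 1
  fi
  printf '%s %s\n' "$family" "$version"
)

# pkg_version FILE: first "version" value, assuming one JSON key per line.
# sed keeps the example dependency-free; a real job could use node or jq.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$1" 2>/dev/null | head -n 1
}

# verify_family VERSION DIR...: non-zero if any package.json disagrees.
verify_family() (
  want=$1; shift; rc=0
  for dir in "$@"; do
    got=$(pkg_version "$dir/package.json")
    if [ "$got" != "$want" ]; then
      echo "mismatch: $dir is '${got:-missing}', tag says '$want'" >&2
      rc=1
    fi
  done
  exit "$rc"
)

# Constructed fixture: two packages, the second left behind at 0.7.3.
make_fixture() {
  mkdir -p "$1/core" "$1/wrapper"
  printf '{\n  "name": "core",\n  "version": "0.7.4"\n}\n' > "$1/core/package.json"
  printf '{\n  "name": "wrapper",\n  "version": "0.7.3"\n}\n' > "$1/wrapper/package.json"
}

tmp=$(mktemp -d) && make_fixture "$tmp"
set -- $(parse_tag importer-v0.7.4)
verify_family "$2" "$tmp/core" "$tmp/wrapper" || echo "release blocked"
rm -rf "$tmp"
```

Running the gate before any build or publish step means a stale package.json stops the release while nothing has reached the registry yet.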
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

behnam-oneschema and others added 2 commits April 20, 2026 06:47
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
devin-ai-integration[bot]

This comment was marked as resolved.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>