add ci cd with trusted publishing

[samuelstroschein]

Note

Sets up GitHub Actions for CI, versioning, and npm publishing, and aligns repo metadata and tooling versions.

• New Continuous Integration workflow: Ubuntu runners, node@24, pnpm@10.23.0, pnpm install --frozen-lockfile, runs pnpm run ci
• New publish-npm-packages.yml: gated on CI success or manual, configures trusted publishing (OIDC, npm@^11.5.1), builds and runs pnpm exec changeset publish
• Updated versioning.yml: allow manual runs; ubuntu-latest, node@24, creates release PR via changesets/action, auto-updates lockfile on changeset-release/main
• Repo/package metadata: root renamed to zettel-monorepo; added top-level repository field and repository URLs to packages

^{Written by Cursor Bugbot for commit b28ddfc. This will update automatically on new commits. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dd71ef23ec

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Run build before tests to satisfy dist exports

CI now runs pnpm test before pnpm build, which breaks workspace packages that import other packages via exports pointing at ./dist (e.g., @opral/zettel-ast exports ./dist/index.js and is a dependency of @opral/zettel-html; see packages/zettel-ast/package.json lines 10–13 and packages/zettel-html/package.json lines 31–33). In a clean checkout there is no dist/, so tests that import these dependencies will fail to resolve until the build step has run; this is why the previous pnpm run ci built before testing. Consider restoring the build-before-test order (or using pnpm run ci) to keep CI green.

Useful? React with 👍 / 👎.

[cursor]

Publish workflow may checkout untested code after rapid commits

Medium Severity

When triggered by workflow_run, the actions/checkout without a ref parameter checks out github.sha, which is the latest commit on the default branch—not necessarily the commit that CI tested. If another commit is pushed between CI starting and the publish workflow running, untested code could be published. The checkout needs to specify ref: ${{ github.event.workflow_run.head_sha }} to ensure it checks out the exact commit that passed CI.