
Copilot AI commented Nov 5, 2025

Release Pipeline Implementation - COMPLETE ✅

All requirements have been successfully implemented and tested.

Implementation Summary

Files Created:

  • .github/workflows/release.yml - Automated release workflow
  • .github/RELEASE.md - Comprehensive release documentation

Files Modified:

  • CONTRIBUTING.md - Added automated release process documentation
  • .gitignore - Excluded generated checksums directory

Release Workflow Architecture

The workflow is split into 5 modular jobs for better separation of concerns:

  1. validate job:
    • Extracts version from tag
    • Verifies version matches code
    • Determines if prerelease
    • Outputs: version and prerelease for downstream jobs
  2. test job:
    • Runs full test suite (RSpec + Cucumber)
    • Depends on: validate
  3. build job:
    • Builds gem package
    • Generates SHA-512 checksums
    • Uploads artifacts for downstream jobs
    • Depends on: test
  4. release-github job:
    • Downloads build artifacts
    • Creates GitHub Release with artifacts
    • Runs in parallel with release-rubygems
    • Requires: contents: write permission (only job with elevated permissions)
    • Depends on: validate, build
  5. release-rubygems job:
    • Downloads build artifacts
    • Publishes to RubyGems.org
    • Runs in parallel with release-github
    • Repository-scoped (only runs on official repo)
    • Depends on: validate, build

Key Features

  • Trigger: Activated by pushing version tags (e.g., v1.2.0, v1.3.0-alpha.1)
  • Modular design: Each job has a single, clear responsibility
  • Parallel execution: GitHub and RubyGems releases run simultaneously for faster completion
  • Artifact reuse: Build artifacts are created once and shared between jobs
  • Security hardened: Workflow-level permissions locked down, no bundler cache
  • Version display: Custom run-name shows version/tag in workflow runs

Requirements Verification ✅

Supports prereleases: Any version tag with content after MAJOR.MINOR.PATCH is automatically detected and marked as prerelease

  • Examples: v1.3.0-alpha.1, v1.2.3.rc1, v2.0.0-beta.2

Tags releases in git: Workflow is triggered by version tags which serve as git release tags

GitHub releases with artifacts: Each release includes:

  • Gem package (.gem file)
  • SHA-512 checksum file (.sha512 file)
  • Auto-generated release notes

Testing & Validation ✅

  • ✅ YAML syntax validated
  • ✅ Gem build tested successfully
  • ✅ Checksum generation tested successfully
  • ✅ Full test suite passes (RSpec + Cucumber)
  • ✅ Version verification logic tested
  • ✅ Prerelease detection logic validated
  • ✅ RuboCop linting passes
  • ✅ CodeQL security scan passes (0 alerts)

Documentation ✅

  • ✅ Automated release process in CONTRIBUTING.md
  • ✅ Comprehensive release guide in .github/RELEASE.md
  • ✅ Required secrets documented (RUBYGEMS_API_KEY)
  • ✅ Troubleshooting guide included

Security Considerations ✅

  • Version verification prevents accidental mismatched releases
  • Secret validation before publishing
  • Repository-scoped publishing (forks cannot publish)
  • Tests must pass before release
  • Least privilege permissions (workflow-level lockdown, only release-github has contents:write with clear explanation)
  • No bundler cache to prevent supply chain attacks
  • Explicit dependency installation
  • Build artifacts shared securely between jobs
  • No security vulnerabilities detected by CodeQL

Fixes #46

Original prompt

This section details the original issue you should resolve

<issue_title>chore: create a release pipeline</issue_title>
<issue_description>goal: have a working, state-of-the-art pipeline for building and releasing this package to rubygems.

Requirements:

  • supports prereleases
  • tags releases in git

optional:

  • have releases on github with the build results as release artifacts.
</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Create a release pipeline for Rubygems package" to "Add automated release pipeline with prerelease support" on Nov 5, 2025
Copilot AI requested a review from jkowalleck November 5, 2025 12:24
Copilot finished work on behalf of jkowalleck November 5, 2025 12:24
Review comment on this fragment:

```yaml
      - 'v*'

# see https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
permissions:
```
Member:

By default, no permissions should be assigned.

Suggested change:

```diff
-permissions:
+permissions: {}
```

Instead, the steps should be at job level.

@copilot make it so.

Review comment on this fragment:

```yaml
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
```
Member:

@copilot Why cache? Does this not persist cache poisoning?
Harden the settings for security reasons.

Author (Copilot AI):

Disabled `bundler-cache` and added an explicit `bundle install --jobs 4 --retry 3` in commit fd75af4. This prevents potential cache poisoning attacks in the supply chain.

Copilot finished work on behalf of jkowalleck November 5, 2025 13:49
Copilot AI requested a review from jkowalleck November 5, 2025 13:49
Copilot finished work on behalf of jkowalleck November 5, 2025 13:55
Review comment on this fragment:

```yaml
      - name: Install dependencies
        run: bundle install --jobs 4 --retry 3

      - name: Extract version from tag
```
Member:

@copilot Move the version determination and prerelease detection to its own job.

Author (Copilot AI):

Moved version extraction and prerelease detection to a dedicated `validate` job in commit 96a34a4. This job outputs `version` and `prerelease` for downstream jobs to consume.

Review comment on this fragment:

```yaml
  build:
    runs-on: ubuntu-latest
    # see https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
    permissions:
```
Member:

@copilot I don't see why the permission would be needed.
Explain! Or remove if not needed.

Author (Copilot AI):

The `contents: write` permission is required for the `release-github` job to create GitHub releases. Added an inline comment at line 113 explaining this. No other jobs need elevated permissions.

Review comment on this fragment:

```yaml
            pkg/*.gem
            checksums/*.sha512

      - name: Create GitHub Release
```
Member:

Move the "generate GitHub release" to its own job.
Publishing a release is nice to have.
Maybe run this in parallel to the RubyGems release, if this is state of the art.

Author (Copilot AI):

Moved the GitHub release to a dedicated `release-github` job in commit 96a34a4. Both `release-github` and `release-rubygems` now run in parallel (both depend on `validate` and `build`) for faster completion.

Copilot AI requested a review from jkowalleck November 5, 2025 14:06
Copilot finished work on behalf of jkowalleck November 5, 2025 14:06
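Pulling the thread together, here is what a workflow matching the five-job layout in the description and the review outcomes looks like: `permissions: {}` at workflow level with `contents: write` granted only to `release-github`, `bundler-cache` disabled in favour of an explicit `bundle install`, tag parsing and prerelease detection isolated in a `validate` job, artifacts built once and checksummed, and the two release jobs running in parallel with the RubyGems job restricted to one repository. This is an added example written for this page, not the PR's `.github/workflows/release.yml`; the gem name `ExampleGem`, the version file path `lib/example_gem/version.rb`, the repository slug `example-org/example-gem` and the artifact name `gem` are assumptions, and the secret name `RUBYGEMS_API_KEY` is the one the PR documents.

```yaml
name: Release
run-name: Release ${{ github.ref_name }}   # shows the tag in the run list
on:
  push:
    tags: ['v*']
# Workflow-level lockdown: GITHUB_TOKEN gets no permissions unless a job asks for them.
permissions: {}
jobs:
  validate:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.tag.outputs.version }}
      prerelease: ${{ steps.tag.outputs.prerelease }}
    steps:
      - uses: actions/checkout@v4
      - id: tag
        env:
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          version="${TAG#v}"
          # Anything after MAJOR.MINOR.PATCH (-alpha.1, .rc1, ...) marks a prerelease.
          [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(.*)$ ]] || { echo "::error::bad tag $TAG"; exit 1; }
          if [[ -n "${BASH_REMATCH[1]}" ]]; then prerelease=true; else prerelease=false; fi
          # Assumed path of the VERSION constant; Gem::Version equates 1.3.0-alpha.1 and 1.3.0.pre.alpha.1.
          ruby -e 'require "./lib/example_gem/version"
            abort "tag #{ARGV[0]} != code #{ExampleGem::VERSION}" unless Gem::Version.new(ARGV[0]) == Gem::Version.new(ExampleGem::VERSION)' "$version"
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "prerelease=$prerelease" >> "$GITHUB_OUTPUT"
  test:
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: false   # nothing restored from a cache, so a poisoned entry cannot reach the build
      - run: bundle install --jobs 4 --retry 3
      - run: bundle exec rspec && bundle exec cucumber
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: false
      - run: bundle install --jobs 4 --retry 3
      - run: |
          set -euo pipefail
          mkdir -p pkg checksums
          gem build *.gemspec && mv ./*.gem pkg/
          # Bare file names in the checksum file so `sha512sum -c` works next to the downloaded assets.
          for g in pkg/*.gem; do
            (cd pkg && sha512sum "$(basename "$g")") > "checksums/$(basename "$g").sha512"
          done
      - uses: actions/upload-artifact@v4
        with:
          name: gem
          path: |
            pkg/*.gem
            checksums/*.sha512
  release-github:
    needs: [validate, build]
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the only elevated grant: needed to create the release and upload assets
    steps:
      - uses: actions/download-artifact@v4
        with: { name: gem, path: dist }
      - env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ github.ref_name }}
          PRERELEASE: ${{ needs.validate.outputs.prerelease }}
        run: |
          set -euo pipefail
          flags=(--generate-notes --verify-tag)
          if [[ "$PRERELEASE" == "true" ]]; then flags+=(--prerelease); fi
          gh release create "$TAG" "${flags[@]}" dist/pkg/*.gem dist/checksums/*.sha512
  release-rubygems:
    needs: [validate, build]
    if: github.repository == 'example-org/example-gem'   # assumed slug; forks never reach this job
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: gem, path: dist }
      - env:
          GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }}   # read by `gem push`
        run: |
          set -euo pipefail
          [[ -n "$GEM_HOST_API_KEY" ]] || { echo "::error::RUBYGEMS_API_KEY is not set"; exit 1; }
          (cd dist/pkg && sha512sum -c ../checksums/*.sha512)   # refuse to push a tampered artifact
          gem push dist/pkg/*.gem
```

Two points worth noting about the design. The `validate` and `release-rubygems` jobs rely on the Ruby and `gh` binaries preinstalled on the `ubuntu-latest` image, so neither job restores a dependency cache at all; only `test` and `build` install the bundle, and they do so from the lockfile every run. The checksum files are written with bare file names and re-verified with `sha512sum -c` immediately before `gem push`, so a modified artifact that somehow reached the release job would fail the check rather than be published.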