Port release-publisher workflow from click-ui repository

[Claude]

Summary

Ports the automated release publisher workflow from click-ui to automate npm publishing for the clickhouse-js packages.

Changes

Added .scripts/bash/verify-release-commit

• Bash script that validates release commit message format: "Release vX.Y.Z" or "chore: Release vX.Y.Z"
• Detects release type (latest, rc, beta, test, alpha) from version suffix
• Returns version and release type for workflow consumption

Added .github/workflows/release-publisher.yml

• Triggers on PR merge to any branch
• Validates commit message to detect release PRs
• Creates and pushes git tags automatically
• Builds all packages via npm run build
• Publishes 3 workspace packages to npm: @clickhouse/client-common, @clickhouse/client, @clickhouse/client-web
• Uses npm provenance (--provenance) for supply chain security
• Creates GitHub releases with extracted changelog
• Manages maintenance branches (chore/vX.Y.Z)
• Includes safeguards to prevent accidental releases from main when maintenance branch exists

Key Adaptations

• Workspace publishing: npm --workspaces publish instead of single package
• Node 20.x (matching repository requirements)
• npm tooling (repository standard)
• Changelog regex adjusted for # X.Y.Z format
• Slack notifications removed (not configured in this repo)

Checklist

• Unit and integration tests covering the common scenarios were added
• A human-readable description of the changes was provided to include in CHANGELOG
• For significant changes, documentation in https://github.com/ClickHouse/clickhouse-docs was updated with further explanations or tutorials

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

Ports an automated GitHub Actions release workflow into this repository to publish the ClickHouse JS workspace packages to npm when a release PR is merged, including tagging and GitHub Release creation.

Changes:

• Added a bash helper script to detect/validate release commit messages and derive npm dist-tag type.
• Added a release-publisher GitHub Actions workflow to tag, build, publish workspace packages with provenance, and create GitHub Releases.
• Added logic to manage/guard maintenance branches (chore/vX.Y.Z) during releases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
.scripts/bash/verify-release-commit	Validates release commit message format and outputs version + release type for the workflow.
.github/workflows/release-publisher.yml	Implements the release pipeline: detect release merges, tag, build, publish workspaces, create GitHub Release, and maintain branches.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

If the tag already exists, this step exits successfully but the job continues to npm publish / create a GitHub release. That will typically fail (npm won't allow re-publishing the same version) and can also create duplicate release artifacts. Consider marking the workflow as "already released" (set an output) and conditionally skipping the remaining release steps, or fail fast when the tag exists to avoid partial/duplicate releases.

[Copilot]

The release commit regex currently accepts any prerelease suffix (-[a-z]+.[0-9]+). That means a commit like Release v1.2.3-foo.1 would be treated as a valid release, but then the script would classify it as latest (since it doesn't match rc/beta/test/alpha), causing a prerelease to be published under the latest npm dist-tag. Restrict the allowed suffixes in the regex to the supported set (rc/beta/test/alpha), or treat unknown suffixes as an error instead of defaulting to latest.

[Copilot]

Installing npm@latest during the release workflow makes releases non-reproducible and can introduce breaking changes unexpectedly. Prefer relying on the npm version bundled with the chosen Node version, or pin npm to a known-good major/minor version required for OIDC/provenance support.

Suggested change

	npm install -g npm@latest
	npm install -g npm@10.9

[Copilot]

The changelog extraction uses awk "/^# $VERSION/,/^# [0-9]/" ... | sed '1d;$d'. If the requested version is the last entry in CHANGELOG.md (no subsequent # ... header), sed '$d' will drop the last line of the actual changelog section. Adjust the extraction to only drop the trailing header when one is present (e.g., stop printing before the next header in awk) so the full section is preserved for the final entry.

[Copilot]

The workflow triggers on pull_request: closed but doesn't check whether the PR was actually merged. On an unmerged/closed PR, github.sha refers to the PR head commit, so a commit message matching the release pattern could accidentally trigger a publish. Add a guard like if: github.event.pull_request.merged == true (job-level or before any publishing steps) and use github.event.pull_request.merge_commit_sha (or the merge commit) for the commit message/tagging logic instead of github.sha.

[Copilot]

Other workflows in this repo pin GitHub Actions to full commit SHAs (e.g. actions/checkout@... # v6.0.2) for supply-chain hardening, but this workflow uses the mutable @v6 tag. Please pin actions/checkout to a specific commit SHA (and keep the version comment) to match the repo’s existing pattern.

Suggested change

	uses: actions/checkout@v6
	uses: actions/checkout@3df4d853f9c9b7a1c2e4b5f6a7d8e9f0b1c2d3e # v6.0.2

[Copilot]

Other workflows in this repo pin actions/setup-node to a specific commit SHA, but here it uses @v6. Pin actions/setup-node to a commit SHA (consistent with the rest of .github/workflows/*) so the release workflow isn't depending on a mutable tag.

Suggested change

	uses: actions/setup-node@v6
	uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8