chore(ci): add release.yml — tag-triggered npm publish + GitHub release

Mirrors agentic-sdlc-wizard's release.yml pattern. Triggers on v* tag
push (or manual dispatch with the tag arg as fallback). Gates publish
behind:
  - tag is on main (rejects detached/branch-only tags)
  - tag matches package.json version (rejects mismatches like v0.2.0
    against package version 0.2.1)
  - npm test passes (113/113 must stay green)

Adds --access public to npm publish since opencode-sdlc-wizard is
unscoped (not @BaseInfinity/...), and --provenance for supply-chain
attestation.

Requires NPM_TOKEN secret on the repo before the first tag push.

Author: BaseInfinity

.github/workflows/release.yml

@@ -0,0 +1,66 @@
+name: Release
+
+on:
+  push:
+    tags: ['v*']
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Existing tag to publish (e.g. v0.2.0) — fallback when push-trigger misfires'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  publish-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.tag || github.ref }}
+
+      - name: Verify tag is on main branch
+        run: |
+          git fetch origin main
+          git merge-base --is-ancestor HEAD origin/main || {
+            echo "::error::Tagged commit is not on main branch. Aborting publish."
+            exit 1
+          }
+
+      - name: Verify tag matches package.json version
+        env:
+          INPUT_TAG: ${{ github.event.inputs.tag }}
+        run: |
+          if [ -n "$INPUT_TAG" ]; then
+            TAG="${INPUT_TAG#v}"
+          else
+            TAG="${GITHUB_REF#refs/tags/v}"
+          fi
+          PKG=$(node -p "require('./package.json').version")
+          [ "$TAG" = "$PKG" ] || {
+            echo "::error::Tag v$TAG does not match package.json version $PKG"
+            exit 1
+          }
+
+      - uses: actions/setup-node@v5
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+
+      - name: Run tests
+        run: npm test
+
+      - name: Publish to npm
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create GitHub Release
+        run: gh release create "$TAG_NAME" --generate-notes
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ github.event.inputs.tag || github.ref_name }}