
chore: add release automation script and bot-PR workflow #625

Merged: lwshang merged 2 commits into main from linwei.shang/release-automation on Jun 25, 2026

@lwshang lwshang commented Jun 24, 2026


Summary

Replaces the agent-driven release skill with a deterministic, local shell script plus one bot-authored-PR workflow. Now that releases are stable-only and the procedure is fixed, an AI agent is overkill; a script is a better fit and needs no new repo/org settings.

.github/workflows/release-pr.yml

A workflow_dispatch workflow that opens a release PR authored by the pr-automation-bot-public GitHub App (the same App + secrets bump-network-launcher.yml already uses). Because the bot authors the PR, a single release driver can approve it without a second reviewer. One kind input handles both:

  • version-bump: bumps the workspace version, cargo update --workspace for Cargo.lock, and promotes # Unreleased to # vX.Y.Z in the changelog.
  • docs-versions: adds the new docs version to docs-site/versions.json.

scripts/release.sh

./scripts/release.sh <VERSION> drives the whole release: bump PR → tag + push → cargo-dist Release workflow → npm → homebrew-tap → docs versions. It pauses only for the 2–3 PR approvals (version bump, homebrew-tap, and — for a new minor — docs versions). Clear per-step failure reporting with URLs; no automatic rollback by design. Re-running with the same version reuses any PR/tag that already exists.

Why this works without settings changes

  • The bot-authored bump PR sidesteps the "can't approve your own PR" rule, so one driver approves.
  • The driver pushes the tag locally with their own credentials, so the GITHUB_TOKEN-doesn't-trigger-workflows limitation never applies.
  • The driver's gh auth already spans dfinity/homebrew-tap, so no cross-repo dispatch token is needed.

Before first use

  • Merge this PR first; workflow_dispatch only works once release-pr.yml is on the default branch.
  • The .claude/skills/release/ skill is intentionally kept for now; remove it after the first successful run of the new script.

Follow-up (deferred)

docs-site/versions.json currently keys by major.minor, matching today's docs.yml deploy path — so a future v1.1.0 would add a /1.1/ entry. Whether the whole 1.x line should collapse to a single /1/ major version (with /2/ next) is a team decision tracked separately; this PR keeps the existing behavior.

Validation

shellcheck clean; YAML parses; the version-bump awk transforms, the docs versions.json jq (new-minor and patch/no-op cases), and both rendered PR bodies were tested against the real repo files.

🤖 Generated with Claude Code

Replaces the agent-driven release skill with a deterministic local script
plus one bot-authored-PR workflow, now that releases are stable-only and the
procedure is fixed.

- .github/workflows/release-pr.yml: opens a release PR (version bump or docs
  versions.json bump) as the pr-automation-bot-public App, so a single release
  driver can approve it without a second reviewer. No new repo/org settings.
- scripts/release.sh: orchestrates the release end to end (bump PR -> tag ->
  Release workflow -> npm -> homebrew-tap -> docs versions), pausing only for
  the 2-3 PR approvals. Clear per-step failure reporting; no auto rollback.

The .claude/skills/release/ skill is left in place and can be removed after the
first successful run of the new script.

Follow-up (deferred): docs versions.json currently keys by major.minor, so a
future v1.1.0 would add a /1.1/ entry. Whether 1.x docs should collapse to a
single /1/ major version is a team decision tracked separately.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lwshang lwshang marked this pull request as ready for review June 24, 2026 16:16
@lwshang lwshang requested a review from a team as a code owner June 24, 2026 16:16

Copilot AI left a comment


Pull request overview

This PR introduces a deterministic release process for icp-cli by replacing the prior agent-driven approach with a local driver script plus a GitHub Actions workflow that opens bot-authored release PRs.

Changes:

  • Add scripts/release.sh to drive the end-to-end stable release flow (bump PR → tag → workflows → npm → homebrew-tap → docs versions).
  • Add .github/workflows/release-pr.yml to open bot-authored PRs for version bumps and docs version updates via workflow_dispatch.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| scripts/release.sh | New local release driver script orchestrating PR creation/approval, tagging, workflow watching, and downstream publish steps. |
| .github/workflows/release-pr.yml | New workflow to open release PRs (version bump or docs versions) authored by the PR automation GitHub App. |

- release.sh: skip the version-bump PR when origin/main is already at the
  target version, so re-running after a merged bump no longer re-opens the PR
  (and can't trigger a duplicate CHANGELOG header).
- release.sh: dispatch npm by workflow filename (release-npm.yml) instead of
  the display name, for an unambiguous identifier.
- release.sh: harden the docs versions.json read — fail clearly on a parse
  error or multiple `latest:true` entries instead of silently proceeding.
- release-pr.yml: make CHANGELOG promotion idempotent (skip if a `# vX.Y.Z`
  header already exists) so a re-dispatch can't duplicate the section.
- release-pr.yml: clarify the `cargo update --workspace` comment (it re-locks
  only the workspace members' versions, not dependency versions).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lwshang lwshang merged commit d606bc1 into main Jun 25, 2026
90 checks passed
@lwshang lwshang deleted the linwei.shang/release-automation branch June 25, 2026 14:11
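
The idempotent CHANGELOG promotion and stable-only version check described in this thread, as an added example that is not the project's release-pr.yml or release.sh. It assumes promotion keeps the `# Unreleased` heading and inserts `# vX.Y.Z` directly below it; the function names and the sample changelog are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; not the project's release-pr.yml or release.sh.
# Assumption: promotion keeps "# Unreleased" and inserts "# vX.Y.Z" below it.

# Accept only stable X.Y.Z versions (no "v" prefix, pre-release or build suffix).
is_stable_version() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # also rejects embedded newlines
  printf '%s\n' "$1" |
    grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Constructed sample changelog, written to the path given as $1.
make_sample_changelog() {
  cat > "$1" <<'EOF'
# Unreleased

* feat: constructed entry

# v1.2.2

* fix: older constructed entry
EOF
}

# promote_changelog FILE VERSION
# Returns 0 after promoting or when already promoted (no-op); 1 on bad input.
promote_changelog() {
  file=$1; version=$2
  is_stable_version "$version" || { echo "not a stable version: $version" >&2; return 1; }
  # Idempotency guard: whole-line fixed-string match, so 1.2.3 never matches 1.2.30.
  if grep -Fxq "# v$version" "$file"; then
    echo "v$version already promoted, nothing to do" >&2
    return 0
  fi
  # Refuse to guess when the anchor heading is missing or duplicated.
  n=$(grep -Fxc "# Unreleased" "$file" || true)
  [ "$n" = 1 ] || { echo "expected exactly one '# Unreleased' heading" >&2; return 1; }
  tmp=$(mktemp) || return 1
  awk -v hdr="# v$version" '
    { print }
    $0 == "# Unreleased" { print ""; print hdr }
  ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}
```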