chore(release): four-script release flow with manual publish fallback

[vaaraio]

Summary

Four scripts under scripts/ plus a runbook at scripts/RELEASE.md.
Lifts the release pattern actually used in v0.39.1 (#150) and v0.39.2
(#151) so the next dozen releases don't get pasted by hand.

Scripts

• scripts/release_prepare.sh <VERSION> [CO_TAG]: verifies the
  pre-flight files exist (.commit_msg_v<VERSION>_release.txt,
  .pr_body_v<VERSION>.md, CHANGELOG entry), bumps the three version
  files, runs ruff + full pytest (deselects the pre-existing SSRF
  test), stages explicit paths only, commits via -F, creates both
  annotated tags, creates release/v<VERSION> branch. Stops before
  push.
• scripts/release_push_and_pr.sh <VERSION>: pushes the release
  branch (your keystroke), opens the PR using the commit subject as
  PR title and .pr_body_v<VERSION>.md as body.
• scripts/release_merge_and_tag.sh <PR_NUMBER> <VERSION> [CO_TAG]:
  gh pr checks --watch --required, squash-merge, fetch the merged
  commit, re-tag at origin/main (sidesteps squash-merge divergence
  without git reset --hard), print the gated tag-push command.
• scripts/release_publish_manual.sh <VERSION>: PyPI via twine + npm
  publish --no-provenance fallback when the GH Actions Release
  workflow itself is broken. Behind a typed-version confirmation.
  Use only when the workflow cannot run, not for transient infra
  noise (wait + rerun the workflow in that case).

Gated keystrokes preserved

The release flow keeps three gated keystrokes: branch push, tag push,
and manual PyPI upload. Everything else is one invocation per stage.

Tagging strategy

The re-tag step uses git tag -a v<VERSION> origin/main rather than
checking out main and tagging HEAD. Squash-merge writes a new commit
on remote main that does not match the pre-merge local SHA; tagging
against origin/main directly avoids needing a git reset --hard
(which is on the destructive-ops list) to sync local main first.

Test plan

• CI passes on this PR
• Next release (v0.40 or later) uses scripts/release_prepare.sh
  end-to-end and the pasted-command count drops from ~12 to ~3
  (branch push, tag push, optional local-main reconciliation)

[coderabbitai]

Warning

Review limit reached

@vaaraio, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 15 minutes and 48 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 406bdff1-ee54-4526-a40a-c292268daac3

📥 Commits

Reviewing files that changed from the base of the PR and between a5d3c12 and 05c3dec.

📒 Files selected for processing (5)

• scripts/RELEASE.md
• scripts/release_merge_and_tag.sh
• scripts/release_prepare.sh
• scripts/release_publish_manual.sh
• scripts/release_push_and_pr.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/release-scripts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}