Add CI/CD workflows, version pinning, and release tooling

- Add CI workflow (ruff + pytest on Python 3.11/3.12 matrix)
- Add release workflow (PyPI via OIDC, npm, GitHub Release on tag push)
- Pin PyPI version in npm wrapper to match package.json version
- Add bump-version.sh script to keep versions in sync
- Document release process in CONTRIBUTING.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: iamspathan

.github/workflows/ci.yml

@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check src/ tests/
+
+      - name: Run tests
+        run: pytest

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check src/ tests/
+
+      - name: Run tests
+        run: pytest
+
+  publish-pypi:
+    needs: test
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    environment: pypi
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build sdist and wheel
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  publish-npm:
+    needs: publish-pypi
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Publish to npm
+        working-directory: npm
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+
+  github-release:
+    needs: publish-npm
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create GitHub Release
+        run: gh release create "${{ github.ref_name }}" --generate-notes
+        env:
+          GH_TOKEN: ${{ github.token }}

CONTRIBUTING.md

@@ -194,6 +194,26 @@ Before opening a PR, verify:
 - [ ] New rules have valid YAML schema and OWASP mapping
 - [ ] Commit messages are clear and descriptive
 
+## Releasing
+
+Releases are automated via GitHub Actions. When a version tag is pushed, CI publishes to PyPI and npm automatically.
+
+```bash
+# Bump version in pyproject.toml + npm/package.json, commit, and tag
+./scripts/bump-version.sh 1.1.0
+
+# Push to trigger the release workflow
+git push origin main --tags
+```
+
+The release workflow will:
+1. Run the full test suite
+2. Publish to PyPI (via OIDC trusted publishing)
+3. Publish to npm (via `NODE_AUTH_TOKEN` secret)
+4. Create a GitHub Release with auto-generated notes
+
+**Important**: PyPI is published before npm because the npm wrapper installs from PyPI at runtime.
+
 ## Reporting Issues
 
 ### Bug reports

npm/lib/venv-manager.js

@@ -5,6 +5,8 @@ const fs = require("fs");
 const { execFileSync } = require("child_process");
 const { findPython, MIN_MAJOR, MIN_MINOR } = require("./python-resolver");
 
+const PKG = require("../package.json");
+
 const VENV_DIR = path.join(__dirname, "..", ".venv");
 const PIP_PACKAGE = "llm-authz-audit";
 const REPO_ROOT = path.join(__dirname, "..", "..");
@@ -65,7 +67,7 @@ function setup() {
       stdio: "inherit",
     });
   } else {
-    execFileSync(pip, ["-m", "pip", "install", PIP_PACKAGE], {
+    execFileSync(pip, ["-m", "pip", "install", `${PIP_PACKAGE}==${PKG.version}`], {
       stdio: "inherit",
     });
   }

scripts/bump-version.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <version>"
+  echo "Example: $0 1.1.0"
+  exit 1
+fi
+
+VERSION="$1"
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+# Validate semver format
+if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+  echo "Error: version must be in semver format (e.g. 1.2.3)"
+  exit 1
+fi
+
+echo "Bumping version to $VERSION..."
+
+# Update pyproject.toml
+sed -i.bak "s/^version = \".*\"/version = \"$VERSION\"/" "$REPO_ROOT/pyproject.toml"
+rm -f "$REPO_ROOT/pyproject.toml.bak"
+
+# Update npm/package.json
+cd "$REPO_ROOT/npm"
+npm version "$VERSION" --no-git-tag-version --allow-same-version
+
+# Commit and tag
+cd "$REPO_ROOT"
+git add pyproject.toml npm/package.json
+git commit -m "chore: bump version to $VERSION"
+git tag "v$VERSION"
+
+echo ""
+echo "Done! Version bumped to $VERSION and tagged v$VERSION."
+echo "Run 'git push origin main --tags' to trigger the release workflow."