feat: changelog-first release flow with build artifacts on draft releases (#125)

* docs: add administrative guide for CI/CD infrastructure

Documents GitHub Workflows, protected environments, secrets,
variables, permissions, security posture, code ownership,
and release process for administrators and AI coding agents.

* feat: add build artifacts to draft releases

- release.yml: create draft release instead of published (draft: true)
- codebuild.yml: add v* tag trigger, elevate contents permission to
  write, add resilient release upload step that handles all states
  (draft exists, no release, already published with graceful failure)
- docs: update ADMINISTRATIVE_GUIDE.md with new release flow

The release process now requires human review before publishing:
tag push → draft release created → CodeBuild artifacts attached →
human reviews and publishes → changelog workflow triggered.

* docs: replace ASCII pipeline diagrams with mermaid in admin guide

Adds manual approval gate (codebuild environment) to the diagrams
and shows the resilient three-state release upload logic visually.

* feat: add workflow_dispatch tag input and mermaid diagrams

- codebuild.yml: add optional tag input to workflow_dispatch as a
  backup strategy for attaching artifacts to a release when the
  tag-triggered run fails or is blocked
- docs: replace pipeline diagrams with mermaid, show draft release
  convergence from release.yml into codebuild upload, and include
  the manual dispatch backup path

* feat: changelog-first release flow with release PR and auto-tagging

Replace the post-release changelog workflow with a changelog-first flow:
- release-pr.yml: generates CHANGELOG.md and opens a release PR
- tag-on-merge.yml: auto-tags the merge commit when a release PR is merged
- Delete changelog.yml (no longer needed)
- Update cliff.toml with skip rule for changelog noise and bump config
- Update release.yml header comment to reference new flow
- Update ADMINISTRATIVE_GUIDE.md with new architecture, diagrams, and process

* feat: validate semver format on release-pr version input

Reject version inputs that don't match strict MAJOR.MINOR.PATCH format.

* feat: graceful fallback when no conventional commits detected

Fall back to patch bump from latest tag instead of failing. If no tags
exist at all, exit cleanly with a warning instead of failing the workflow.

* fix: only apply release label if it exists in the repo

* fix: dispatch release and codebuild workflows explicitly after tagging

Tags created via GITHUB_TOKEN don't trigger push events in other
workflows. Use gh workflow run with --ref to dispatch release.yml and
codebuild.yml directly, which is exempt from this limitation.

* docs: update admin guide for workflow dispatch pattern

Update diagram, workflow reference, permissions, and release process
to reflect that tag-on-merge.yml dispatches release.yml and codebuild.yml
explicitly via workflow_dispatch rather than relying on tag push events.

* fix: add --repo flag to gh workflow run commands

The tag-on-merge job has no checkout step, so gh needs an explicit
--repo to know which repository to dispatch workflows in.

* fix: skip release gracefully when dispatched from a branch

Show a warning annotation and skip remaining steps instead of failing
with a confusing error when the workflow runs on a non-tag ref.

* docs: fix admin guide accuracy for recent workflow changes

- Release PR: document semver validation, graceful fallback, conditional label
- Tag Release: add --repo to dispatch step descriptions
- CodeBuild: mention dispatch from tag-on-merge.yml in trigger description
- Release: document graceful skip when dispatched from a branch
- Security Posture: add injection-safe input patterns

* style: align markdown table columns in admin guide

* feat: wait for draft release before dispatching codebuild

Dispatch release.yml first and watch it to completion before dispatching
codebuild.yml. This ensures the draft release exists before build
artifacts are uploaded. Falls back to dispatching codebuild anyway if
the release run can't be found or doesn't succeed.

* docs: update admin guide for sequential release-then-codebuild dispatch

* fix: skip gracefully when release branch already exists

Check for existing remote branch before attempting to create it.
Exits cleanly with a warning annotation pointing the user to the
existing PR instead of failing on git checkout -b.

* docs: document release branch existence check in admin guide

* fix: simplify mermaid diagram node text to fix rendering

Remove special characters (--ref, --bumped-version) from node labels
that mermaid may interpret as link syntax. Fix ambiguous dual outgoing
edges from release.yml node.

* fix: use ::warning:: annotation for no-tags-exist case

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>

Author: scottschreckengaust

.github/workflows/changelog.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches:
       - main
+    tags:
+      - 'v*'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -36,7 +38,7 @@ jobs:
 
     permissions:
       actions: write
-      contents: read
+      contents: write
       id-token: write # Required for OIDC token request to AWS STS
 
     runs-on: ubuntu-latest
@@ -203,3 +205,51 @@ jobs:
           name: trend.zip
           path: ${{ github.workspace }}/.codebuild/downloads/trend.zip
           if-no-files-found: error
+
+      - name: Upload artifacts to release
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+          REPO: ${{ github.repository }}
+        run: |
+          DOWNLOADS="${GITHUB_WORKSPACE}/.codebuild/downloads"
+          ARTIFACTS=(
+            "$DOWNLOADS/${{ env.CODEBUILD_PROJECT_NAME }}.zip"
+            "$DOWNLOADS/evaluation.zip"
+            "$DOWNLOADS/trend.zip"
+          )
+
+          # Wait for release to exist (release.yml typically finishes in ~30s,
+          # CodeBuild takes minutes — this is a safety net)
+          RELEASE_EXISTS=false
+          for i in $(seq 1 30); do
+            if gh release view "$TAG" --repo "$REPO" --json isDraft,tagName &>/dev/null; then
+              RELEASE_EXISTS=true
+              break
+            fi
+            echo "Waiting for release $TAG (attempt $i/30)..."
+            sleep 10
+          done
+
+          if [[ "$RELEASE_EXISTS" == "true" ]]; then
+            # Release exists (draft or published) — upload/replace artifacts
+            IS_DRAFT=$(gh release view "$TAG" --repo "$REPO" --json isDraft --jq '.isDraft')
+            if [[ "$IS_DRAFT" == "true" ]]; then
+              echo "Draft release $TAG found — uploading artifacts"
+            else
+              echo "Published release $TAG found — attempting to replace artifacts"
+            fi
+            gh release upload "$TAG" "${ARTIFACTS[@]}" --repo "$REPO" --clobber || {
+              echo "WARNING: Failed to upload artifacts to release $TAG (release may be immutable)"
+              echo "Artifacts are still available as workflow artifacts above"
+            }
+          else
+            # No release exists — create a draft with artifacts
+            echo "No release found for $TAG — creating draft release with artifacts"
+            gh release create "$TAG" "${ARTIFACTS[@]}" \
+              --repo "$REPO" \
+              --draft \
+              --title "AI-DLC Workflow ${TAG#v}" \
+              --notes "Build artifacts from CodeBuild. Rules zip pending from release workflow."
+          fi

.github/workflows/codebuild.yml

@@ -0,0 +1,148 @@
+# Release PR
+#
+# Creates a PR with an updated CHANGELOG.md for a new release.
+# The changelog is generated from conventional commits using git-cliff.
+#
+# When the PR is merged, tag-on-merge.yml automatically tags the merge commit,
+# which triggers release.yml (draft release) and codebuild.yml (build artifacts).
+#
+# Usage:
+#   1. Run this workflow via workflow_dispatch (optionally specify a version)
+#   2. Review and merge the resulting PR
+#   3. The tag is created automatically — review and publish the draft release
+
+name: Release PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g., 0.2.0). Leave empty to auto-determine from conventional commits.'
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-pr:
+    name: Create Release PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Install git-cliff
+        uses: orhun/git-cliff-action@e16f179f0be49ecdfe63753837f20b9531642772 # v4.7.0
+        with:
+          config: cliff.toml
+          args: --version
+        env:
+          OUTPUT: /dev/null
+
+      - name: Determine version
+        id: version
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          if [[ -n "$INPUT_VERSION" ]]; then
+            # Strip leading v if present for validation
+            VERSION="${INPUT_VERSION#v}"
+            if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              echo "ERROR: Version '$INPUT_VERSION' is not valid semver (expected: MAJOR.MINOR.PATCH, e.g. 0.2.0)"
+              exit 1
+            fi
+          else
+            VERSION=$(git-cliff --bumped-version 2>/dev/null || echo "")
+            if [[ -z "$VERSION" ]]; then
+              # Fall back to patch bump from latest tag
+              LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+              if [[ -n "$LATEST_TAG" ]]; then
+                LATEST="${LATEST_TAG#v}"
+                MAJOR="${LATEST%%.*}"
+                REST="${LATEST#*.}"
+                MINOR="${REST%%.*}"
+                PATCH="${REST#*.}"
+                PATCH=$((PATCH + 1))
+                VERSION="${MAJOR}.${MINOR}.${PATCH}"
+                echo "WARNING: No conventional commits detected — falling back to patch bump: $VERSION"
+              else
+                echo "::warning::No conventional commits and no existing tags — nothing to release"
+                exit 0
+              fi
+            fi
+          fi
+          # Strip leading v if present
+          VERSION="${VERSION#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
+          echo "Determined version: $VERSION (tag: v$VERSION)"
+
+      - name: Check tag does not exist
+        env:
+          TAG: ${{ steps.version.outputs.tag }}
+        run: |
+          if git rev-parse "refs/tags/$TAG" &>/dev/null; then
+            echo "ERROR: Tag $TAG already exists"
+            exit 1
+          fi
+
+      - name: Generate changelog
+        uses: orhun/git-cliff-action@e16f179f0be49ecdfe63753837f20b9531642772 # v4.7.0
+        with:
+          config: cliff.toml
+          args: --tag ${{ steps.version.outputs.tag }}
+        env:
+          OUTPUT: CHANGELOG.md
+          GITHUB_REPO: ${{ github.repository }}
+
+      - name: Create release PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+          TAG: ${{ steps.version.outputs.tag }}
+        run: |
+          BRANCH="release/$TAG"
+
+          # Check if branch already exists (local or remote)
+          if git ls-remote --exit-code --heads origin "$BRANCH" &>/dev/null; then
+            echo "::warning::Branch '$BRANCH' already exists. A release PR may already be open — close it and delete the branch to re-run."
+            exit 0
+          fi
+
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+
+          git add CHANGELOG.md
+          if git diff --cached --quiet CHANGELOG.md; then
+            echo "No changes to CHANGELOG.md"
+            exit 0
+          fi
+
+          git checkout -b "$BRANCH"
+          git commit -m "docs: update changelog for $TAG"
+          git push origin "$BRANCH"
+
+          LABEL_FLAG=""
+          if gh label list --search "release" --json name --jq '.[].name' | grep -qx "release"; then
+            LABEL_FLAG="--label release"
+          fi
+
+          gh pr create \
+            --title "release: $TAG" \
+            --body "$(cat <<EOF
+          ## Release $TAG
+
+          This PR updates CHANGELOG.md for the $TAG release.
+
+          **When merged**, the merge commit will be automatically tagged as \`$TAG\`, which triggers:
+          - \`release.yml\` — creates a draft GitHub Release with the rules zip
+          - \`codebuild.yml\` — runs CodeBuild and attaches build artifacts to the draft
+
+          After both workflows complete, review and publish the draft release.
+          EOF
+          )" \
+            $LABEL_FLAG

.github/workflows/release-pr.yml

@@ -1,21 +1,24 @@
 # Release Pipeline
 #
 # This workflow handles versioning and distribution of the AI-DLC methodology.
-# It triggers when you push a version tag and:
+# It triggers when a version tag is pushed (by tag-on-merge.yml or manually) and:
 #
 #   1. Creates distribution artifact:
 #      - ai-dlc-rules-vX.X.X.zip (Rules format for Amazon Q, Kiro, etc.)
-#   2. Publishes a GitHub Release with artifact attached
+#   2. Creates a draft GitHub Release with artifact attached
 #
-# Note: Changelog is generated separately by changelog.yml after release is published.
+# The release is created as a draft so that build artifacts from CodeBuild
+# (codebuild.yml) can be attached before a human reviews and publishes it.
 #
-# Usage:
-#   git tag v1.2.0
-#   git push origin v1.2.0
+# Normal flow:
+#   1. release-pr.yml creates a PR with CHANGELOG update (manual dispatch)
+#   2. Human reviews and merges the release PR
+#   3. tag-on-merge.yml auto-tags the merge commit → triggers this workflow
 
 name: Release
 
 on:
+  workflow_dispatch: {}
   push:
     tags:
       - 'v*'
@@ -37,18 +40,26 @@ jobs:
       - name: Extract version
         id: version
         run: |
+          if [[ "$GITHUB_REF" != refs/tags/v* ]]; then
+            echo "::warning::Skipping release — this workflow must run on a v* tag (got $GITHUB_REF). Use workflow_dispatch from a tag, not a branch."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
           VERSION=${GITHUB_REF#refs/tags/v}
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Create release artifact
+        if: steps.version.outputs.skip != 'true'
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           zip -r "ai-dlc-rules-v${VERSION}.zip" aidlc-rules/
 
       - name: Create GitHub Release
+        if: steps.version.outputs.skip != 'true'
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
+          draft: true
           name: "AI-DLC Workflow v${{ steps.version.outputs.version }}"
           body: |
             Release v${{ steps.version.outputs.version }}