Refactor release into separate child workflows with isolated deployment environments (#45)

* Refactor release into multi-workflow architecture

Split the monolithic release.yml into dedicated child workflows
(release-tag, release-npm, release-codeql) callable independently
via workflow_dispatch. Add environment protection gates to all
three publish workflows. Isolate CodeQL pack operations from npm
publish to prevent .codeql/ and .qlx contamination. Use npm ci
instead of npm install in all workflows except release-tag.

Also add .codeql exclusion to server/.npmignore as defense-in-depth.

* Publish to npmjs.org with OIDC trusted publishing

- Rename package to unscoped `codeql-development-mcp-server`
- Switch from GitHub Packages to public npmjs.org registry
- Use OIDC trusted publishing (no tokens, auto-provenance)
- Make release.yml the sole dispatch entry point with
  configurable publish_npm, publish_codeql_packs, and
  create_github_release flags
- Remove workflow_dispatch from child workflows (release-npm,
  release-codeql, release-tag) to comply with OIDC validation
- Fix release-tag.yml: wire tag_sha output to final-sha step,
  guard git add -A against staging CodeQL artifacts
- Add setup-packs.sh script (shipped in npm package) to install
  CodeQL pack dependencies from bundled lock files
- Update all docs, tests, and SKILL.md references

* Update .gitignore for .codeql/ and *.qlx

* Release v2.24.1-prerelease: update versions to 2.24.1-prerelease

* fixresolve npm publish warnings & prerelease error

- Handle prerelease versions in release-npm workflow by detecting semver
  prerelease identifiers and passing --tag to npm publish (e.g.,
  2.24.1-beta.1 publishes with --tag beta)
- Remove ./ prefix from bin paths in server/package.json to eliminate
  "script name was invalid and removed" warnings
- Normalize repository.url to git+https:// format per npm conventions

* Fixes for PR review comments

* Fix release-codeql.yml workflow conditionals

* Release v2.24.1-beta: update versions to 2.24.1-beta

* Release v2.24.1: update versions to 2.24.1

* resolve npm symlinks in entry guard & fix MCP IO

The npm/npx installation path was broken by two issues:

1. The import.meta.url entry guard used resolve() which does
   not follow symlinks. Global npm installs create a symlink
   (e.g. /opt/homebrew/bin/… → node_modules/.../dist/…), so
   the paths never matched and main() was never called. The
   server exited silently.
   Fix: use realpathSync(resolve(…)) to follow symlinks.

2. dotenv v17 prints a banner to stdout by default, which
   corrupts the MCP stdio JSON-RPC channel.
   Fix: pass quiet: true to dotenv.config().

* Release v2.24.1-prerelease: update versions to 2.24.1-prerelease

* Release v2.24.1-rc1: update versions to 2.24.1-rc1

* Update client and server README.md docs

Updates the user-facing server/README.md to be a
useful for external use, where the server/README.md
doc is now used as the home paga for published
npmjs.com packages for codeql-development-mcp-server.

* Release v2.24.1: update versions to 2.24.1

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: data-douser

.github/skills/validate-ql-mcp-server-tools-queries/SKILL.md

@@ -336,7 +336,7 @@ When the STDIO transport receives an immediate EOF on stdin (e.g., via `</dev/nu
 
 ### npm Package Includes Tool Query Source Packs
 
-The published npm package (`@advanced-security/codeql-development-mcp-server`) bundles all tool query source packs under `ql/*/tools/src/`. These are the same `.ql`, `.qll`, `.md`, `codeql-pack.yml`, and `codeql-pack.lock.yml` files — but **never** compiled `.qlx` bytecode (excluded by `server/.npmignore`).
+The published npm package (`codeql-development-mcp-server`) bundles all tool query source packs under `ql/*/tools/src/`. These are the same `.ql`, `.qll`, `.md`, `codeql-pack.yml`, and `codeql-pack.lock.yml` files — but **never** compiled `.qlx` bytecode (excluded by `server/.npmignore`).
 
 ## Success Criteria
 

.github/workflows/release-codeql.yml

@@ -0,0 +1,143 @@
+name: Release CodeQL - Publish and Bundle CodeQL Packs
+
+on:
+  workflow_call:
+    inputs:
+      publish_codeql_packs:
+        default: true
+        description: 'Publish CodeQL tool query packs to GHCR. Disable for pre-release or re-run scenarios where packs already exist.'
+        required: false
+        type: boolean
+      version:
+        description: 'Release version tag (e.g., vX.Y.Z). Must start with "v".'
+        required: true
+        type: string
+    outputs:
+      release_name:
+        description: 'The release name without "v" prefix (e.g., X.Y.Z)'
+        value: ${{ jobs.publish-codeql-packs.outputs.release_name }}
+      version:
+        description: 'The full version string with "v" prefix (e.g., vX.Y.Z)'
+        value: ${{ jobs.publish-codeql-packs.outputs.version }}
+
+# Note: This workflow is called exclusively via workflow_call from release.yml.
+# It does NOT have a workflow_dispatch trigger to keep release.yml as the single
+# entry point for all release operations. To re-publish CodeQL packs standalone,
+# use workflow_dispatch on release.yml with publish_npm=false and
+# create_github_release=false.
+
+permissions:
+  contents: read
+
+jobs:
+  publish-codeql-packs:
+    name: Publish and Bundle CodeQL Packs
+    runs-on: ubuntu-latest
+
+    environment: release-codeql
+
+    permissions:
+      contents: read
+      packages: write
+
+    outputs:
+      release_name: ${{ steps.version.outputs.release_name }}
+      version: ${{ steps.version.outputs.version }}
+
+    steps:
+      - name: CodeQL - Validate and parse version
+        id: version
+        run: |
+          VERSION="${{ inputs.version }}"
+          if [[ ! "${VERSION}" =~ ^v ]]; then
+            echo "::error::Version '${VERSION}' must start with 'v'"
+            exit 1
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
+
+      - name: CodeQL - Checkout tag
+        uses: actions/checkout@v6
+        with:
+          ref: refs/tags/${{ steps.version.outputs.version }}
+
+      - name: CodeQL - Setup CodeQL environment
+        uses: ./.github/actions/setup-codeql-environment
+        with:
+          add-to-path: true
+          install-language-runtimes: false
+
+      - name: CodeQL - Install CodeQL pack dependencies
+        run: server/scripts/install-packs.sh
+
+      - name: CodeQL - Validate version consistency
+        run: |
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating all version-bearing files match ${RELEASE_NAME}..."
+          ./server/scripts/update-release-version.sh --check "${RELEASE_NAME}"
+
+      - name: CodeQL - Publish CodeQL tool query packs
+        if: inputs.publish_codeql_packs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          LANGUAGES="actions cpp csharp go java javascript python ruby swift"
+          echo "Publishing CodeQL tool query packs..."
+          for lang in ${LANGUAGES}; do
+            PACK_DIR="server/ql/${lang}/tools/src"
+            if [ -d "${PACK_DIR}" ]; then
+              echo "📦 Publishing ${PACK_DIR}..."
+              codeql pack publish --threads=-1 -- "${PACK_DIR}"
+              echo "✅ Published ${lang} tool query pack"
+            else
+              echo "⚠️ Skipping ${lang}: ${PACK_DIR} not found"
+            fi
+          done
+
+      - name: CodeQL - Skip CodeQL tool query pack publishing
+        if: '!inputs.publish_codeql_packs'
+        run: echo "⏭️ CodeQL tool query pack publishing disabled via workflow input"
+
+      - name: CodeQL - Bundle CodeQL tool query packs
+        run: |
+          mkdir -p dist-packs
+          LANGUAGES="actions cpp csharp go java javascript python ruby swift"
+          echo "Bundling CodeQL tool query packs..."
+          for lang in ${LANGUAGES}; do
+            PACK_DIR="server/ql/${lang}/tools/src"
+            if [ -d "${PACK_DIR}" ]; then
+              PACK_NAME="ql-mcp-${lang}-tools-src"
+              OUTPUT="dist-packs/${PACK_NAME}.tar.gz"
+              echo "📦 Bundling ${PACK_DIR} -> ${OUTPUT}..."
+              codeql pack bundle --threads=-1 --output="${OUTPUT}" -- "${PACK_DIR}"
+              echo "✅ Bundled ${PACK_NAME}"
+            fi
+          done
+          echo "Bundled packs:"
+          ls -lh dist-packs/
+
+      - name: CodeQL - Upload CodeQL pack artifacts
+        uses: actions/upload-artifact@v6
+        with:
+          name: codeql-tool-query-packs-${{ steps.version.outputs.version }}
+          path: dist-packs/*.tar.gz
+
+      - name: CodeQL - Summary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "## CodeQL Packs Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ inputs.publish_codeql_packs }}" == "true" ]; then
+            echo "✅ Published CodeQL tool query packs to GHCR" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⏭️ CodeQL tool query pack publishing was disabled" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "✅ Bundled CodeQL tool query packs as artifacts" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Published CodeQL Packs" >> $GITHUB_STEP_SUMMARY
+          echo "| Pack | Version |" >> $GITHUB_STEP_SUMMARY
+          echo "| ---- | ------- |" >> $GITHUB_STEP_SUMMARY
+          for lang in actions cpp csharp go java javascript python ruby swift; do
+            echo "| \`advanced-security/ql-mcp-${lang}-tools-src\` | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
+          done

.github/workflows/release-npm.yml

@@ -0,0 +1,126 @@
+name: Release npm - Publish npm Package
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'Release version tag (e.g., vX.Y.Z). Must start with "v".'
+        required: true
+        type: string
+    outputs:
+      release_name:
+        description: 'The release name without "v" prefix (e.g., X.Y.Z)'
+        value: ${{ jobs.publish-npm.outputs.release_name }}
+      version:
+        description: 'The full version string with "v" prefix (e.g., vX.Y.Z)'
+        value: ${{ jobs.publish-npm.outputs.version }}
+
+# Note: This workflow is called exclusively via workflow_call from release.yml.
+# It does NOT have a workflow_dispatch trigger because npm Trusted Publishing
+# validates the *calling* workflow filename for OIDC. The trusted publisher on
+# npmjs.com is configured with workflow "release.yml" and environment
+# "release-npm". Direct dispatch would present "release-npm.yml" as the workflow
+# name, causing OIDC authentication to fail. To re-publish the npm package
+# standalone, use workflow_dispatch on release.yml instead.
+
+permissions:
+  contents: read
+
+jobs:
+  publish-npm:
+    name: Publish npm Package
+    runs-on: ubuntu-latest
+
+    environment: release-npm
+
+    permissions:
+      contents: read
+      id-token: write
+
+    outputs:
+      release_name: ${{ steps.version.outputs.release_name }}
+      version: ${{ steps.version.outputs.version }}
+
+    steps:
+      - name: npm - Validate and parse version
+        id: version
+        run: |
+          VERSION="${{ inputs.version }}"
+          if [[ ! "${VERSION}" =~ ^v ]]; then
+            echo "::error::Version '${VERSION}' must start with 'v'"
+            exit 1
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "release_name=${VERSION#v}" >> $GITHUB_OUTPUT
+
+      - name: npm - Checkout tag
+        uses: actions/checkout@v6
+        with:
+          ref: refs/tags/${{ steps.version.outputs.version }}
+
+      - name: npm - Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          cache: 'npm'
+          node-version-file: '.node-version'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: npm - Install dependencies
+        run: npm ci --include=optional
+
+      - name: npm - Build server
+        run: npm run build -w server
+
+      - name: npm - Validate version consistency
+        run: |
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Validating all version-bearing files match ${RELEASE_NAME}..."
+          ./server/scripts/update-release-version.sh --check "${RELEASE_NAME}"
+
+      - name: npm - Publish npm package
+        working-directory: server
+        run: |
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "Publishing codeql-development-mcp-server@${RELEASE_NAME} to npmjs.org via OIDC trusted publishing..."
+
+          # Prerelease versions (containing a hyphen) must use a dist-tag other
+          # than "latest" — npm enforces this to prevent prereleases from being
+          # installed by default.
+          if [[ "${RELEASE_NAME}" == *-* ]]; then
+            # Extract the prerelease identifier before any dot
+            # e.g., "2.24.1-prerelease" -> "prerelease", "2.24.1-beta.1" -> "beta"
+            PRERELEASE_ID="${RELEASE_NAME#*-}"
+            PRERELEASE_ID="${PRERELEASE_ID%%.*}"
+            echo "Detected prerelease version — publishing with --tag ${PRERELEASE_ID}"
+            npm publish --tag "${PRERELEASE_ID}"
+          else
+            npm publish
+          fi
+          echo "✅ Published npm package to npmjs.org (with provenance)"
+
+      - name: npm - Upload release build artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: release-build-${{ steps.version.outputs.version }}
+          path: |
+            .node-version
+            server/dist/
+            server/ql/
+            server/package.json
+            server/scripts/setup-packs.sh
+            README.md
+            LICENSE
+            docs/
+
+      - name: npm - Summary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          RELEASE_NAME="${{ steps.version.outputs.release_name }}"
+          echo "## npm Package Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Detail | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "| ------ | ----- |" >> $GITHUB_STEP_SUMMARY
+          echo "| Package | \`codeql-development-mcp-server\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | ${RELEASE_NAME} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Registry | npmjs.org |" >> $GITHUB_STEP_SUMMARY
+          echo "| Tag | ${VERSION} |" >> $GITHUB_STEP_SUMMARY