ci: unreleased changes check + tag safety in release workflow (#66)

## Summary

Two CI improvements to prevent the v1.6.0 → v1.6.1 gap from happening
again.

### 1. Unreleased changes check (`unreleased-check.yml`)
Runs on every push to main. Compares HEAD against the latest version tag
and emits a `::warning` annotation when source commits exist without a
version bump. Skips gracefully when the tag doesn't exist yet (i.e., the
push IS the release).

### 2. Tag safety in release workflow (`publish-release.yml`)
- Explicit `git tag` + `git push origin <tag>` step before `gh release
create`
- `--verify-tag` flag on `gh release create` for belt-and-suspenders
safety
- Outputs version for reuse across steps

### Also going forward
Release commits must use `chore: release vX.Y.Z` format to pass
commitlint. Always create a branch first, never commit directly to main.

Author: jpr5

.github/workflows/publish-release.yml

@@ -8,6 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
@@ -21,6 +22,7 @@ jobs:
         run: |
           PKG_NAME=$(node -p "require('./package.json').name")
           PKG_VERSION=$(node -p "require('./package.json').version")
+          echo "version=${PKG_VERSION}" >> "$GITHUB_OUTPUT"
           if npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null; then
             echo "published=true" >> "$GITHUB_OUTPUT"
           else
@@ -34,10 +36,20 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
+      - name: Ensure git tag exists
+        if: steps.check.outputs.published == 'false'
+        run: |
+          TAG="v${{ steps.check.outputs.version }}"
+          if ! git rev-parse "${TAG}" >/dev/null 2>&1; then
+            git tag "${TAG}"
+            git push origin "${TAG}"
+          fi
+
       - name: Create GitHub Release
         if: steps.check.outputs.published == 'false'
         run: |
-          PKG_VERSION=$(node -p "require('./package.json').version")
-          gh release create "v${PKG_VERSION}" --generate-notes --title "v${PKG_VERSION}"
+          TAG="v${{ steps.check.outputs.version }}"
+          # --verify-tag ensures the tag exists before creating the release
+          gh release create "${TAG}" --generate-notes --title "${TAG}" --verify-tag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/unreleased-check.yml

@@ -0,0 +1,36 @@
+name: Unreleased Changes Check
+on:
+  push:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }
+
+      - name: Check for unreleased source changes
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          TAG="v${PKG_VERSION}"
+
+          # If the tag doesn't exist yet, this is the release commit itself — skip
+          if ! git rev-parse "${TAG}" >/dev/null 2>&1; then
+            echo "Tag ${TAG} not found — this push likely IS the release. Skipping."
+            exit 0
+          fi
+
+          # Count source-file commits since the last release tag
+          UNRELEASED=$(git log "${TAG}..HEAD" --oneline -- 'src/' | wc -l | tr -d ' ')
+
+          if [ "$UNRELEASED" -gt 0 ]; then
+            echo "::warning::${UNRELEASED} source commits on main since ${TAG} — version has not been bumped."
+            echo ""
+            echo "Unreleased commits:"
+            git log "${TAG}..HEAD" --oneline -- 'src/'
+            echo ""
+            echo "Run: bump package.json version, update CHANGELOG.md, push to trigger publish."
+          else
+            echo "No unreleased source changes since ${TAG}."
+          fi