Add semantic versioning to workflows and shared files (#60)

* Add version: 0.1.0 frontmatter to all workflows and shared files

Add a semver version field to all 13 SKILL.md files and add YAML
frontmatter (name + version) to the 3 _shared/ files. All start at
0.1.0 per the pre-1.0 convention for actively evolving workflows.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add validate-versions.sh and CI job

Diff-based CI check that validates workflow version bumps when
behavioral files change. Handles merge commits by comparing against
the first parent, traces shared file cascades including transitive
references, and validates semver format on all versioned files.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add version checks to pre-review-checks.py

Validate the version field in SKILL.md frontmatter (semver format)
alongside existing name/description checks. Add shared file frontmatter
validation for _shared/**/*.md files (name and version required).

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add auto-tagging workflow for version bumps

Creates git tags automatically when version bumps are merged to main.
Tags follow {workflow}/v{version} and _shared/{name}/v{version}
conventions. Handles merge commits, checks for existing tags, and
pushes all new tags in a single operation.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Document workflow versioning in AGENTS.md, CONTRIBUTING.md, CLAUDE.md

Add versioning rules for AI assistants (AGENTS.md), developer
contribution guidelines (CONTRIBUTING.md), and a pointer from
CLAUDE.md. Update SKILL.md frontmatter examples to include the
version field.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Validate shared file version bumps, not just cascade

The validation script checked that consuming workflows bumped their
versions when a shared file changed, but did not check that the shared
file itself had its version bumped. Add that check.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address code review feedback

- Remove redundant _shared/*.md case pattern in validate-versions.sh
- Add concurrency control to tag-versions.yaml (serialize tag creation)
- Scope contents:write to job level with explanatory comment
- Add persist-credentials to tag-versions checkout step
- Fix grep patterns in docs to use basename (matches actual references)
- Convert indented code blocks to fenced (MD046)
- Add commit convention and shared file tag format to CONTRIBUTING.md

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Extract frontmatter parsing to module-level function

Move duplicated YAML frontmatter parsing logic from
Checker._parse_frontmatter() and RepoChecker.check_shared_frontmatter()
into a shared parse_frontmatter() function.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix case pattern to match top-level _shared/*.md files

Bash case statements don't support ** as glob-recursive. The pattern
_shared/**/*.md only matches nested files like _shared/recipes/*.md,
not top-level files like _shared/review-protocol.md. Use explicit
patterns for both levels.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Reject frontmatter without closing delimiter

parse_frontmatter() now returns None if the file starts with ---
but never has a matching closing ---. Previously it would parse
the entire file as frontmatter fields, producing false positives.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address Amir's review feedback

- Remove dangling versioning.md reference from CONTRIBUTING.md;
  replace with inline rationale (versioning.md was a planning doc,
  not intended to be committed)
- Reorder validate-versions.sh: run static semver format checks
  (sections 5-6) before arithmetic comparisons (sections 8, 10)
  to avoid bash errors on malformed version strings
- Push only newly created tags in tag-versions.yaml instead of
  --tags which pushes all local tags

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: adalton

.github/scripts/validate-versions.sh

@@ -0,0 +1,290 @@
+#!/usr/bin/env bash
+# Validates that workflow versions are bumped when behavioral files change.
+# Run in CI via .github/workflows/lint.yaml.
+#
+# On PRs: compares the branch against the merge base with the target branch.
+# On push to main: compares HEAD against its first parent (handles merge commits).
+# Locally: compares against origin/main.
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+cd "$REPO_ROOT"
+
+errors=0
+warnings=0
+
+fail() {
+  echo "FAIL: $1"
+  errors=$((errors + 1))
+}
+
+warn() {
+  echo "WARN: $1"
+  warnings=$((warnings + 1))
+}
+
+info() {
+  echo "INFO: $1"
+}
+
+# ---------------------------------------------------------------------------
+# 1. Determine base ref
+# ---------------------------------------------------------------------------
+if [ -n "${GITHUB_BASE_REF:-}" ]; then
+  BASE_REF="origin/${GITHUB_BASE_REF}"
+elif [ "${GITHUB_EVENT_NAME:-}" = "push" ]; then
+  BASE_REF=$(git rev-parse HEAD^1)
+else
+  BASE_REF="origin/main"
+fi
+
+MERGE_BASE=$(git merge-base "$BASE_REF" HEAD 2>/dev/null || echo "$BASE_REF")
+info "Base ref: $BASE_REF"
+info "Merge base: $MERGE_BASE"
+
+# ---------------------------------------------------------------------------
+# 2. Get changed files
+# ---------------------------------------------------------------------------
+mapfile -t CHANGED_FILES < <(git diff --name-only "$MERGE_BASE"...HEAD 2>/dev/null \
+  || git diff --name-only "$MERGE_BASE" HEAD)
+
+if [ ${#CHANGED_FILES[@]} -eq 0 ]; then
+  info "No changed files detected"
+  exit 0
+fi
+
+# ---------------------------------------------------------------------------
+# 3. Semver comparison: returns 0 if $1 < $2
+# ---------------------------------------------------------------------------
+semver_lt() {
+  local IFS='.'
+  read -r a1 a2 a3 <<< "$1"
+  read -r b1 b2 b3 <<< "$2"
+  if [ "$a1" -lt "$b1" ]; then return 0; fi
+  if [ "$a1" -gt "$b1" ]; then return 1; fi
+  if [ "$a2" -lt "$b2" ]; then return 0; fi
+  if [ "$a2" -gt "$b2" ]; then return 1; fi
+  if [ "$a3" -lt "$b3" ]; then return 0; fi
+  return 1
+}
+
+# ---------------------------------------------------------------------------
+# 4. Behavioral file detection
+# ---------------------------------------------------------------------------
+is_behavioral() {
+  local file="$1"
+  case "$file" in
+    */skills/*.md|*/commands/*.md|*/guidelines.md)
+      return 0 ;;
+    */templates/*|*/prompts/*|*/scripts/*)
+      return 0 ;;
+    _shared/*.md|_shared/*/*.md)
+      return 0 ;;
+    */SKILL.md)
+      local body_diff
+      body_diff=$(git diff "$MERGE_BASE"...HEAD -- "$file" 2>/dev/null \
+        || git diff "$MERGE_BASE" HEAD -- "$file")
+      body_diff=$(echo "$body_diff" \
+        | grep '^[+-]' \
+        | grep -v '^[+-]version:' \
+        | grep -v '^[+-]---' \
+        | grep -v '^[+-][+-][+-]' || true)
+      [ -n "$body_diff" ] && return 0
+      return 1 ;;
+    */README.md|*/GUIDE.md)
+      return 1 ;;
+    */*)
+      local dir
+      dir=$(dirname "$file")
+      if [ -f "$dir/SKILL.md" ] && [[ "$file" == *.md ]]; then
+        return 0
+      fi
+      return 1 ;;
+    *)
+      return 1 ;;
+  esac
+}
+
+# ---------------------------------------------------------------------------
+# 5. Static: all SKILL.md files must have valid semver
+# ---------------------------------------------------------------------------
+for skill in */SKILL.md; do
+  [ -f "$skill" ] || continue
+  wf=$(dirname "$skill")
+  ver=$(sed -n 's/^version: *//p' "$skill")
+  if [ -z "$ver" ]; then
+    fail "$wf: SKILL.md missing version field"
+  elif ! echo "$ver" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+    fail "$wf: version '$ver' is not valid semver (expected X.Y.Z)"
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 6. Static: all _shared/*.md files must have valid frontmatter with version
+# ---------------------------------------------------------------------------
+while IFS= read -r -d '' shared; do
+  if ! head -1 "$shared" | grep -q '^---$'; then
+    fail "$shared: missing YAML frontmatter"
+    continue
+  fi
+  fm=$(sed -n '2,/^---$/p' "$shared" | head -n -1)
+  if ! echo "$fm" | grep -q '^version:'; then
+    fail "$shared: frontmatter missing version field"
+  else
+    ver=$(echo "$fm" | grep '^version:' | sed 's/^version: *//')
+    if ! echo "$ver" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+      fail "$shared: version '$ver' is not valid semver"
+    fi
+  fi
+done < <(find _shared -name '*.md' -print0 2>/dev/null)
+
+# ---------------------------------------------------------------------------
+# 7. Detect behavioral changes and version bumps per workflow
+# ---------------------------------------------------------------------------
+declare -A workflow_behavioral_changed
+declare -A workflow_version_bumped
+declare -A shared_changed
+
+for file in "${CHANGED_FILES[@]}"; do
+  if [[ "$file" == _shared/* ]]; then
+    if is_behavioral "$file"; then
+      shared_changed["$file"]=1
+    fi
+    continue
+  fi
+
+  wf="${file%%/*}"
+  [ -f "$wf/SKILL.md" ] || continue
+
+  if is_behavioral "$file"; then
+    workflow_behavioral_changed["$wf"]=1
+  fi
+
+  if [ "$file" = "$wf/SKILL.md" ]; then
+    new_ver=$(sed -n 's/^version: *//p' "$wf/SKILL.md")
+    old_ver=$(git show "$MERGE_BASE:$wf/SKILL.md" 2>/dev/null \
+      | sed -n 's/^version: *//p' || echo "")
+    if [ -n "$new_ver" ] && [ -n "$old_ver" ] && [ "$new_ver" != "$old_ver" ]; then
+      workflow_version_bumped["$wf"]=1
+    elif [ -n "$new_ver" ] && [ -z "$old_ver" ]; then
+      workflow_version_bumped["$wf"]=1
+    fi
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 8. Workflows with behavioral changes must have version bumps
+# ---------------------------------------------------------------------------
+for wf in "${!workflow_behavioral_changed[@]}"; do
+  if [ -z "${workflow_version_bumped[$wf]:-}" ]; then
+    fail "$wf: behavioral files changed but version not bumped in SKILL.md"
+  else
+    new_ver=$(sed -n 's/^version: *//p' "$wf/SKILL.md")
+    old_ver=$(git show "$MERGE_BASE:$wf/SKILL.md" 2>/dev/null \
+      | sed -n 's/^version: *//p' || echo "")
+    if [ -n "$old_ver" ] && [ -n "$new_ver" ]; then
+      if ! semver_lt "$old_ver" "$new_ver"; then
+        fail "$wf: version $new_ver is not greater than $old_ver"
+      fi
+    fi
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 9. Advisory: signals that suggest MAJOR bump
+# ---------------------------------------------------------------------------
+for file in "${CHANGED_FILES[@]}"; do
+  wf="${file%%/*}"
+  [ -f "$wf/SKILL.md" ] || continue
+
+  if ! [ -f "$file" ] && git show "$MERGE_BASE:$file" >/dev/null 2>&1; then
+    case "$file" in
+      */skills/*.md|*/commands/*.md)
+        warn "$wf: deleted $file — consider MAJOR version bump" ;;
+    esac
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 10. Shared files themselves must have version bumps when changed
+# ---------------------------------------------------------------------------
+for shared_file in "${!shared_changed[@]}"; do
+  new_ver=$(sed -n 's/^version: *//p' "$shared_file")
+  old_ver=$(git show "$MERGE_BASE:$shared_file" 2>/dev/null \
+    | sed -n 's/^version: *//p' || echo "")
+  if [ -n "$new_ver" ] && [ -n "$old_ver" ] && [ "$new_ver" = "$old_ver" ]; then
+    fail "$shared_file: behavioral content changed but version not bumped (still $old_ver)"
+  elif [ -n "$old_ver" ] && [ -n "$new_ver" ] && [ "$new_ver" != "$old_ver" ]; then
+    if ! semver_lt "$old_ver" "$new_ver"; then
+      fail "$shared_file: version $new_ver is not greater than $old_ver"
+    fi
+  fi
+done
+
+# ---------------------------------------------------------------------------
+# 11. Cascade: shared file changes require consuming workflow bumps
+# ---------------------------------------------------------------------------
+for shared_file in "${!shared_changed[@]}"; do
+  base=$(basename "$shared_file" .md)
+
+  referencing_workflows=""
+
+  # Direct references in standard behavioral locations
+  direct=$(grep -rl "$base" */skills/*.md */commands/*.md */guidelines.md \
+    2>/dev/null | sed 's|/.*||' | sort -u || true)
+  if [ -n "$direct" ]; then
+    referencing_workflows="$direct"
+  fi
+
+  # Also check root-level workflow .md files (e.g., design/decomposition-review.md)
+  for wf_dir in */; do
+    wf="${wf_dir%/}"
+    [ -f "$wf/SKILL.md" ] || continue
+    for root_md in "$wf"/*.md; do
+      [ -f "$root_md" ] || continue
+      case "$(basename "$root_md")" in
+        SKILL.md|README.md|GUIDE.md|guidelines.md) continue ;;
+      esac
+      if grep -q "$base" "$root_md" 2>/dev/null; then
+        referencing_workflows=$(printf '%s\n%s' "$referencing_workflows" "$wf" | sort -u)
+      fi
+    done
+  done
+
+  for wf in $referencing_workflows; do
+    [ -n "$wf" ] || continue
+    [ -f "$wf/SKILL.md" ] || continue
+    if [ -z "${workflow_version_bumped[$wf]:-}" ]; then
+      fail "$wf: references changed shared file $shared_file but version not bumped"
+    fi
+  done
+
+  # Transitive: shared file A references shared file B
+  transitive_shared=$(find _shared -name '*.md' -exec grep -l "$base" {} \; 2>/dev/null || true)
+  for trans in $transitive_shared; do
+    [ "$trans" = "$shared_file" ] && continue
+    trans_base=$(basename "$trans" .md)
+    trans_workflows=$(grep -rl "$trans_base" */skills/*.md */commands/*.md \
+      */guidelines.md 2>/dev/null | sed 's|/.*||' | sort -u || true)
+    for tw in $trans_workflows; do
+      [ -f "$tw/SKILL.md" ] || continue
+      if [ -z "${workflow_version_bumped[$tw]:-}" ]; then
+        fail "$tw: transitively affected by $shared_file (via $trans) but version not bumped"
+      fi
+    done
+  done
+done
+
+# ---------------------------------------------------------------------------
+# Summary
+# ---------------------------------------------------------------------------
+echo
+echo "==========================="
+if [ "$errors" -gt 0 ]; then
+  echo "FAILED: $errors error(s), $warnings warning(s)"
+  exit 1
+else
+  echo "PASSED: $warnings warning(s), no errors"
+  exit 0
+fi

.github/workflows/lint.yaml

@@ -40,6 +40,16 @@ jobs:
           persist-credentials: false
       - uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19
 
+  validate-versions:
+    name: Validate Versions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - run: bash .github/scripts/validate-versions.sh
+
   link-check:
     name: Link Check
     runs-on: ubuntu-latest

.github/workflows/tag-versions.yaml

@@ -0,0 +1,79 @@
+name: Tag Versions
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: tag-versions
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  tag:
+    name: Auto-Tag Version Bumps
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # required to create and push git tags
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+          persist-credentials: true  # required for git push of tags
+      - name: Detect and tag version bumps
+        run: |
+          # Merge commits have >2 words in parent list; use first parent (main before merge)
+          if [ "$(git rev-list --parents -1 HEAD | wc -w)" -gt 2 ]; then
+            PARENT=$(git rev-parse HEAD^1)
+          else
+            PARENT=$(git rev-parse HEAD~1)
+          fi
+
+          NEW_TAGS=()
+
+          # Tag workflow version bumps
+          for skill in */SKILL.md; do
+            [ -f "$skill" ] || continue
+            wf=$(dirname "$skill")
+            new_ver=$(sed -n 's/^version: *//p' "$skill")
+            old_ver=$(git show "$PARENT:$skill" 2>/dev/null \
+              | sed -n 's/^version: *//p' || echo "")
+            if [ -n "$new_ver" ] && [ "$new_ver" != "$old_ver" ]; then
+              tag="${wf}/v${new_ver}"
+              if git rev-parse "$tag" >/dev/null 2>&1; then
+                echo "Tag $tag already exists, skipping"
+              else
+                echo "Tagging $tag"
+                git tag "$tag"
+                NEW_TAGS+=("$tag")
+              fi
+            fi
+          done
+
+          # Tag shared file version bumps
+          while IFS= read -r -d '' shared; do
+            [ -f "$shared" ] || continue
+            new_ver=$(sed -n 's/^version: *//p' "$shared")
+            [ -n "$new_ver" ] || continue
+            old_ver=$(git show "$PARENT:$shared" 2>/dev/null \
+              | sed -n 's/^version: *//p' || echo "")
+            if [ "$new_ver" != "$old_ver" ]; then
+              base=$(basename "$shared" .md)
+              tag="_shared/${base}/v${new_ver}"
+              if git rev-parse "$tag" >/dev/null 2>&1; then
+                echo "Tag $tag already exists, skipping"
+              else
+                echo "Tagging $tag"
+                git tag "$tag"
+                NEW_TAGS+=("$tag")
+              fi
+            fi
+          done < <(find _shared -name '*.md' -print0 2>/dev/null)
+
+          if [ ${#NEW_TAGS[@]} -gt 0 ]; then
+            echo "Pushing ${#NEW_TAGS[@]} new tag(s)"
+            git push origin "${NEW_TAGS[@]}"
+          else
+            echo "No new tags to push"
+          fi