ci: automate extension releases via changesets + tag-triggered workflow

Removes @playhtml/extension from the changesets ignore list so
extension changes get tracked alongside core-package changes. The
package stays private:true, so changeset publish skips npm but still
emits a @playhtml/extension@x.y.z tag.

Adds .github/workflows/extension-release.yml that fires on those tags,
builds Chrome + Firefox zips, and runs wxt submit with credentials
from GitHub secrets. workflow_dispatch supports a dry-run toggle for
testing without actually submitting.

Documents required secrets and the OAuth Desktop-app client
requirement (Web app clients trigger Google's 7-day token expiry).

Author: spencerc99

.changeset/config.json

@@ -7,7 +7,7 @@
   "access": "public",
   "baseBranch": "main",
   "updateInternalDependencies": "patch",
-  "ignore": ["@playhtml/extension", "@playhtml/extension-worker", "wewere-online", "@playhtml/docs-site"],
+  "ignore": ["@playhtml/extension-worker", "wewere-online", "@playhtml/docs-site"],
   "snapshot": {
     "useCalculatedVersion": true,
     "prereleaseTemplate": "{tag}-{commit}"

.github/workflows/extension-release.yml

@@ -0,0 +1,118 @@
+name: Extension Release
+
+on:
+  push:
+    tags:
+      - "@playhtml/extension@*"
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Dry run (build + validate, do not submit)"
+        type: boolean
+        default: true
+      skip-chrome:
+        description: "Skip Chrome submission"
+        type: boolean
+        default: false
+      skip-firefox:
+        description: "Skip Firefox submission"
+        type: boolean
+        default: false
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+permissions:
+  contents: read
+
+jobs:
+  submit:
+    name: Build and submit to stores
+    runs-on: ubuntu-latest
+    env:
+      DRY_RUN: ${{ inputs.dry-run && 'true' || 'false' }}
+      SKIP_CHROME: ${{ inputs.skip-chrome && 'true' || 'false' }}
+      SKIP_FIREFOX: ${{ inputs.skip-firefox && 'true' || 'false' }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Build packages
+        run: bun run build-packages
+
+      - name: Read extension version
+        id: version
+        run: echo "version=$(node -p "require('./extension/package.json').version")" >> "$GITHUB_OUTPUT"
+
+      - name: Build Chrome zip
+        if: env.SKIP_CHROME != 'true'
+        run: WXT_OUT_DIR=publish bun run -C extension wxt zip
+
+      - name: Build Firefox zip
+        if: env.SKIP_FIREFOX != 'true'
+        run: WXT_OUT_DIR=publish bun run -C extension wxt zip -b firefox
+
+      - name: Resolve zip paths
+        id: zips
+        working-directory: extension
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          if [ -d publish ]; then
+            CHROME_ZIP=$(ls publish/*-"$VERSION"-chrome.zip 2>/dev/null | head -1 || true)
+            FIREFOX_ZIP=$(ls publish/*-"$VERSION"-firefox.zip 2>/dev/null | head -1 || true)
+            SOURCES_ZIP=$(ls publish/*-"$VERSION"-sources.zip 2>/dev/null | head -1 || true)
+            echo "chrome=$CHROME_ZIP" >> "$GITHUB_OUTPUT"
+            echo "firefox=$FIREFOX_ZIP" >> "$GITHUB_OUTPUT"
+            echo "sources=$SOURCES_ZIP" >> "$GITHUB_OUTPUT"
+            echo "Built artifacts:"
+            ls -la publish/
+          fi
+
+      - name: Submit to stores
+        working-directory: extension
+        env:
+          CHROME_EXTENSION_ID: ${{ secrets.CHROME_EXTENSION_ID }}
+          CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
+          CHROME_CLIENT_SECRET: ${{ secrets.CHROME_CLIENT_SECRET }}
+          CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
+          FIREFOX_EXTENSION_ID: ${{ secrets.FIREFOX_EXTENSION_ID }}
+          FIREFOX_JWT_ISSUER: ${{ secrets.FIREFOX_JWT_ISSUER }}
+          FIREFOX_JWT_SECRET: ${{ secrets.FIREFOX_JWT_SECRET }}
+          CHROME_ZIP: ${{ steps.zips.outputs.chrome }}
+          FIREFOX_ZIP: ${{ steps.zips.outputs.firefox }}
+          SOURCES_ZIP: ${{ steps.zips.outputs.sources }}
+        run: |
+          ARGS=()
+          if [ "$SKIP_CHROME" != "true" ] && [ -n "$CHROME_ZIP" ]; then
+            ARGS+=(--chrome-zip "$CHROME_ZIP")
+          fi
+          if [ "$SKIP_FIREFOX" != "true" ] && [ -n "$FIREFOX_ZIP" ]; then
+            ARGS+=(--firefox-zip "$FIREFOX_ZIP" --firefox-sources-zip "$SOURCES_ZIP")
+          fi
+          if [ "$DRY_RUN" = "true" ]; then
+            bun run wxt submit --dry-run "${ARGS[@]}"
+          else
+            bun run wxt submit "${ARGS[@]}"
+          fi
+
+      - name: Upload zips as artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: extension-${{ steps.version.outputs.version }}
+          path: extension/publish/*.zip
+          retention-days: 30
+          if-no-files-found: warn

extension/CLAUDE.md

@@ -15,6 +15,41 @@ Worker backend (in `worker/`):
 - `cd worker && wrangler dev`: Local API server (localhost:8787)
 - `cd worker && wrangler deploy`: Deploy to Cloudflare
 
+## Releases
+
+The extension uses the same Changesets flow as the core packages. Add a
+`.changeset/<slug>.md` file describing user-facing changes (frontmatter:
+`"@playhtml/extension": patch|minor|major`). Changesets bumps the version,
+updates `extension/CHANGELOG.md`, and pushes a tag (`@playhtml/extension@x.y.z`)
+when the "Release: Version packages" PR merges. Because the package is
+`private: true`, `changeset publish` skips npm — the tag is the trigger.
+
+The tag push fires `.github/workflows/extension-release.yml`, which builds
+Chrome + Firefox zips and runs `wxt submit` for both stores.
+
+**Required GitHub Actions secrets** (set once at repo level):
+
+Chrome Web Store:
+- `CHROME_EXTENSION_ID`
+- `CHROME_CLIENT_ID` — OAuth Desktop-app client (NOT Web app — Web clients use
+  the deprecated OOB flow which Google penalizes with ~7-day token expiry)
+- `CHROME_CLIENT_SECRET`
+- `CHROME_REFRESH_TOKEN` — generated once via OAuth Playground, scope
+  `https://www.googleapis.com/auth/chromewebstore`. Long-lived but can be
+  invalidated by Google account password change, 6-month inactivity, or
+  security events. Regenerate locally with `bun run submit:refresh-chrome-token`
+  and update the secret if CI fails with an OAuth error.
+
+Firefox AMO:
+- `FIREFOX_EXTENSION_ID`
+- `FIREFOX_JWT_ISSUER` — from addons.mozilla.org → Developer Hub → Manage API Keys
+- `FIREFOX_JWT_SECRET`
+
+**Manual fallback / testing:** The workflow also supports `workflow_dispatch`
+with a `dry-run` toggle (defaults to true) — run it from the Actions tab to
+verify zips build and credentials work without actually submitting. The local
+`./release.sh` continues to work as a manual escape hatch.
+
 ## Website & experiments (`extension/website/`)
 
 The `extension/website/` Vite app serves both the marketing/landing pages