fix(ci): harden release workflows #32

Merged: konard merged 3 commits into main from issue-31-bd2874f2d076 on May 3, 2026


konard commented May 3, 2026

Fixes #31

Summary

  • Hardened the Rust release workflow so ambiguous crates.io probes fail closed instead of triggering duplicate publishes, and so GitHub release creation no longer prints a false success after already_exists.
  • Hardened JavaScript npm trusted-publishing setup to require Node.js >= 22.14.0 and npm >= 11.5.1, with a registry-driven npm 11.x fallback and final version check.
  • Extended npm publish failure guidance for E404 PUT/access/trusted-publisher failures.
  • Removed the separate Python PyPI diagnostic-only steps because pypa/gh-action-pypi-publish already emits the root cause and troubleshooting URL.
  • Preserved issue evidence and template comparison notes in docs/case-studies/issue-31.

Evidence

  • Downloaded and preserved the cited Rust, JavaScript, and Python run metadata/logs under docs/case-studies/issue-31.
  • Added a case-study README with exact log line references for the false Rust success, npm setup failure, npm publish access failure, and duplicate Python diagnostic step.
  • Compared the Rust, JavaScript, Python, and C# templates. The Rust/Python templates already had the right shape; the JavaScript template has the same npm minimum-version issue.
  • Filed upstream template follow-up: "setup-npm.mjs should enforce npm >= 11.5.1 after fallbacks" (js-ai-driven-development-pipeline-template#48)

Verification

  • JS: npm test
  • JS: npm run lint (0 errors; existing warnings remain in unrelated files)
  • JS: npm run format:check
  • JS: npm run check:duplication
  • JS: node scripts/validate-changeset.mjs
  • Rust: node --test rust/scripts/*.test.mjs
  • Rust: node --test experiments/issue-31/test-rust-release-helpers.mjs
  • Rust: cargo fmt --check
  • Rust: cargo clippy --all-targets --all-features
  • Rust: cargo test --verbose
  • Rust: cargo test --doc --verbose
  • Rust: cargo run --example basic_usage
  • Rust: cargo package --list --allow-dirty
  • Rust: HAS_FRAGMENTS=true node scripts/check-release-needed.mjs
  • Python: ruff check src tests
  • Python: ruff format --check src tests
  • Python: mypy src
  • Python: pytest tests/ -v --cov=src --cov-report=xml --cov-report=term
  • Python: python scripts/check_file_size.py
  • Repo: git diff --check
  • Repo: YAML parse check for .github/workflows/python.yml, .github/workflows/rust.yml, and .github/workflows/js.yml

Registry Configuration Still Required

The workflow code now fails honestly and gives clearer operator guidance, but package registry trust settings still need to match this repository:

  • npm package lino-objects-codec: configure trusted publishing for this repo and .github/workflows/js.yml, or fix package access/ownership.
  • PyPI project: configure the trusted publisher for owner link-foundation, repo lino-objects-codec, workflow python.yml, and the configured environment value.
  • crates.io: keep CARGO_REGISTRY_TOKEN or CARGO_TOKEN valid for the crate.

Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: #31
konard changed the title from "[WIP] CI/CD is broken" to "fix(ci): harden release workflows" May 3, 2026
konard marked this pull request as ready for review May 3, 2026 18:32
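
The two gates the description names (fail closed on an ambiguous registry probe, and a final Node.js/npm minimum-version check after fallbacks), sketched as an added example that is not code from this PR or repository. The function names and the probe-result shape are assumptions, as is treating only HTTP 200 and 404 as definite probe answers; the version thresholds are the ones stated in the description.

```javascript
// Added illustration; names and the probe-result shape are assumptions,
// not the repository's scripts.
const MIN_NODE = '22.14.0'; // thresholds stated in the PR description
const MIN_NPM = '11.5.1';

// Compare dotted numeric versions; true when actual >= minimum.
// Unparseable input throws, so a garbled version string cannot pass the gate.
function meetsMinimum(actual, minimum) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
    if (!m) throw new Error(`unparseable version: ${v}`);
    return m.slice(1).map(Number);
  };
  const a = parse(actual);
  const b = parse(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Final check, run after any npm upgrade or fallback has been attempted:
// returns the list of unmet requirements (empty means the toolchain is usable).
function checkToolchain(nodeVersion, npmVersion) {
  const problems = [];
  if (!meetsMinimum(nodeVersion, MIN_NODE)) problems.push(`node ${nodeVersion} < ${MIN_NODE}`);
  if (!meetsMinimum(npmVersion, MIN_NPM)) problems.push(`npm ${npmVersion} < ${MIN_NPM}`);
  return problems;
}

// Map an "is this version already published?" probe to a release decision.
// Only a definite "not found" permits publishing; a timeout, rate limit or
// server error stops the job instead of risking a duplicate publish.
function decidePublish(probe) {
  if (probe.error) return { action: 'fail', reason: `probe error: ${probe.error}` };
  if (probe.status === 200) return { action: 'skip', reason: 'version already published' };
  if (probe.status === 404) return { action: 'publish', reason: 'version not found' };
  return { action: 'fail', reason: `ambiguous probe status ${probe.status}` };
}
```

A workflow step using this shape would exit non-zero on `fail` or on a non-empty `checkToolchain` result, so a later step cannot report success.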

konard commented May 3, 2026

Working session summary

Done. PR 32 is updated, pushed, and ready for review:

#32

Implemented:

Verification:

One residual note: CI has GitHub’s Node 20 action deprecation annotations from upstream actions, but they are warnings only and all checks passed. Registry trusted-publisher/package-access settings still need to be correct for actual publish jobs. Sources used: npm trusted publishing docs https://docs.npmjs.com/trusted-publishers and PyPI troubleshooting docs https://docs.pypi.org/trusted-publishers/troubleshooting/.


This summary was automatically extracted from the AI working session output.


konard commented May 3, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Model: GPT-5.5
  • Provider: OpenAI
  • Public pricing estimate: $19.784631

📊 Context and tokens usage:

  • 499.5K / 1.1M (48%) input tokens, 55.7K / 128K (44%) output tokens

Total: (499.5K + 12.3M cached) input tokens, 55.7K output tokens, $19.784631 cost

🤖 Models used:

  • Tool: OpenAI Codex
  • Requested: gpt-5.5
  • Model: GPT-5.5 (gpt-5.5)

📎 Log file uploaded as Repository (68768KB)


The working session has now ended; feel free to review and add any feedback on the solution draft.


konard commented May 3, 2026

✅ Ready to merge

This pull request is now ready to be merged:

  • All CI checks have passed
  • No merge conflicts
  • No pending changes

Monitored by hive-mind with --auto-restart-until-mergeable flag

konard merged commit e1303e2 into main May 3, 2026
27 checks passed