ci: add npm release workflow

.github/release-drafter.yml

@@ -0,0 +1,95 @@
+name-template: "plugin-inspector v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+category-template: "### $TITLE"
+change-template: "- $TITLE (#$NUMBER) @$AUTHOR"
+change-title-escapes: '\<*_&'
+no-changes-template: "- No merged pull requests in this release."
+
+categories:
+  - title: "Features"
+    labels:
+      - "feature"
+      - "enhancement"
+      - "feat"
+  - title: "Fixes"
+    labels:
+      - "bug"
+      - "fix"
+  - title: "Other Changes"
+    labels:
+      - "perf"
+      - "chore"
+      - "ci"
+      - "build"
+      - "dependencies"
+      - "dep"
+      - "deps"
+      - "docs"
+      - "refactor"
+      - "test"
+      - "tests"
+      - "other"
+
+exclude-labels:
+  - "skip-changelog"
+  - "no-changelog"
+
+version-resolver:
+  major:
+    labels:
+      - "major"
+  minor:
+    labels:
+      - "feat"
+      - "feature"
+      - "enhancement"
+  patch:
+    labels:
+      - "bug"
+      - "fix"
+      - "perf"
+      - "chore"
+      - "ci"
+      - "build"
+      - "dependencies"
+      - "dep"
+      - "deps"
+      - "docs"
+      - "refactor"
+      - "test"
+      - "tests"
+      - "other"
+  default: patch
+
+autolabeler:
+  - label: "skip-changelog"
+    title:
+      - '/^chore\(release\):/i'
+  - label: "feat"
+    title:
+      - '/^feat(\(.+\))?:/i'
+  - label: "fix"
+    title:
+      - '/^fix(\(.+\))?:/i'
+  - label: "docs"
+    title:
+      - '/^docs(\(.+\))?:/i'
+  - label: "refactor"
+    title:
+      - '/^refactor(\(.+\))?:/i'
+  - label: "test"
+    title:
+      - '/^test(s)?(\(.+\))?:/i'
+  - label: "chore"
+    title:
+      - '/^chore(\(.+\))?:/i'
+
+template: |
+  ## plugin-inspector v$RESOLVED_VERSION
+
+  Offline compatibility inspector for OpenClaw plugins.
+
+  $CHANGES
+
+  ### Contributors
+  $CONTRIBUTORS

.github/workflows/release-drafter.yml

@@ -0,0 +1,26 @@
+name: Release Drafter
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+  pull_request_target:
+    types:
+      - opened
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update_release_draft:
+    name: Update Release Draft
+    runs-on: ubuntu-latest
+    steps:
+      - name: Draft release notes
+        uses: release-drafter/release-drafter@v7
+        with:
+          disable-releaser: ${{ github.event_name != 'workflow_dispatch' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,80 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: "Release tag to publish (for example: v0.1.0)"
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Resolve release tag
+        env:
+          INPUT_TAG: ${{ inputs.tag_name }}
+        run: |
+          set -euo pipefail
+          TAG="${INPUT_TAG:-${GITHUB_REF_NAME}}"
+          if [[ ! "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$ ]]; then
+            echo "Invalid release tag: ${TAG}"
+            exit 1
+          fi
+          VERSION="${TAG#v}"
+          PACKAGE_VERSION="$(node -p 'JSON.parse(require("fs").readFileSync("package.json", "utf8")).version')"
+          if [ "${VERSION}" != "${PACKAGE_VERSION}" ]; then
+            echo "Tag ${TAG} does not match package.json version ${PACKAGE_VERSION}"
+            exit 1
+          fi
+          echo "RELEASE_TAG=${TAG}" >> "$GITHUB_ENV"
+          echo "RELEASE_VERSION=${VERSION}" >> "$GITHUB_ENV"
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
+
+      - name: Verify package
+        run: npm run release:local
+
+      - name: Verify npm token
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "${NODE_AUTH_TOKEN}" ]; then
+            echo "NPM_TOKEN repository secret is required to publish @openclaw/plugin-inspector."
+            exit 1
+          fi
+
+      - name: Publish GitHub release
+        uses: release-drafter/release-drafter@v7
+        with:
+          publish: true
+          tag: ${{ env.RELEASE_TAG }}
+          version: ${{ env.RELEASE_VERSION }}
+          name: "plugin-inspector ${{ env.RELEASE_TAG }}"
+          prerelease: ${{ contains(env.RELEASE_TAG, 'beta') || contains(env.RELEASE_TAG, 'alpha') || contains(env.RELEASE_TAG, 'rc') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish npm package
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+## 0.1.0 - 2026-04-27
+
+Initial public package release for `@openclaw/plugin-inspector`.
+
+### Added
+
+- Plugin-root `plugin-inspector check` command with optional `plugin-inspector.config.json`.
+- Static OpenClaw plugin compatibility reports, issue reports, and CI policy summaries.
+- Crabpot-compatible fixture-set inspection and report assembly APIs.
+- Target OpenClaw surface parsing for compat registry records, hook names, registrar names, SDK exports, and manifest type fields.
+- Package metadata, manifest, SDK import, hook, registration, runtime-capture, cold-import, synthetic-probe, runtime-profile, ref-diff, and profile-diff report helpers.
+- Optional `PLUGIN_INSPECTOR_EXECUTE_ISOLATED=1 plugin-inspector check --capture` runtime registration capture using a temporary mocked `openclaw/plugin-sdk`.
+- Copy-ready config and GitHub Actions examples under `examples/`.

docs/releasing.md

@@ -0,0 +1,44 @@
+# Releasing plugin-inspector
+
+`plugin-inspector` publishes from a signed Git tag through the GitHub Actions
+release workflow. The workflow runs the test suite, verifies the npm tarball,
+publishes a GitHub release, and publishes the public npm package with
+provenance.
+
+## First-time setup
+
+Add an npm automation token to the repository Actions secrets:
+
+```bash
+gh secret set NPM_TOKEN --app actions
+```
+
+The token must be allowed to publish `@openclaw/plugin-inspector` with public
+access.
+
+## Local verification
+
+```bash
+npm run release:local
+```
+
+This runs tests, `npm pack --dry-run`, and `npm publish --dry-run --access
+public`.
+
+## Publish
+
+For the initial release:
+
+```bash
+git tag -a v0.1.0 -m "plugin-inspector v0.1.0"
+git push origin v0.1.0
+```
+
+The same workflow can be triggered manually from GitHub Actions with
+`tag_name=v0.1.0`.
+
+## Release notes
+
+Release Drafter keeps a draft up to date from PR labels. For this first release,
+use the `CHANGELOG.md` `0.1.0` notes as the body if there is no PR history to
+summarize.

package.json

@@ -18,7 +18,7 @@
     "node": ">=22"
   },
   "bin": {
-    "plugin-inspector": "./src/cli.js"
+    "plugin-inspector": "src/cli.js"
   },
   "exports": {
     ".": "./src/index.js",
@@ -41,10 +41,12 @@
     "src",
     "examples",
     "README.md",
+    "CHANGELOG.md",
     "LICENSE"
   ],
   "scripts": {
-    "check": "npm test && npm pack --dry-run",
+    "check": "npm test && npm pack --dry-run && npm publish --dry-run --access public",
+    "release:local": "npm run check",
     "test": "node --test test/*.test.js"
   },
   "keywords": [