fix: add production environment to release-please workflow for npm publishing

[buremba]

Summary

• Add environment: production to the release-please workflow job
• This allows the workflow to access the NPM_TOKEN secret stored in the production environment
• Fixes npm package publishing which was failing due to missing token

Context

The NPM_TOKEN is stored in the production environment secrets, but the release-please workflow wasn't configured to use that environment. This prevented npm packages (create-peerbot and @peerbot/worker) from being published when releases were created.

Test Plan

• Merge this PR
• Merge the pending release PR chore(main): release 2.0.0 #80 (v2.0.0)
• Verify that npm packages are published successfully
• Check that npm view create-peerbot and npm view @peerbot/worker return the published packages

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore missing templates required by init command

The new initCommand renders .env.tmpl and .gitignore.tmpl via renderTemplate, but the templates directory now only contains Dockerfile and README templates. At runtime this call will throw an ENOENT before any files are created, causing create-peerbot to fail immediately for every user. Either add these template files back or stop referencing them.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Provide an actual CLI executable for the published package

The package metadata still advertises a binary at ./bin/create-peerbot.js, but the repository no longer contains a bin directory or that file. After publishing, npx create-peerbot will fail with a "file not found" error because Node cannot locate the executable. Point the bin entry at a real built file (e.g. dist/index.js) or reintroduce the missing script before publishing.

Useful? React with 👍 / 👎.

[claude]

Claude finished @buremba's task —— View job

---

PR Review Analysis

I'll provide a comprehensive review of this PR that adds production environment configuration for npm publishing.

Todo List:

• Read and analyze changed files
• Review workflow configuration changes
• Assess security implications
• Validate Codex feedback about missing templates/CLI
• Check package renaming consistency
• Provide final review feedback

Summary

Primary Issue: This PR correctly adds environment: production to access NPM_TOKEN, but two critical regression bugs from the previous refactor (commit bac16cf) will prevent successful publishing and break user experience.

---

🚨 Critical Issues (Must Fix Before Merge)

1. Missing CLI Executable (P1)

• Issue: packages/cli/package.json:8 declares "bin": {"create-peerbot": "./bin/create-peerbot.js"} but /bin/create-peerbot.js doesn't exist
• Impact: npx create-peerbot fails with "file not found" after publishing
• Root Cause: Renamed from peerbot to create-peerbot in bac16cf but never created the new bin file
• Fix: Either create /bin/create-peerbot.js or update package.json bin to point to "dist/index.js"

2. Missing Template Files (P1)

• Issue: init.ts:462,483 calls renderTemplate(".env.tmpl") and renderTemplate(".gitignore.tmpl") but these files were deleted in commit bac16cf
• Impact: create-peerbot init crashes immediately with ENOENT errors for all users
• Root Cause: Templates package.json.tmpl, peerbot.config.js.tmpl, .gitignore.tmpl were removed but code still references them
• Evidence: ✅ .gitignore.tmpl existed before bac16cf, ❌ missing after
• Fix: Restore missing template files or update init.ts to not reference them

---

✅ What Works Well

Workflow Security & Configuration

• Correct Fix: Adding environment: production properly grants access to NPM_TOKEN
• Security: No credential exposure, proper use of GitHub environments
• Process: Conditional publishing only on release creation is appropriate

Package Renaming Consistency

• Package name correctly changed from @peerbot/cli → create-peerbot
• Supports both npm create peerbot and npx create-peerbot conventions
• Build script properly copies templates to dist/

---

🔍 Additional Observations

Build Process

• Enhanced build script copies templates from src/templates/ to dist/templates/ ✅
• TypeScript compilation to dist/ works correctly ✅

Template Architecture Change

The refactor simplified from complex config-driven templates to simple Docker Compose approach:

• Removed: package.json.tmpl, peerbot.config.js.tmpl (advanced config)
• Kept: Dockerfile.worker*.tmpl, README.md.tmpl ✅
• Missing: .env.tmpl still referenced in code ❌

---

🛠️ Recommended Actions

Block Merge Until Fixed:

1. Fix CLI executable: Create /bin/create-peerbot.js or update package.json bin path
2. Fix missing templates: Either restore .env.tmpl/.gitignore.tmpl or update init.ts logic

After Fixes:

• Test publishing workflow with pending release PR chore(main): release 2.0.0 #80
• Verify npx create-peerbot init works end-to-end

Security: No concerns - environment approach is secure and follows best practices.