fix: clean up and harden GitHub Actions workflows

[GenerQAQ]

Why we need this PR?

The workflow filenames documented in AGENTS.md don't match the actual files under .github/workflows/. Multiple workflows also have incorrect path filters, inconsistent Node.js/pnpm versions, missing version checks, and other issues that can cause CI triggers to be missed or release pipelines to behave inconsistently. Additionally, all 10 release workflows generate static changelog templates (just a title + install command) with no actual code changes listed between versions.

Describe your solution

Systematic fixes across all 27 workflow files and AGENTS.md:

1. AGENTS.md table correction — Update Workflow column to match actual filenames
2. Path filter fix — Add src/packages/sandbox-cloudflare/** to package-test-sandbox-cloudflare.yaml
3. Remove workflow_dispatch — 10 release workflows now trigger only on tags
4. Remove version comments — Strip # vX.Y.Z from all action SHA pins (SHA itself is the pin)
5. Unify Node.js to 22 — Upgrade from 20 in 9 files
6. Unify pnpm to 10 — Upgrade from 9 in docs-test.yaml
7. Fix pnpm installation — security-reusable.yaml now uses pnpm/action-setup action instead of npm install -g pnpm
8. Add --provenance to npm publish — 3 npm release workflows (OIDC trusted publishers auth)
9. Fix cache key — package-release-openclaw.yaml cache-dependency-path changed to package-lock.json
10. Helm chart version check — publish-chart.yaml now verifies tag matches Chart.yaml version before publishing
11. Path-scoped changelog generation — New reusable script .github/scripts/generate-changelog.sh replaces static changelog templates in all release workflows. Scopes git log to each component's source directory and groups commits by conventional commit type (Features, Bug Fixes, Other).
12. Helm chart GitHub Release — publish-chart.yaml now creates a GitHub Release (was missing entirely)

Implementation Tasks

• Update AGENTS.md workflow filename table
• Fix package-test-sandbox-cloudflare.yaml path filters
• Remove workflow_dispatch from all release workflows
• Remove version comments from action SHA pins (27 files)
• Unify Node.js version to 22 (9 files)
• Unify pnpm version to 10 (docs-test.yaml)
• Fix security-reusable.yaml pnpm installation method
• Add --provenance to npm publish steps (OIDC trusted publishers)
• Fix package-release-openclaw.yaml cache dependency path
• Add version verification step to publish-chart.yaml
• Create .github/scripts/generate-changelog.sh reusable changelog script
• Replace inline changelog in _reusable-docker-release.yaml (add source_dir input)
• Pass source_dir from api/core/ui-release.yaml callers
• Replace inline changelog in cli-release.yaml, client-release-ts.yaml, client-release-py.yaml
• Replace heredoc changelog in package-release-openclaw.yaml, package-release-sandbox-cloudflare.yaml, package-release-claude-code.yaml
• Add GitHub Release step to publish-chart.yaml
• Update AGENTS.md to document changelog script

Impact Areas

• Documentation
• Other: CI/CD workflows (all 27 workflow files)

Checklist

• Open your pull request against the dev branch.
• All tests pass in available continuous integration systems (e.g., GitHub Actions).
• Tests are added or modified as needed to cover code changes.

🤖 Generated with Claude Code

[GenerQAQ]

Code review

Found 1 issue:

1. generate-changelog.sh requires full git history, but all release workflows use shallow clones (default fetch-depth: 1). The script calls git tag -l on line 55 to find the previous tag, but with a shallow clone no prior tags are available. This means PREV_TAG will always be empty, and every release changelog will say "Initial release." instead of listing actual commits. All checkout steps that precede the changelog script need with: fetch-depth: 0 (or at minimum fetch-tags: true).

Affected workflows: _reusable-docker-release.yaml, cli-release.yaml, client-release-ts.yaml, client-release-py.yaml, package-release-openclaw.yaml, package-release-sandbox-cloudflare.yaml, package-release-claude-code.yaml, publish-chart.yaml.

Script (tag lookup that will fail on shallow clone):

Acontext/.github/scripts/generate-changelog.sh

Lines 54 to 58 in a4740db

	# ---------------------------------------------------------------------------
	PREV_TAG=$(git tag -l "${TAG_PREFIX}*" --sort=-v:refname \
	| grep -v "^${CURRENT_TAG}$" \
	| head -1) || true

Example checkout missing fetch-depth: 0:

Acontext/.github/workflows/cli-release.yaml

Lines 17 to 19 in a4740db

	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

Acontext/.github/workflows/_reusable-docker-release.yaml

Lines 36 to 38 in a4740db

	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}

[GenerQAQ]

Fix: Add fetch-depth: 0 to release workflow checkouts

generate-changelog.sh relies on git tag -l and git log to build changelogs, but all release workflows were using shallow clones (fetch-depth: 1 by default). This meant the script could never find previous tags and always fell back to outputting "Initial release." instead of real commit history.

Changes:

• Added fetch-depth: 0 to the actions/checkout step in the job that runs generate-changelog.sh across all 8 release workflows
• Updated AGENTS.md to document this requirement so future workflow changes don't regress