New GitHub Actions check that scans every PR commit for
`Co-authored-by: ... claude ...` or `... anthropic ...` trailers and
fails the PR with a clear remediation message if found. Contributors
can still use AI tools; the trailer attribution must be removed before
the PR is eligible to merge, consistent with the project contributor
guidelines.
The workflow scans only commits introduced by the PR
(base.sha..head.sha), so existing history is untouched.
Triggers on v* tag push or manual dispatch. Builds, tests, then publishes
codeburn to npm with provenance attestation. Uses OIDC so no NPM_TOKEN is
stored in repo secrets. The npm-publish GitHub Environment gates the
publish step behind a required reviewer, so every release needs explicit
human approval before it reaches the registry.
Tag/package version mismatch fails fast before any build work. Tests run
before publish to prevent shipping a broken release.
Removes references to future signing decisions, dollar amounts, and
star thresholds from the menubar README, the CHANGELOG, the release
workflow (its YAML comments and the auto-generated release body), and
the packaging script. The technical description stays; the 'we are
not paying for X right now' framing is out.
