chore: add tagged release assets for installers

Author: nehal-a2z

.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "coderabbit",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "AI-powered code review in Claude Code, powered by CodeRabbit",
   "homepage": "https://docs.coderabbit.ai/cli/claude-code-integration",
   "author": {

.cursor-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "coderabbit",
   "displayName": "CodeRabbit",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "AI-powered code review and review-comment autofix for Cursor, powered by CodeRabbit.",
   "author": {
     "name": "CodeRabbit AI",

.github/workflows/release.yml

@@ -0,0 +1,66 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out tagged source
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build archive, checksum, and manifest
+        env:
+          TAG_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          VERSION="${TAG_NAME#v}"
+          ARCHIVE_NAME="coderabbit-skills-${TAG_NAME}.tar.gz"
+          CHECKSUM_NAME="coderabbit-skills-${TAG_NAME}.sha256"
+          RELEASE_BASE_URL="https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAG_NAME}"
+          SOURCE_TARBALL_URL="https://codeload.github.com/${GITHUB_REPOSITORY}/tar.gz/refs/tags/${TAG_NAME}"
+
+          git archive \
+            --format=tar.gz \
+            --prefix="coderabbit-skills-${VERSION}/" \
+            "${TAG_NAME}" > "${ARCHIVE_NAME}"
+
+          sha256sum "${ARCHIVE_NAME}" > "${CHECKSUM_NAME}"
+          ARCHIVE_SHA256="$(cut -d ' ' -f1 "${CHECKSUM_NAME}")"
+          PUBLISHED_AT="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+
+          printf '%s\n' \
+            '{' \
+            "  \"version\": \"${VERSION}\"," \
+            "  \"tag\": \"${TAG_NAME}\"," \
+            "  \"publishedAt\": \"${PUBLISHED_AT}\"," \
+            '  "archive": {' \
+            "    \"name\": \"${ARCHIVE_NAME}\"," \
+            "    \"url\": \"${RELEASE_BASE_URL}/${ARCHIVE_NAME}\"," \
+            "    \"sha256\": \"${ARCHIVE_SHA256}\"" \
+            '  },' \
+            '  "checksum": {' \
+            "    \"name\": \"${CHECKSUM_NAME}\"," \
+            "    \"url\": \"${RELEASE_BASE_URL}/${CHECKSUM_NAME}\"" \
+            '  },' \
+            "  \"sourceTarballUrl\": \"${SOURCE_TARBALL_URL}\"" \
+            '}' > release-manifest.json
+
+      - name: Publish GitHub release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            coderabbit-skills-*.tar.gz
+            coderabbit-skills-*.sha256
+            release-manifest.json
+          generate_release_notes: true

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this repository are documented in this file.
 
+## [1.1.1] - 2026-04-22
+
+### Added
+
+- GitHub release workflow that builds a tagged source archive, SHA-256 checksum,
+  and `release-manifest.json` for binary consumers.
+
+### Changed
+
+- Documented the tag-pinned, checksum-verified install contract for binary
+  installers in `README.md`.
+- Added the tagged release archive channel to `DISTRIBUTION_CHANNELS.md`.
+
 ## [1.1.0] - 2026-04-21
 
 ### Added

DISTRIBUTION_CHANNELS.md

@@ -0,0 +1,25 @@
+# Distribution Channels
+
+Last verified: 2026-04-22
+
+This file is the repository's operating inventory for where CodeRabbit skills and adjacent agent integrations are distributed. Update it whenever a channel is launched, deprecated, moved, or repackaged.
+
+## Channels
+
+| Channel | Status | Source of truth | Notes |
+| --- | --- | --- | --- |
+| Skills package (`npx skills add coderabbitai/skills`) | Live | `README.md`, `skills/` | Canonical multi-agent distribution path for 35+ skills-compatible agents. |
+| Tagged GitHub release archive for binary installers | Repo-configured, publish on `v*` tag push | `.github/workflows/release.yml`, `README.md` | Publishes a versioned tarball, SHA-256 file, and release manifest; consumers should pin tags and reject checksum mismatch. |
+| Claude Code plugin marketplace | Live | `.claude-plugin/plugin.json`, `commands/`, `agents/` | In-repo packaging is active and documented. |
+| Cursor native plugin marketplace | Repo-packaged, publication should be verified | `.cursor-plugin/plugin.json` | Repo contains marketplace manifest; treat public listing as separate verification work. |
+| Codex plugin marketplace | Live, separate repo | CodeRabbit docs + `coderabbitai/codex-plugin` | Not packaged from this repository today. |
+| VS Code / Cursor / Windsurf IDE extension | Live, separate distribution | CodeRabbit IDE extension docs | Complements skills; not a replacement for `SKILL.md` installs. |
+| GitHub Marketplace app (PR reviews) | Live, separate product channel | CodeRabbit GitHub Marketplace listing | Product distribution, not a skills install path. |
+
+## Maintenance checklist
+
+- When README install text changes, verify this table still matches the recommended paths.
+- When the release workflow or asset names change, update the binary-installer row and its verification note.
+- When a new marketplace manifest is added, record whether it is only packaged in-repo or publicly published.
+- If a channel moves to another repository, keep the status here and link the new owner repo in the note.
+- If a channel is deprecated, keep it in this file until all docs and install references are removed.

README.md

@@ -1,6 +1,6 @@
 # CodeRabbit Skills
 
-![Version](https://img.shields.io/badge/version-1.0.0-blue)
+![Version](https://img.shields.io/badge/version-1.1.1-blue)
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 [![Agents](https://img.shields.io/badge/works_with-35%2B_agents-brightgreen)](#supported-agents)
 
@@ -44,6 +44,26 @@ Installation options for the skills installer:
 | `-s, --skill`  | Install particular skills by name                |
 | `--all`        | Install all skills to all agents without prompts |
 
+#### Tagged release archives for binary installers
+
+Consumers embedding these skills in a binary or installer should pin an
+immutable release tag and verify the downloaded archive before unpacking it.
+Do not consume branch archives such as `refs/heads/main`.
+
+Every `v*` release tag publishes these GitHub release assets:
+
+- `coderabbit-skills-vX.Y.Z.tar.gz`
+- `coderabbit-skills-vX.Y.Z.sha256`
+- `release-manifest.json`
+
+Preferred install flow for non-interactive consumers:
+
+1. Pin a release tag such as `v1.1.1`.
+2. Download `release-manifest.json` and `coderabbit-skills-vX.Y.Z.tar.gz` from
+   that release.
+3. Verify the archive SHA-256 against the manifest or `.sha256` asset.
+4. Reject the install if the checksum does not match.
+
 ### Claude Code Plugin
 
 Claude Code users can also install this as a plugin directly from the official marketplace:
@@ -77,6 +97,9 @@ For the current recommended setup, see the
 Codex users can install the official CodeRabbit plugin by following the
 [Codex app integration guide](https://docs.coderabbit.ai/cli/codex-integration#codex-app).
 
+For an at-a-glance inventory of active and repo-packaged distribution paths, see
+[DISTRIBUTION_CHANNELS.md](DISTRIBUTION_CHANNELS.md).
+
 ## Usage
 
 Once installed, just ask your agent: