publish(task 22): github-actions-workflow für auto-publish

.github/workflows/publish.yml triggert bei:
  - push auf main mit änderungen in content/posts/**
  - manuellem workflow_dispatch (optional mit force_all=true)

ablauf:
  1. deno 2.x setup
  2. pre-flight check (bunker, kind:10002, kind:10063)
  3. publish (diff-modus per default, force-all bei manuellem trigger)
  4. log-artefakt (publish-*.json, 30 tage retention)

benötigt 4 repo-secrets im github-ui:
  - BUNKER_URL
  - AUTHOR_PUBKEY_HEX
  - BOOTSTRAP_RELAY
  - CLIENT_SECRET_HEX (stabile client-identität für amber-permissions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/publish.yml

@@ -0,0 +1,57 @@
+name: Publish Nostr Events
+
+on:
+  push:
+    branches: [main]
+    paths: ['content/posts/**']
+  workflow_dispatch:
+    inputs:
+      force_all:
+        description: 'Publish all posts (--force-all)'
+        type: boolean
+        default: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: denoland/setup-deno@v2
+        with:
+          deno-version: v2.x
+
+      - name: Pre-Flight Check
+        working-directory: ./publish
+        env:
+          BUNKER_URL: ${{ secrets.BUNKER_URL }}
+          AUTHOR_PUBKEY_HEX: ${{ secrets.AUTHOR_PUBKEY_HEX }}
+          BOOTSTRAP_RELAY: ${{ secrets.BOOTSTRAP_RELAY }}
+          CLIENT_SECRET_HEX: ${{ secrets.CLIENT_SECRET_HEX }}
+        run: |
+          deno run --allow-env --allow-read --allow-net src/cli.ts check
+
+      - name: Publish
+        working-directory: ./publish
+        env:
+          BUNKER_URL: ${{ secrets.BUNKER_URL }}
+          AUTHOR_PUBKEY_HEX: ${{ secrets.AUTHOR_PUBKEY_HEX }}
+          BOOTSTRAP_RELAY: ${{ secrets.BOOTSTRAP_RELAY }}
+          CLIENT_SECRET_HEX: ${{ secrets.CLIENT_SECRET_HEX }}
+          GITHUB_EVENT_BEFORE: ${{ github.event.before }}
+        run: |
+          if [ "${{ github.event.inputs.force_all }}" = "true" ]; then
+            deno run --allow-env --allow-read --allow-write=./logs --allow-net --allow-run=git src/cli.ts publish --force-all
+          else
+            deno run --allow-env --allow-read --allow-write=./logs --allow-net --allow-run=git src/cli.ts publish
+          fi
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: publish-log
+          path: ./publish/logs/publish-*.json
+          retention-days: 30