feat: add prepare and publish composite actions

Add two focused subdirectory composite actions:

- prepare/action.yml: downloads the vociferate binary, runs it to update
  changelog and release-version, then commits, tags, and pushes — replacing
  the boilerplate git steps consumers previously had to write inline.

- publish/action.yml: extracts the matching changelog section and creates or
  updates the Gitea/GitHub release. Outputs release-id, tag, and version so
  consumers can upload their own assets after it runs.

Simplify the vociferate workflows to use ./prepare and ./publish directly,
validating both actions in the self-release pipeline.

Update README to show the clean two-action usage pattern.

prepare/action.yml

@@ -0,0 +1,210 @@
+name: vociferate/prepare
+description: >
+  Download vociferate, prepare release files, then commit, tag, and push.
+  The repository must be checked out before this action runs.
+
+inputs:
+  token:
+    description: >
+      Token used to download the vociferate binary and to push the release
+      commit and tag. Defaults to the workflow token.
+    required: false
+    default: ''
+  version:
+    description: >
+      Optional semantic version override (with or without leading v). When
+      omitted, the recommended next version is derived from the changelog.
+    required: false
+    default: ''
+  version-file:
+    description: >
+      Path to version file relative to repository root. When omitted, the
+      current version is derived from the most recent released section in
+      the changelog.
+    required: false
+    default: ''
+  version-pattern:
+    description: >
+      Regular expression with one capture group containing the version value.
+      Only required when version-file is set.
+    required: false
+    default: ''
+  changelog:
+    description: Path to changelog file relative to repository root.
+    required: false
+    default: changelog.md
+  git-user-name:
+    description: Name for the release commit author.
+    required: false
+    default: 'gitea-actions[bot]'
+  git-user-email:
+    description: Email for the release commit author.
+    required: false
+    default: 'gitea-actions[bot]@users.noreply.local'
+  git-add-files:
+    description: >
+      Space-separated list of file paths to stage for the release commit.
+      Defaults to changelog.md and release-version. Adjust when using a
+      custom version-file.
+    required: false
+    default: 'changelog.md release-version'
+
+outputs:
+  version:
+    description: >
+      The resolved version tag (e.g. v1.2.3) that was committed and pushed.
+    value: ${{ steps.run-vociferate.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    - name: Resolve vociferate binary metadata
+      id: resolve-binary
+      shell: bash
+      env:
+        ACTION_REF: ${{ github.action_ref }}
+        SERVER_URL: ${{ github.server_url }}
+        API_URL: ${{ github.api_url }}
+        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        RUNNER_ARCH: ${{ runner.arch }}
+        RUNNER_TEMP: ${{ runner.temp }}
+      run: |
+        set -euo pipefail
+
+        case "$RUNNER_ARCH" in
+          X64)   arch="amd64" ;;
+          ARM64) arch="arm64" ;;
+          *)
+            echo "Unsupported runner architecture: $RUNNER_ARCH" >&2
+            exit 1
+            ;;
+        esac
+
+        release_tag="$ACTION_REF"
+        if [[ -z "$release_tag" || "$release_tag" == refs/* || "$release_tag" != v* ]]; then
+          release_tag="$(curl -fsSL \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_URL}/repos/aether/vociferate/releases/latest" | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)"
+        fi
+
+        if [[ -z "$release_tag" ]]; then
+          echo "Unable to resolve a vociferate release tag for binary download" >&2
+          exit 1
+        fi
+
+        normalized_version="${release_tag#v}"
+        asset_name="vociferate_${normalized_version}_linux_${arch}"
+        cache_dir="${RUNNER_TEMP}/vociferate/${release_tag}/linux-${arch}"
+        binary_path="${cache_dir}/vociferate"
+        asset_url="${SERVER_URL}/aether/vociferate/releases/download/${release_tag}/${asset_name}"
+
+        mkdir -p "$cache_dir"
+
+        echo "release_tag=$release_tag"   >> "$GITHUB_OUTPUT"
+        echo "asset_name=$asset_name"     >> "$GITHUB_OUTPUT"
+        echo "asset_url=$asset_url"       >> "$GITHUB_OUTPUT"
+        echo "cache_dir=$cache_dir"       >> "$GITHUB_OUTPUT"
+        echo "binary_path=$binary_path"   >> "$GITHUB_OUTPUT"
+
+    - name: Restore cached vociferate binary
+      id: cache-vociferate
+      uses: actions/cache@v4
+      with:
+        path: ${{ steps.resolve-binary.outputs.cache_dir }}
+        key: vociferate-${{ steps.resolve-binary.outputs.release_tag }}-linux-${{ runner.arch }}
+
+    - name: Download vociferate binary
+      if: steps.cache-vociferate.outputs.cache-hit != 'true'
+      shell: bash
+      env:
+        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        ASSET_URL: ${{ steps.resolve-binary.outputs.asset_url }}
+        BINARY_PATH: ${{ steps.resolve-binary.outputs.binary_path }}
+      run: |
+        set -euo pipefail
+
+        curl --fail --location \
+          -H "Authorization: token ${TOKEN}" \
+          -o "$BINARY_PATH" \
+          "$ASSET_URL"
+        chmod +x "$BINARY_PATH"
+
+    - name: Run vociferate
+      id: run-vociferate
+      shell: bash
+      env:
+        VOCIFERATE_BIN: ${{ steps.resolve-binary.outputs.binary_path }}
+        INPUT_VERSION: ${{ inputs.version }}
+      run: |
+        set -euo pipefail
+
+        common_args=(--root .)
+
+        if [[ -n "${{ inputs.version-file }}" ]]; then
+          common_args+=(--version-file "${{ inputs.version-file }}")
+        fi
+
+        if [[ -n "${{ inputs.version-pattern }}" ]]; then
+          common_args+=(--version-pattern "${{ inputs.version-pattern }}")
+        fi
+
+        if [[ -n "${{ inputs.changelog }}" ]]; then
+          common_args+=(--changelog "${{ inputs.changelog }}")
+        fi
+
+        provided_version="$(printf '%s' "${INPUT_VERSION:-}" | sed 's/^[[:space:]]\+//; s/[[:space:]]\+$//')"
+        if [[ -z "$provided_version" ]]; then
+          provided_version="$("$VOCIFERATE_BIN" "${common_args[@]}" --recommend)"
+        fi
+
+        normalized_version="${provided_version#v}"
+        tag="v${normalized_version}"
+
+        "$VOCIFERATE_BIN" "${common_args[@]}" --version "$provided_version" --date "$(date -u +%F)"
+
+        echo "version=$tag" >> "$GITHUB_OUTPUT"
+
+    - name: Commit and push release
+      shell: bash
+      env:
+        TOKEN: ${{ inputs.token != '' && inputs.token || github.token }}
+        GIT_USER_NAME: ${{ inputs.git-user-name }}
+        GIT_USER_EMAIL: ${{ inputs.git-user-email }}
+        GIT_ADD_FILES: ${{ inputs.git-add-files }}
+        RELEASE_TAG: ${{ steps.run-vociferate.outputs.version }}
+        GITHUB_SERVER_URL: ${{ github.server_url }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
+      run: |
+        set -euo pipefail
+
+        if git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
+          echo "Tag ${RELEASE_TAG} already exists" >&2
+          exit 1
+        fi
+
+        case "$GITHUB_SERVER_URL" in
+          https://*)
+            authed_remote="https://oauth2:${TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git"
+            ;;
+          http://*)
+            authed_remote="http://oauth2:${TOKEN}@${GITHUB_SERVER_URL#http://}/${GITHUB_REPOSITORY}.git"
+            ;;
+          *)
+            echo "Unsupported GITHUB_SERVER_URL: ${GITHUB_SERVER_URL}" >&2
+            exit 1
+            ;;
+        esac
+
+        git config user.name  "$GIT_USER_NAME"
+        git config user.email "$GIT_USER_EMAIL"
+        git remote set-url origin "$authed_remote"
+
+        for f in $GIT_ADD_FILES; do
+          git add "$f"
+        done
+
+        git commit -m "release: prepare ${RELEASE_TAG}"
+        git tag "$RELEASE_TAG"
+        git push origin HEAD
+        git push origin "$RELEASE_TAG"