fix(ci): re-add changelog and git plugins with signed commit support

[skevetter]

Summary

• Re-added @semantic-release/changelog and @semantic-release/git plugins to .releaserc.json (incorrectly removed in e971f37)
• Added tagFormat: "v${version}" for consistent tag naming
• Configured git identity (devsy-bot[bot]) in semantic-release.yml for signed commits
• Added persist-credentials: true to checkout step for git push capability

Summary by CodeRabbit

• Chores
  • Optimized release automation workflow to ensure persistent credential handling during repository checkout and establish standardized git identity configuration for release commits
  • Extended release configuration to support automatic changelog generation, improve GitHub release integration with detailed status comments, and automate commits for version and changelog files

[netlify]

✅ Deploy Preview for devsydev canceled.

Name	Link
🔨 Latest commit	6630228
🔍 Latest deploy log	https://app.netlify.com/projects/devsydev/deploys/6a0c494f6febf70007c9867e

[coderabbitai]

Warning

Rate limit exceeded

@skevetter has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 52 minutes and 51 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c707c69-a4af-4fd8-83ee-84f3f64d6bd2

📥 Commits

Reviewing files that changed from the base of the PR and between b3279fb and 6630228.

📒 Files selected for processing (1)

• .github/workflows/semantic-release.yml

📝 Walkthrough

Walkthrough

The PR updates the semantic-release workflow by adding git credential persistence and identity configuration to the GitHub Actions checkout step, then updates .releaserc.json to configure tag formatting, changelog generation, GitHub notifications, and automated git commits of release artifacts with templated commit messages.

Changes

Semantic Release Automation

Layer / File(s)	Summary
Workflow Git Authentication and Identity .github/workflows/semantic-release.yml	Checkout action persists credentials and a new step configures git user name and email to devsy-bot[bot] for authenticated release commits.
Semantic-Release Configuration .releaserc.json	Tag format is set to v${version}, plugins are added for changelog generation (@semantic-release/changelog), GitHub integration (@semantic-release/github), and git commits (@semantic-release/git) configured to commit CHANGELOG.md and package.json with templated release notes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

size/xs

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: re-adding changelog and git plugins with signed commit support, matching the PR objectives of restoring removed plugins and configuring git identity.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/semantic-release.yml:
- Around line 35-38: The workflow currently sets a custom Git identity via the
git config commands that set user.name and user.email, which prevents GitHub's
bot signature verification; either remove those git config lines so
semantic-release uses the GitHub App identity (allowing automatic verified
commits), or keep them but implement explicit commit signing by importing a
GPG/SSH key and configuring commit.gpgsign and user.signingkey in the workflow
before committing so created commits are verified; update the semantic-release
job accordingly and ensure the chosen approach satisfies branch protection rules
for verified commits.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b997bb89-fd9a-4b9e-a2b0-73e3428a925e

📥 Commits

Reviewing files that changed from the base of the PR and between e971f37 and b3279fb.

📒 Files selected for processing (2)

• .github/workflows/semantic-release.yml
• .releaserc.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

# First, let's check if the workflow file exists and read the relevant lines
fd -type f -name "semantic-release.yml"

Repository: devsy-org/devsy

Length of output: 230

---

🏁 Script executed:

# Read the workflow file to see the actual content
cat -n .github/workflows/semantic-release.yml | head -50

Repository: devsy-org/devsy

Length of output: 1636

---

🌐 Web query:

GitHub bot signature verification custom author committer metadata

💡 Result:

GitHub provides a mechanism for GitHub Apps and bots to have their commits automatically marked as "Verified" without requiring manual GPG or SSH key management [1][2]. However, this automatic verification is subject to strict constraints regarding commit metadata [1][2]. To receive a "Verified" status via a bot signature, the commit request must meet the following criteria: 1. The request must be authenticated as the GitHub App or bot [1][2]. 2. The commit must contain no custom author information [1][2]. 3. The commit must contain no custom committer information [1][2]. 4. The commit must contain no custom signature information (e.g., it cannot be manually signed via the Commits API) [1][2]. If you provide custom author or committer metadata, GitHub will not apply the automatic bot signature verification [1][2]. In such cases, the commit will remain unverified unless it is signed using a GPG, SSH, or S/MIME key associated with a user account or a configured bot identity [2][3]. For workflows that require both custom metadata (such as specific author/committer names and emails) and verified status, you must manually sign the commits [4][5]. This is typically achieved in GitHub Actions by: - Importing a GPG or SSH private key into the runner environment [4][5]. - Configuring the local Git environment (e.g., user.name, user.email, commit.gpgsign, and user.signingkey) to use that key [4][5]. - Performing the commit locally within the runner, which allows you to specify the desired author and committer metadata while still producing a cryptographically verifiable signature [4][5][6]. Note that the GitHub REST API for creating commits allows for custom author and committer fields, but using these fields will disqualify the commit from the automatic bot signature verification process [1][7][6].

Citations:

• 1: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
• 2: https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/about-commit-signature-verification
• 3: https://docs.github.com/en/authentication/managing-commit-signature-verification
• 4: https://github.com/marketplace/actions/git-ssh-signing-action
• 5: For anyone looking to add commit signing (GPG) stefanzweifel/git-auto-commit-action#334
• 6: https://192dot.medium.com/sign-commit-using-github-actions-app-13488f6e76b7
• 7: https://docs.github.com/rest/git/commits

---

Custom git identity prevents bot signature verification on release commits.

Lines 35-38 set custom author/committer metadata (user.name and user.email). However, GitHub's bot signature verification explicitly requires that commits contain no custom author or committer information to be automatically marked verified. With this configuration, semantic-release will create commits that are not verified, even though authenticated as a bot via the GitHub App token.

Choose one path:

1. Remove lines 35-38 to allow automatic bot signature verification (semantic-release will use the app identity), or
2. Add manual GPG/SSH signing (import key, configure commit.gpgsign, user.signingkey) to obtain verified commits with custom metadata.

Verify the approach meets your branch protection requirements for verified commits.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/semantic-release.yml around lines 35 - 38, The workflow
currently sets a custom Git identity via the git config commands that set
user.name and user.email, which prevents GitHub's bot signature verification;
either remove those git config lines so semantic-release uses the GitHub App
identity (allowing automatic verified commits), or keep them but implement
explicit commit signing by importing a GPG/SSH key and configuring
commit.gpgsign and user.signingkey in the workflow before committing so created
commits are verified; update the semantic-release job accordingly and ensure the
chosen approach satisfies branch protection rules for verified commits.