
feat: recognize security: commit prefix for changelog and versioning#802

Merged
BYK merged 1 commit into master from feat/security-commit-prefix, Apr 21, 2026

Conversation

BYK (Member) commented Apr 21, 2026

Summary

Adds a dedicated Security 🔒 category to the default release config, positioned between Breaking Changes and New Features. Commits prefixed security: (with optional scope and/or breaking marker !) are now recognized for both changelog grouping and auto-versioning.

| Commit | Category | Semver bump |
|---|---|---|
| `security: patch XSS` | Security 🔒 | patch |
| `security(auth): fix login bypass` | Security 🔒 (grouped under `auth` when multiple) | patch |
| `security!: rotate signing keys` | Breaking Changes 🛠 | major |
| `security(auth)!: rotate keys` | Breaking Changes 🛠 | major |

Why a dedicated section vs. folding into Bug Fixes

  1. Security fixes are the kind of entry downstream consumers scan changelogs for — giving them their own heading makes them discoverable.
  2. Conventional Commits and downstream tooling (Keep a Changelog, release-please) already treat security as a first-class type.
  3. Empty sections are not rendered, so the cost is zero when no security commits are present.

Design choices

  • Ordering: Security sits above feat:/fix: so a security: commit is never swallowed by a broader catch-all, but below Breaking Changes so security!: still escalates to major (consistent with every other type).
  • Pattern parity: ^(?<type>security(?:\((?<scope>[^)]+)\))?!?:\s*) mirrors the existing feat:/fix: patterns exactly — scope extraction, title stripping and case-insensitive matching all work without further wiring.
  • Semver: patch, matching how fix: is treated. security!: escalates to major via Breaking Changes.

Changes

  • src/utils/changelog.ts — one new category inserted in DEFAULT_RELEASE_CONFIG.
  • docs/src/content/docs/configuration.md — Default Configuration YAML snippet updated to include the Security entry so users copy-pasting it as a customization starting point get parity with the real default.
  • New tests (unit + e2e):
    • getBumpTypeForPR for plain, scoped, breaking, scoped-breaking, case-insensitive, and lookalike-rejection cases.
    • stripTitle for the security type (plain + scoped).
    • extractScope for security(auth): and security(auth)!:.
    • End-to-end generateChangesetFromGit cases covering: Security section rendering, ordering (Security above New Features above Bug Fixes), mixed-with-docs: aggregation stays patch, and security!: escalating to Breaking Changes / major.

Verification

  • pnpm test — all new tests pass; 972 total pass. The 7 failures are the pre-existing environment-dependent EDITOR unset failures in src/__tests__/prepare-dry-run.e2e.test.ts (documented in AGENTS.md), unrelated to this change.
  • pnpm lint — clean (only pre-existing warnings in src/utils/git.ts).
  • pnpm build — clean.

Non-goals

  • No change to existing category order or the BUMP_TYPES priority map.
  • No new user-facing config surface; users who want to override the section can already do so via .github/release.yml (the standard readReleaseConfig mechanism).

Adds a dedicated 'Security 🔒' category to the default release config,
positioned between Breaking Changes and New Features. Matches commits
like `security:`, `security(scope):`, `security!:` and
`security(scope)!:`. Non-breaking security commits contribute a
`patch` bump to auto-versioning; breaking variants are still
intercepted by the Breaking Changes category (which is listed first)
and contribute a `major` bump.

Pattern mirrors the existing `feat:`/`fix:` structure exactly, so
scope extraction, title stripping, and case-insensitive matching all
work without further wiring. Users who customize `.github/release.yml`
can override or re-order the new category as usual.
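The first-match categorisation, scope extraction, title stripping and bump aggregation described in the PR, written as an added TypeScript example (not the project's own src/utils/changelog.ts). Only the `security:` pattern is taken from the PR; the other category patterns, the bump ranking and the `none` bump are assumptions for illustration.

```typescript
// Added example, not the project's code. Only the security: pattern is from
// the PR; the other category patterns and the "none" bump are assumptions.
export type Bump = "none" | "patch" | "minor" | "major";

interface Category { name: string; pattern: RegExp; bump: Bump }

// Builds the same shape as the PR's pattern
// ^(?<type>security(?:\((?<scope>[^)]+)\))?!?:\s*) for any type name.
// `breakingOnly` requires the `!` marker, which is how Breaking Changes
// intercepts security!: and feat!: before their own category is reached.
function prefixPattern(type: string, breakingOnly = false): RegExp {
  const bang = breakingOnly ? "!" : "!?";
  return new RegExp(`^(?<type>${type}(?:\\((?<scope>[^)]+)\\))?${bang}:\\s*)`, "i");
}

// Order matters: first match wins. Breaking Changes first (so `!` escalates
// to major), Security above feat:/fix: so it is never swallowed by them.
const CATEGORIES: Category[] = [
  { name: "Breaking Changes 🛠", pattern: prefixPattern("[a-z]+", true), bump: "major" },
  { name: "Security 🔒", pattern: prefixPattern("security"), bump: "patch" },
  { name: "New Features", pattern: prefixPattern("feat"), bump: "minor" },
  { name: "Bug Fixes", pattern: prefixPattern("fix"), bump: "patch" },
];

export interface Classified { category: string | null; scope: string | null; title: string; bump: Bump }

export function classify(subject: string): Classified {
  for (const c of CATEGORIES) {
    const m = c.pattern.exec(subject);
    if (m) {
      // Slicing off the whole `type` group (prefix plus trailing space) leaves the bare title.
      return { category: c.name, scope: m.groups?.scope ?? null, title: subject.slice(m[0].length), bump: c.bump };
    }
  }
  // Lookalikes such as "securityfix:" and unknown types fall through here.
  return { category: null, scope: null, title: subject, bump: "none" };
}

const RANK: Record<Bump, number> = { none: 0, patch: 1, minor: 2, major: 3 };

// The release bump is the highest bump among all commits, so a security:
// commit mixed with docs: commits still yields patch.
export function aggregateBump(subjects: string[]): Bump {
  return subjects.reduce<Bump>((acc, s) => {
    const b = classify(s).bump;
    return RANK[b] > RANK[acc] ? b : acc;
  }, "none");
}
```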
github-actions Bot (Contributor) commented Apr 21, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-04-21 19:47 UTC

@BYK BYK merged commit e56aa0f into master Apr 21, 2026
17 checks passed
@BYK BYK deleted the feat/security-commit-prefix branch April 21, 2026 19:47