chore(ci): adopt Changesets for releases

[masnwilliams]

Summary

Replaces the manual "bump package.json + git tag + git push" flow with a fully PR-driven Changesets pipeline.

Why

We hit four separate friction points on the first few releases (alpha.0 through v0.1.0):

• alpha.1 failed because npm publish requires --tag for hyphenated versions — added a workflow branch.
• alpha.2 failed because release.yaml ran typecheck before build — same bug test.yaml originally had.
• alpha.3 failed because --provenance requires a public GitHub repo and ours is internal.
• Every version-bump commit churned package.json formatting (bun and prettier disagree about array wrapping) → format:check would fail on the next PR.

All of that goes away with Changesets — releases follow the normal PR + status-check + approval flow like any other change.

New flow

1. In a PR that changes published behavior, run bun run changeset and commit the resulting .changeset/<random>.md. Skip for tooling/docs PRs.
2. Merge to main. The bot opens (or updates) a "chore: version packages" PR with bumps + auto-generated CHANGELOG.md.
3. Merge the version PR → bot publishes to npm via OIDC, tags, creates the GitHub release.

No more manual git tag, no package.json edits, no admin-only bypasses to release.

Notable choices

• @changesets/changelog-github so CHANGELOG entries link back to PRs/commits.
• access: public in the changesets config (was the default restricted).
• Demo workspace ignored (private package).
• Added .prettierignore for **/package.json so prettier stops fighting bun + changesets over array formatting — that single setting kills the recurring format churn.
• --provenance still intentionally omitted (repo is internal); flip on when the repo goes public.
• Workflow keeps using OIDC trusted publishing — same npm trusted-publisher registration we already set up.

Adoption note

This PR itself does NOT include a .changeset/*.md because it's a CI/tooling change with no published-package impact. The bot will sit idle after merge until the next code-change PR includes a changeset.

Test plan

• bun run typecheck clean (both packages)
• bun run --filter '@onkernel/managed-auth-react' build clean
• bun run format:check clean
• CI test workflow passes (auto)
• After merge: confirm Release workflow runs and exits cleanly with no Version PR opened (because no pending changesets)
• First subsequent PR with a changeset triggers the bot to open a "chore: version packages" PR

Made with Cursor

---

Note

Medium Risk
Changes the production release pipeline from tag-triggered manual publishing to a Changesets bot workflow on every main push, which could affect publish timing/behavior if misconfigured. No runtime/library code changes, but incorrect CI config could block releases or publish unexpected versions.

Overview
Migrates releases to a Changesets-driven workflow: release.yaml now runs on pushes to main and uses changesets/action to either open/update a single "chore: version packages" PR (version bumps + CHANGELOG.md) or, when no pending changesets remain, run bun run release to build and publish via OIDC.

Adds Changesets configuration (.changeset/config.json + README) and new root scripts (changeset, version-packages, release) including the build+LICENSE copy+changeset publish publish step. Also adds .prettierignore to exclude package.json/lock/build/changelog files from Prettier to avoid format churn, and updates the README to document the new PR-driven release process.

^{Reviewed by Cursor Bugbot for commit ba27171. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: This PR modifies CI/release tooling (Changesets configuration) with no changes to API endpoints or Temporal workflows, which are the specific monitoring targets.

To monitor this PR anyway, reply with @firetiger monitor this.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ba27171. Configure here.}

[cursor]

Missing @changesets/cli and changelog devDependencies break releases

High Severity

The changeset, version-packages, and release scripts all invoke the changeset CLI, and .changeset/config.json references @changesets/changelog-github, but neither @changesets/cli nor @changesets/changelog-github appear in devDependencies (or anywhere in bun.lock). The changesets/action GitHub Action resolves the CLI via require.resolve() from the project's node_modules, so it will fail at runtime. Both packages need to be added to root devDependencies.

Additional Locations (1)

• .changeset/config.json#L2-L6

 

^{Reviewed by Cursor Bugbot for commit ba27171. Configure here.}