ci: migrate release pipeline to Changesets (+ Linear sync, .claude tooling)

.changeset/README.md

@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)

.changeset/config.json

@@ -0,0 +1,17 @@
+{
+  "$schema": "https://unpkg.com/@changesets/config@3.0.5/schema.json",
+  "changelog": [
+    "@changesets/changelog-github",
+    { "repo": "lifinance/widget" }
+  ],
+  "commit": false,
+  "access": "public",
+  "baseBranch": "main",
+  "updateInternalDependencies": "minor",
+  "ignore": [
+    "@lifi/widget-embedded",
+    "@lifi/widget-playground",
+    "@lifi/widget-playground-next",
+    "@lifi/widget-playground-vite"
+  ]
+}

.changeset/migrate-release-pipeline.md

@@ -0,0 +1,2 @@
+---
+---

.changeset/pre.json

@@ -0,0 +1,20 @@
+{
+  "mode": "pre",
+  "tag": "beta",
+  "initialVersions": {
+    "@lifi/wallet-management": "4.0.0-beta.20",
+    "@lifi/widget": "4.0.0-beta.20",
+    "@lifi/widget-embedded": "1.0.0",
+    "@lifi/widget-light": "4.0.0-beta.19",
+    "@lifi/widget-playground": "1.0.0",
+    "@lifi/widget-playground-next": "1.0.0",
+    "@lifi/widget-playground-vite": "1.0.0",
+    "@lifi/widget-provider": "4.0.0-beta.20",
+    "@lifi/widget-provider-bitcoin": "4.0.0-beta.20",
+    "@lifi/widget-provider-ethereum": "4.0.0-beta.20",
+    "@lifi/widget-provider-solana": "4.0.0-beta.20",
+    "@lifi/widget-provider-sui": "4.0.0-beta.20",
+    "@lifi/widget-provider-tron": "4.0.0-beta.20"
+  },
+  "changesets": []
+}

.claude/commands/changeset.md

@@ -0,0 +1,22 @@
+---
+description: Add a Changesets changeset for the changes on the current branch
+---
+
+Add a [Changesets](https://github.com/changesets/changesets) changeset describing the
+changes on the current branch, so this work ships with the right version bump and a
+changelog entry.
+
+Use the **`changeset` skill** to do this. In short:
+
+1. `git fetch origin main` then `git diff --name-only origin/main...HEAD` to see which
+   packages changed.
+2. Map changed files to **publishable** packages (skip private packages and docs-only
+   changes — see the skill's `references/bump-rules.md`).
+3. Choose a bump per package (`feat:` → minor, `fix:` → patch, breaking → major) and
+   write `.changeset/<short-name>.md` in the format from the skill's
+   `references/format.md`.
+
+Only declare the packages you actually changed — dependents bump automatically via the
+internal-dependency cascade.
+
+$ARGUMENTS

.claude/settings.json

@@ -0,0 +1,17 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(pnpm changeset status:*)",
+      "Bash(pnpm changeset --help:*)",
+      "Bash(pnpm exec changeset status:*)",
+      "Bash(git status:*)",
+      "Bash(git diff:*)",
+      "Bash(git log:*)",
+      "Bash(git branch:*)",
+      "Bash(git fetch:*)",
+      "Bash(npm view:*)",
+      "Bash(ls .changeset:*)",
+      "Bash(cat .changeset/*)"
+    ]
+  }
+}

.claude/skills/changeset/SKILL.md

@@ -0,0 +1,55 @@
+---
+name: changeset
+description: >-
+  Author a Changesets changeset (a `.changeset/*.md` file) for the current
+  changes. Use this whenever a change touches publishable library source under
+  `packages/` and is about to be committed or opened as a PR, or whenever the
+  user mentions a changeset, a version bump, release notes, or asks "what bump
+  should this be". This repo uses Changesets (not Lerna/conventional-commit
+  bumps), and CI fails any PR that changes a publishable package without a
+  changeset — so adding one is part of finishing a change, even if the user
+  didn't say "changeset" explicitly.
+---
+
+# Authoring a changeset
+
+This repo releases with **Changesets**: every PR that changes a publishable package
+carries a small `.changeset/*.md` file declaring which packages bump and by how much.
+`changeset version` later consumes those files into per-package `CHANGELOG.md`s and
+version bumps. No changeset → no release for that change; `changeset-bot` comments a
+reminder on the PR (a nudge, not a hard block — the maintainer-reviewed Version PR is the
+real gate). Your job here is to write a correct changeset for the work in progress.
+
+## Steps
+
+1. **See what changed.** Fetch and diff against the base branch:
+   ```bash
+   git fetch origin main
+   git diff --name-only origin/main...HEAD
+   ```
+   (Use the working tree too if changes aren't committed yet: `git status`.)
+
+2. **Map files → packages.** A file under `packages/<dir>/` belongs to that package.
+   Read `references/bump-rules.md` for this repo's **publishable** vs **private/ignored**
+   package list and the dependency graph. Only publishable packages need a changeset.
+
+3. **Decide the bump per package.** `feat:` → **minor**, `fix:` → **patch**, a breaking
+   change → **major**. See `references/bump-rules.md` for the nuances (and why you should
+   *not* list cascade-only dependents).
+
+4. **Write the file.** Create `.changeset/<short-kebab-name>.md` in the exact frontmatter
+   format from `references/format.md`. The summary becomes the changelog line, so write it
+   for a reader of the release notes, not a commit log.
+
+5. **Confirm.** Run `pnpm changeset status` to verify Changesets sees your file and the
+   intended packages bump (including the automatic dependent cascade).
+
+## Key rules (full detail in `references/`)
+
+- **Only declare packages you intentionally changed.** Internal dependents re-release
+  automatically (`updateInternalDependencies: minor`); authoring changesets for them
+  double-counts and produces noisy changelogs.
+- **Skip** docs-only, chore-only, test-only, and private-package-only changes. For a
+  deliberately release-less change, `pnpm changeset --empty`.
+- One changeset can cover multiple packages; use multiple changesets if different parts of
+  the work deserve different changelog entries.

.claude/skills/changeset/references/bump-rules.md

@@ -0,0 +1,49 @@
+# Bump rules — widget
+
+## Bump level
+
+- **`feat:`** (new capability, backwards-compatible) → **minor**
+- **`fix:`** (bug fix, backwards-compatible) → **patch**
+- **breaking change** (removed/renamed export, changed signature, behavior break) → **major**
+
+While the repo is in **pre-beta** (see the `release` skill's `channels.md`), every bump
+lands as `4.0.0-beta.N` regardless of level — but still pick the level that *would* apply
+on the stable line, because it determines the eventual stable bump on `pre exit`.
+
+## Publishable packages (these need a changeset when changed)
+
+- `@lifi/widget`
+- `@lifi/wallet-management`
+- `@lifi/widget-light`
+- `@lifi/widget-provider`
+- `@lifi/widget-provider-bitcoin`
+- `@lifi/widget-provider-ethereum`
+- `@lifi/widget-provider-solana`
+- `@lifi/widget-provider-sui`
+- `@lifi/widget-provider-tron`
+
+> `@lifi/widget-checkout` and `@lifi/widget-provider-mesh` arrive with PR #727; add them
+> here when that lands.
+
+## Private / ignored (NEVER need a changeset)
+
+`@lifi/widget-embedded`, `@lifi/widget-playground`, `@lifi/widget-playground-next`,
+`@lifi/widget-playground-vite`, everything under `examples/` and `e2e/`. These are
+`private: true` and listed in `.changeset/config.json` `ignore`.
+
+## Dependency graph — don't author cascade-only changesets
+
+```
+@lifi/widget-provider
+  ↑ @lifi/widget-provider-{bitcoin,ethereum,solana,sui,tron}
+  ↑ @lifi/wallet-management
+  ↑ @lifi/widget
+@lifi/widget-light   (standalone, zero deps)
+```
+
+`updateInternalDependencies: minor` means when you bump a package, every dependent
+**re-releases automatically** with an updated range. So if you change only
+`@lifi/widget-provider`, declare a changeset for **just** `@lifi/widget-provider` —
+`wallet-management` and `widget` bump on their own. Authoring changesets for those
+dependents double-counts and creates noisy, misleading changelogs. Declare only the
+packages whose *source* you actually edited.

.claude/skills/changeset/references/format.md

@@ -0,0 +1,66 @@
+# Changeset file format
+
+A changeset is a markdown file in `.changeset/` with a YAML frontmatter block mapping
+package names to bump types, followed by a summary that becomes the changelog entry.
+
+## Shape
+
+```markdown
+---
+"@scope/package-a": minor
+"@scope/package-b": patch
+---
+
+A human-readable summary of the change. This text is copied verbatim into each listed
+package's CHANGELOG.md and its GitHub Release, so write it for someone reading release
+notes — what changed and why it matters, not "fix bug".
+```
+
+- **Bump values:** `major`, `minor`, or `patch`.
+- **Filename:** any unique name ending in `.md`. `pnpm changeset` generates a random one
+  (e.g. `fenced-stories-add.md`); a descriptive kebab-case name like
+  `fix-solana-balance-race.md` is also fine.
+- **Multiple packages:** list each on its own frontmatter line. Use **separate** changeset
+  files when distinct changes deserve distinct changelog entries.
+- **Summary:** the first paragraph is the changelog line. Markdown is allowed; keep it
+  tight. Reference a PR/issue if useful — the changelog generator
+  (`@svitejs/changesets-changelog-github-compact`) adds the PR/author links automatically.
+
+## Worked examples
+
+**A fix in one package:**
+```markdown
+---
+"@scope/core": patch
+---
+
+Fix a race where rapid reconnects could drop the active session.
+```
+
+**A feature touching two packages:**
+```markdown
+---
+"@scope/client": minor
+"@scope/react": minor
+---
+
+Add `useFoo()` and the underlying `getFoo()` action for querying foo state.
+```
+
+**A breaking change:**
+```markdown
+---
+"@scope/core": major
+---
+
+Rename `connect()` to `connectWallet()` and drop the deprecated `autoConnect` option.
+Migration: replace `connect(opts)` with `connectWallet(opts)`.
+```
+
+## Lifecycle (why `.changeset/` looks empty on main)
+
+`changeset version` (run by the bot's "chore: version packages" PR) **consumes and
+deletes** every `*.md` changeset, rolling them into version bumps and per-package
+`CHANGELOG.md`s. So between releases, `.changeset/` holds only `config.json`, `README.md`,
+and (if the repo is in pre-mode) `pre.json` — no leftover changeset files. An empty
+`.changeset/` is the normal resting state, not a sign that something was lost.

.github/actions/canary-publish/action.yml

@@ -0,0 +1,73 @@
+name: Canary publish
+description: >-
+  Snapshot-publish changed workspace packages to the npm `canary` dist-tag,
+  comment the install command on the PR, and remove the `release-canary` label.
+
+runs:
+  using: composite
+  steps:
+    # Snapshots are disallowed in Changesets pre mode — exit it in THIS throwaway
+    # checkout only (never committed/pushed). Stable-line repos have no pre.json.
+    - name: Exit pre mode if active (ephemeral)
+      shell: bash
+      run: |
+        if [ -f .changeset/pre.json ]; then
+          echo "Exiting Changesets pre mode for the snapshot (ephemeral, not committed)."
+          pnpm changeset pre exit
+        fi
+
+    - name: Version changed packages as canary
+      shell: bash
+      run: pnpm changeset version --snapshot canary
+
+    - name: Detect canary packages
+      id: detect
+      shell: bash
+      run: |
+        # Every non-private package that `changeset version --snapshot` bumped to a
+        # 0.0.0-canary version — i.e. exactly what will be published.
+        jq -r 'select((.private // false) | not) | select(.version | test("-canary-")) | "\(.name)@\(.version)"' \
+          packages/*/package.json > "$RUNNER_TEMP/canary-pkgs.txt"
+        if [ -s "$RUNNER_TEMP/canary-pkgs.txt" ]; then
+          echo "publish=true" >> "$GITHUB_OUTPUT"
+          echo "Canary versions to publish:"; cat "$RUNNER_TEMP/canary-pkgs.txt"
+        else
+          echo "::warning::No changeset in this PR — nothing to publish as canary."
+          echo "publish=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Build + prerelease transform
+      if: steps.detect.outputs.publish == 'true'
+      shell: bash
+      run: pnpm changeset:prepublish
+
+    - name: Publish canary to npm
+      if: steps.detect.outputs.publish == 'true'
+      shell: bash
+      run: pnpm changeset publish --tag canary --no-git-tag
+      env:
+        NPM_CONFIG_PROVENANCE: true
+
+    - name: Comment the install command on the PR
+      if: steps.detect.outputs.publish == 'true'
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: |
+        {
+          echo "📦 **Canary published** under the \`canary\` dist-tag."
+          echo
+          echo "Install the exact version(s) — \`@canary\` moves with the newest canary across PRs:"
+          echo
+          echo '```bash'
+          while IFS= read -r pkg; do echo "npm i $pkg"; done < "$RUNNER_TEMP/canary-pkgs.txt"
+          echo '```'
+        } > "$RUNNER_TEMP/canary-comment.md"
+        gh pr comment "${{ github.event.pull_request.number }}" --body-file "$RUNNER_TEMP/canary-comment.md"
+
+    - name: Remove the release-canary label (one-shot)
+      if: always()
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
+      run: gh pr edit "${{ github.event.pull_request.number }}" --remove-label release-canary || true

.github/actions/pnpm-install/action.yaml

@@ -1,5 +1,12 @@
 name: 'PNPM install'
-description: 'Run pnpm install with pnpm store cache'
+description: 'Run pnpm install (pnpm store cache on by default)'
+
+inputs:
+  cache:
+    description: >-
+      Use the pnpm store cache. Set "false" in privileged jobs (publish / version
+      PR / canary) so a poisoned cache can't reach a context with publish/write perms.
+    default: 'true'
 
 runs:
   using: 'composite'
@@ -11,7 +18,8 @@ runs:
       with:
         node-version: '24'
         registry-url: 'https://registry.npmjs.org'
-        cache: 'pnpm' # https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#caching-packages-dependencies
+        # '' disables caching entirely (no restore, no save) for privileged jobs.
+        cache: ${{ inputs.cache == 'true' && 'pnpm' || '' }}
     - name: Install dependencies
       env:
         HUSKY: '0' # By default do not run HUSKY install

.github/workflows/deploy.yaml

@@ -5,6 +5,14 @@ on:
     branches:
       - main
 
+# The Changesets release job pushes a "chore: version packages" commit and a
+# publish commit to main, each of which also triggers this deploy. Collapse
+# rapid back-to-back main pushes onto one deploy and supersede any in-flight
+# run so we never race two S3 syncs.
+concurrency:
+  group: deploy-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     permissions:
@@ -15,7 +23,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+        uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
         with:
           role-to-assume: arn:aws:iam::403372804574:role/github-actions
           role-session-name: github-actions-role-session