feat: add changesets, oxfmt, renovate #1

Merged: stipsan merged 2 commits into main from setup-pnpm-changesets on Nov 20, 2025

Conversation

@stipsan (Member) commented Nov 20, 2025

No description provided.

Copilot AI review requested due to automatic review settings November 20, 2025 12:27
@changeset-bot (Bot) commented Nov 20, 2025

⚠️ No Changeset found

Latest commit: 8fa17d1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security (Bot) commented Nov 20, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                             Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  @changesets/changelog-github@0.5.1  100                     100             67        88            100
Added  oxfmt@0.14.0                        90                      100             88        95            100
Added  typescript@5.9.3                    100                     100             90        100           90
Added  @changesets/cli@2.29.7              97                      100             100       93            100

View full report

@socket-security (Bot) commented Nov 20, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn   Severity: High   Alert: License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement (package/ThirdPartyNoticeText.txt)

From: package.json (npm/typescript@5.9.3)

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • safer-buffer@2.1.2

View full report

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR sets up tooling infrastructure for a monorepo, including changesets for version management, oxfmt for code formatting, and Renovate for automated dependency updates.

Key Changes:

  • Added changesets configuration for managing releases and changelogs
  • Configured oxfmt as the code formatter with custom formatting rules
  • Set up Renovate bot with GitHub Actions workflows for automated dependency updates

Reviewed Changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.

Summary per file:

  • pnpm-workspace.yaml: Configures pnpm workspace with TypeScript catalog, release age policies, and trust policies for dependencies
  • package.json: Adds root package configuration with oxfmt and changesets dependencies, format and release scripts
  • .oxfmtrc.jsonc: Configures oxfmt formatter settings including print width, quotes, and ignore patterns
  • .github/workflows/renovate.yml: Workflow to automatically add changesets to Renovate dependency update PRs
  • .github/workflows/release.yml: Workflow to handle releases using changesets on main branch pushes
  • .github/workflows/format-if-needed.yml: Workflow to automatically format code when pushed to main
  • .github/renovate.json: Configures Renovate bot with extended presets and ignored rules
  • .editorconfig: Sets editor configuration for consistent formatting across IDEs
  • .changeset/config.json: Configures changesets behavior including changelog format and internal dependency handling
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread .editorconfig Outdated
@@ -0,0 +1,16 @@
; editorconfig.org
root = true
charset= utf8
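Review bot: `charset= utf8` on the last visible line is not a value EditorConfig recognizes; the specification's accepted charset values are `latin1`, `utf-8`, `utf-8-bom`, `utf-16be` and `utf-16le`, so editors will silently ignore this key as written. Suggest `charset = utf-8`, which also puts the conventional space before the equals sign.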
Copilot AI, Nov 20, 2025:

Missing space before the equals sign. Should be charset = utf8 to follow standard EditorConfig formatting.

Comment thread pnpm-workspace.yaml
- groq@3.88.1-typegen-experimental.0
- reselect@5.1.1
- rxjs@7.8.2
- semver@5.7.2 || 6.3.1
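Review bot: the `||` in `semver@5.7.2 || 6.3.1` is the standard semver range alternation operator, so the entry names an exact-version pair rather than an open range; what the visible lines lack is a comment on each excluded package saying which dependency pins that version and why it needs an exemption from the trust policy. Suggest annotating each entry (for example `- semver@5.7.2 || 6.3.1 # pulled in by <dependency>`, with `<dependency>` as a placeholder) so the exclusions can be revisited and dropped once upstream publishes versions that satisfy the policy, instead of accumulating in the workspace file indefinitely.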
Copilot AI, Nov 20, 2025:

The trust policy exclusion uses an OR operator ('||') in the version specification, which is unusual syntax for this context. Verify this is valid pnpm trust policy syntax. Consider splitting into separate entries if this doesn't work as intended.

Suggested change
- semver@5.7.2 || 6.3.1
- semver@5.7.2
- semver@6.3.1

@stipsan (Member, Author) replied:
This is incorrect

@stipsan (Member, Author) commented Nov 20, 2025

@SocketSecurity ignore npm/safer-buffer@2.1.2

Copilot AI review requested due to automatic review settings November 20, 2025 12:30
Copilot AI (Contributor) left a comment

Pull Request Overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread pnpm-workspace.yaml
- groq@3.88.1-typegen-experimental.0
- reselect@5.1.1
- rxjs@7.8.2
- semver@5.7.2 || 6.3.1
Copilot AI, Nov 20, 2025:

The trust policy exclude pattern uses '||' which is not standard YAML syntax for version ranges. This should likely be separate entries or use pnpm's version range syntax.

Suggested change
- semver@5.7.2 || 6.3.1
- semver@5.7.2
- semver@6.3.1

release:
uses: sanity-io/.github/.github/workflows/changesets.yml@main
permissions:
contents: read # for checkout
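Review bot: the `uses:` line references the reusable workflow at the mutable ref `@main`, so any change pushed to `sanity-io/.github` takes effect in this repository's release job immediately and without review here; pinning to a full commit SHA (or at minimum a release tag) with a comment naming the version makes the release pipeline's dependency reviewable and reproducible. On the `permissions` block: for a reusable workflow, the caller job's `permissions` is the ceiling for the called workflow's `GITHUB_TOKEN`, so `contents: read` is only sufficient if `changesets.yml` creates the release and the version PR with a separate token passed through `secrets`; if it relies on `GITHUB_TOKEN`, it will need `contents: write` and `pull-requests: write` granted here. Worth confirming which applies and recording it in the `# for ...` comment rather than leaving `# for checkout` as the only rationale.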
Copilot AI, Nov 20, 2025:

The release workflow requires write permissions to contents to create releases and update changelogs, but only has read permissions specified. This will prevent the workflow from completing its intended release operations.

Suggested change
contents: read # for checkout
contents: write # for release creation and changelog updates

@stipsan stipsan merged commit 3f23ea7 into main Nov 20, 2025
2 checks passed
@stipsan stipsan deleted the setup-pnpm-changesets branch November 20, 2025 12:31