
chore: add release-please automation and replace coana with socket#89

Merged
nicknisi merged 8 commits into main from nicknisi/release-please
Mar 24, 2026

Conversation

@nicknisi nicknisi commented Mar 24, 2026

Summary

  • Add release-please workflow to automate versioning, changelogs, and GitHub releases on push to main
  • Update release workflow to be callable from release-please (replaces manual GitHub release trigger)
  • Add PR title linting to enforce conventional commits (required for release-please)
  • Configure pre-major bump settings for 0.x semver (bump-minor-pre-major, bump-patch-for-minor-pre-major)
  • Replace coana vulnerability analysis workflows with Socket Tier 1 reachability analysis (matches authkit-nextjs)

Test plan

  • Verify SDK_BOT_APP_ID var and SDK_BOT_PRIVATE_KEY secret are available in this repo
  • Verify NODE_AUTH_TOKEN secret is configured for NPM publishing
  • Verify SOCKET_API_KEY secret is configured
  • Merge and confirm release-please creates a release PR on next conventional commit

greptile-apps Bot commented Mar 24, 2026

Greptile Summary

This PR wires up a fully automated release pipeline for authkit-react by adding release-please (versioning, changelog, GitHub releases), PR title linting (conventional commits enforcement), and replacing Coana vulnerability scanning with Socket Tier 1 reachability analysis.

Key changes:

  • release-please.yml: Runs on push to main, uses a GitHub App token (SDK Bot) to create/update release PRs, and calls release.yml via workflow_call when a release is created. secrets: inherit is correctly included.
  • release.yml: Now supports workflow_call in addition to workflow_dispatch; simplifies the publish step to always use --tag latest. The previous conditional pre-release logic (--tag next) has been removed.
  • release-please-config.json / .release-please-manifest.json: Correctly configured for a 0.x package with bump-minor-pre-major and bump-patch-for-minor-pre-major; initial version 0.16.0 matches package.json.
  • lint-pr-title.yml: Uses pull_request_target with minimal pull-requests: read permissions and no code checkout, which is the correct safe pattern for this action.
  • socket-tier1-analysis.yml: Runs a daily socket scan create --reach scan; mirrors the setup in authkit-nextjs.

Confidence Score: 4/5

  • Safe to merge after verifying the required secrets/vars are provisioned; automation is well-structured.
  • Both previously flagged concerns (secrets: inherit and job ID) are resolved in the current file state. The only remaining item is a P2 design note about hardcoding --tag latest, which removes pre-release publishing capability but is not a blocking issue given that release-please is not configured for pre-releases.
  • release.yml — worth a final read to confirm the hardcoded --tag latest aligns with the team's future release strategy.

Important Files Changed

  • .github/workflows/release-please.yml: Adds release-please automation triggered on push to main; uses GitHub App token for bot identity, passes secrets to the called release workflow, and exposes release_created/tag_name outputs.
  • .github/workflows/release.yml: Refactored to support workflow_call in addition to workflow_dispatch; upgrades action versions, simplifies run commands, and consolidates publish step to always use --tag latest, removing separate pre-release handling.
  • .github/workflows/lint-pr-title.yml: New workflow enforcing conventional commit-style PR titles via amannn/action-semantic-pull-request@v5 using pull_request_target with minimal pull-requests:read permission.
  • .github/workflows/socket-tier1-analysis.yml: Replaces coana-analysis.yml with Socket Tier 1 reachability scan; runs daily on schedule or on-demand; distinct_id input marked required but only matters for API dispatch, not schedule triggers.
  • .release-please-manifest.json: Sets initial tracked version to 0.16.0, correctly matching the version field in package.json.
  • release-please-config.json: Configures release-please for a node package at the repo root with bump-minor-pre-major and bump-patch-for-minor-pre-major set, appropriate for a 0.x semver package.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub (main branch)
    participant RP as release-please-action
    participant Bot as SDK Bot (GitHub App)
    participant Release as release.yml
    participant NPM as npm registry

    Dev->>GH: Push conventional commit to main
    GH->>RP: Trigger release-please.yml
    RP->>Bot: Generate GitHub App token
    Bot-->>RP: Token
    RP->>GH: Create/update Release PR (changelog + version bump)
    Note over GH: Developer merges Release PR
    GH->>RP: Trigger release-please.yml again
    RP->>GH: Detect merged release PR → create GitHub Release + tag
    RP-->>RP: release_created = true
    RP->>Release: Call release.yml (secrets: inherit)
    Release->>GH: actions/checkout@v6
    Release->>Release: npm install + npm run build
    Release->>NPM: npm publish --tag latest --provenance --no-git-checks

Reviews (2): Last reviewed commit: "fix: add secrets inherit and fix publish..."
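The review above notes that release-please-config.json enables bump-minor-pre-major and bump-patch-for-minor-pre-major for a package that is still on 0.x. What those two keys actually do to the next version is easier to see in code than in prose. The following is an added example written for this review; it is not code from authkit-react or from release-please, and it models only the documented bump rules for breaking changes, feat and fix. How release-please treats a commit set made up solely of other types (chore, docs, ci) is deliberately left out: the function below returns None for those, which is a simplifying assumption of this example and not a claim about release-please.

```python
"""Next-version calculation for conventional commits under release-please's
pre-1.0 flags (bump-minor-pre-major, bump-patch-for-minor-pre-major).

Added example written for this review; it is not code from authkit-react or
from release-please. It models the documented bump rules only.
"""
import re
from typing import Iterable, Optional

# Conventional-commit header: `type(optional scope)!: description`
HEADER_RE = re.compile(r"^(?P<type>[a-z]+)(?:\([^)]*\))?(?P<bang>!)?:\s")
# A breaking change may also be declared in the body/footer.
BREAKING_FOOTER_RE = re.compile(r"^BREAKING[ -]CHANGE:", re.MULTILINE)


def classify(message: str) -> str:
    """Map one commit message to 'major', 'minor', 'patch' or 'none'."""
    header = message.splitlines()[0] if message.strip() else ""
    m = HEADER_RE.match(header)
    if not m:
        return "none"          # not a conventional commit (e.g. a merge commit)
    if m.group("bang") or BREAKING_FOOTER_RE.search(message):
        return "major"
    if m.group("type") == "feat":
        return "minor"
    if m.group("type") == "fix":
        return "patch"
    # Simplifying assumption for this example: other types (chore, docs, ci...)
    # do not produce a release. This is not a statement about release-please's
    # own handling of such commits.
    return "none"


def next_version(current: str, messages: Iterable[str], *,
                 bump_minor_pre_major: bool = False,
                 bump_patch_for_minor_pre_major: bool = False) -> Optional[str]:
    """Return the next version, or None when nothing in `messages` is releasable.

    The two keyword flags only apply while the major version is 0, mirroring
    the release-please-config.json keys of the same name.
    """
    major, minor, patch = (int(part) for part in current.split("."))
    levels = {classify(m) for m in messages}
    if "major" in levels:
        bump = "major"
    elif "minor" in levels:
        bump = "minor"
    elif "patch" in levels:
        bump = "patch"
    else:
        return None

    if major == 0:
        if bump == "major" and bump_minor_pre_major:
            bump = "minor"          # breaking change on 0.x -> 0.(y+1).0
        elif bump == "minor" and bump_patch_for_minor_pre_major:
            bump = "patch"          # feature on 0.x -> 0.y.(z+1)

    if bump == "major":
        return f"{major + 1}.0.0"
    if bump == "minor":
        return f"{major}.{minor + 1}.0"
    return f"{major}.{minor}.{patch + 1}"


if __name__ == "__main__":
    # Constructed commit headers, starting from the 0.16.0 tracked in the PR's manifest.
    flags = dict(bump_minor_pre_major=True, bump_patch_for_minor_pre_major=True)
    for commits in (["fix: handle expired token"],
                    ["feat: add refresh hook"],
                    ["feat!: drop legacy provider"]):
        print(commits, "->", next_version("0.16.0", commits, **flags))
```

With both flags set, a `fix` and a `feat` both move 0.16.0 to 0.16.1, and only a breaking change reaches 0.17.0; without the flags the same `feat!` would publish 1.0.0. This is also why the PR title lint matters when squash-merging: the PR title becomes the commit header on main, and a title that is not a conventional commit is invisible to this calculation.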

@nicknisi nicknisi changed the title chore: add release-please automation chore: add release-please automation and replace coana with socket Mar 24, 2026
@nicknisi (Member, Author) commented

@greptileai

@gjtorikian left a comment

Same comment as elsewhere:

  • we should add renovate.json here (a la node) to update deps. I think the bot is already installed?
  • I think we absolutely need to run pinact run to pin all the GitHub Actions to a specific SHA. Yet another GitHub Actions tag attack occurred and pinning to a SHA is no longer a best practice, but outright necessary.
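Two points in this thread are mechanically checkable: the pinning of every `uses:` reference to a full commit SHA that gjtorikian asks for, and the review's observation that a pull_request_target workflow is only safe when it does not check out code. The following is an added example written for this review, not code from authkit-react and not pinact itself. It is a line-oriented pass over workflow YAML (a heuristic, not a YAML parser), it flags both conditions, and it rewrites unpinned references from a caller-supplied tag-to-SHA map, recording the original tag as a trailing comment the way pinning tools do. The two sample workflows and the SHA in the map are constructed for the example; the first is modelled on the lint-pr-title workflow as described in the review and is not the repository's actual file.

```python
"""Audit GitHub Actions workflows for unpinned actions and for
pull_request_target jobs that check out code.

Added example, not code from authkit-react or from pinact. Line-oriented on
purpose so it runs with the standard library only; it is a heuristic, not a
YAML parser.
"""
import re
from typing import Dict, List, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo(/path)@ref`, optionally preceded by `- `, with any trailing text.
# Local actions (./path) and docker:// images carry no `@ref` and are not matched.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every `uses:` whose ref is not a 40-hex SHA."""
    findings = []
    for no, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((no, m.group("action"), m.group("ref")))
    return findings


def uses_pull_request_target(workflow: str) -> bool:
    """True if the trigger section mentions pull_request_target (comments ignored)."""
    return any(
        re.search(r"\bpull_request_target\b", line.split("#", 1)[0])
        for line in workflow.splitlines()
    )


def checks_out_code(workflow: str) -> bool:
    """True if any step uses actions/checkout, at any ref."""
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and m.group("action") == "actions/checkout":
            return True
    return False


def audit(workflow: str) -> List[str]:
    """Human-readable findings for one workflow file."""
    msgs = [f"line {no}: {action}@{ref} is not pinned to a commit SHA"
            for no, action, ref in find_unpinned(workflow)]
    if uses_pull_request_target(workflow) and checks_out_code(workflow):
        msgs.append("pull_request_target workflow checks out code: the job runs with "
                    "base-repository secrets, so the PR head must not be checked out "
                    "or executed here")
    return msgs


def pin(workflow: str, resolved: Dict[Tuple[str, str], str]) -> str:
    """Rewrite unpinned refs using resolved[(action, ref)] -> sha, keeping the tag as a comment.

    `resolved` must be built by the caller (e.g. from `git ls-remote --tags`);
    this function performs no network access. Any existing trailing comment on a
    rewritten line is replaced by the original tag.
    """
    out = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            sha = resolved.get((m.group("action"), m.group("ref")))
            if sha:
                line = f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample, modelled on the lint-pr-title workflow described in the
# review; it is not the repository's actual file.
LINT_PR_TITLE = """\
name: Lint PR title
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed counter-example: the unsafe shape, a pull_request_target job that
# checks out the PR head and runs its code with the base repo's secrets.
UNSAFE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Placeholder SHA for the example; it is not the real commit behind any tag.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"

if __name__ == "__main__":
    for name, wf in (("lint-pr-title (safe shape)", LINT_PR_TITLE), ("unsafe shape", UNSAFE)):
        print(name)
        for msg in audit(wf):
            print("  ", msg)
    print(pin(LINT_PR_TITLE, {("amannn/action-semantic-pull-request", "v5"): FAKE_SHA}))
```

The safe workflow produces one finding (the unpinned `@v5`) and the unsafe one produces two. To build the `resolved` map for real, list the tag with `git ls-remote --tags https://github.com/<owner>/<repo>` and take the commit it currently points at, or let pinact do the resolution; a moving major tag such as `v5` is exactly what a tag-retargeting attack exploits, which is why the SHA, not the tag, must be what the workflow executes. The retained `# v5` comment is what lets a dependency bot such as Renovate bump the SHA and the version comment together afterwards.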

@nicknisi nicknisi merged commit 314cc12 into main Mar 24, 2026
3 checks passed
@nicknisi nicknisi deleted the nicknisi/release-please branch March 24, 2026 19:01


2 participants