feat: autoversioned releases via release-please

[znat]

Replaces "type a version number" with conventional-commits-driven version computation. Maintainer keeps the merge gate; bot does the bookkeeping.

How the loop changes

	Before (PR #9 manual flow)	After (this PR)
To release	Actions → Release → enter `1.0.0` → Run	Merge PRs with conventional titles → bot opens "release PR" → review → merge
Version chosen by	You typing a number	release-please reading commit titles since the last tag
CHANGELOG	None	Auto-generated, lives at `CHANGELOG.md`, updated each release

Both paths can coexist. PR #9's `release.yml` (manual) stays as a hotfix escape hatch.

What's added

File	Purpose
`.github/workflows/release-please.yml`	release-please-action v4 + a follow-up job that force-pushes the `v` moving tag (the action doesn't move it by default)
`.github/workflows/lint-pr-title.yml`	`amannn/action-semantic-pull-request@v5` as a non-blocking status check — non-conventional titles surface visibly so they don't silently skip the CHANGELOG
`release-please-config.json`	Single-package config (root is source of truth; workspaces stay at `0.0.0` since they're private and never published). `bump-minor-pre-major: true` keeps `0.x` until the explicit graduation commit
`.release-please-manifest.json`	Bootstrap state at `"0.0.0"`; the bot writes the released version back here on each release

What gets bumped

`package.json` (root) — `version` field updated by the bot in its release PR. Workspaces (`action/package.json`, `site/package.json`) intentionally stay at `0.0.0` because they're `private: true` and never published. CHANGELOG.md is created on first release.

Conventional commit prefixes

Prefix	Effect
`feat:`	Minor bump
`fix:`	Patch bump
`feat!:` or `BREAKING CHANGE:` in body	Major bump
`chore:` `docs:` `test:` `refactor:` `perf:` `ci:` `build:` `style:` `revert:`	No version change, but appears in CHANGELOG sections

Going from 0.x to 1.0.0

Add a commit on `main` whose body contains `Release-As: 1.0.0`. Next release-please run uses that exact version.

Test plan

• `yarn typecheck` clean
• `yarn test` — 94/94 pass
• CI green
• After merge: release-please opens its first "release: vX.Y.Z" PR within ~30s. Diff should show `package.json` version bump + new `CHANGELOG.md`
• Merge that release PR → `vX.Y.Z` tag + `vX` moving tag + GitHub Release all created
• Self-deploy fires on the merge of the release PR; `release: published` event also fires (if PR chore: event-driven self-deploy; README documents both cadences #8 lands first)

Summary by CodeRabbit

• Chores

  • Enabled automated release management with Release Please (automated release PRs, tagging, and major-tag updates)
  • Added PR title validation to enforce conventional commit/PR naming
  • Configured automatic changelog/versioning behavior and weekly Dependabot updates for GitHub Actions

• Documentation

  • Expanded maintainer-facing release instructions detailing the two release flows, versioning rules, tag behavior, and migration to 1.0.0

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Adds CI/CD infrastructure: a release-please automated release workflow (with tag management), a PR-title linting workflow, Release Please config/manifest, Dependabot config for GitHub Actions, and expanded "Releasing (maintainers)" docs in README.

Changes

Release Infrastructure Setup

Layer / File(s)	Summary
Release Manifest & Config .release-please-manifest.json, release-please-config.json	Adds .release-please-manifest.json mapping "." -> "0.0.0" and release-please-config.json for a Node release (package-name gitpulse, CHANGELOG.md, pre-major bump rules).
Release Workflow .github/workflows/release-please.yml	Adds release-please workflow triggered on push to main, sets workflow permissions and concurrency, runs googleapis/release-please-action (pinned) and exposes outputs release_created, tag_name, major.
Tag Management Job .github/workflows/release-please.yml	Adds move-major-tag job gated on release_created == 'true'; checks out full history and force-moves v<major> to the new tag_name, then force-pushes the updated major tag to origin.
PR Title Linting Workflow .github/workflows/lint-pr-title.yml	Adds PR title lint workflow triggered on PR opened, edited, synchronize; runs pinned amannn/action-semantic-pull-request configured with allowed conventional-commit types.
Dependabot .github/dependabot.yml	Adds Dependabot config (version: 2) to update github-actions weekly, using commit-message prefix chore and include: scope.
Documentation README.md	Replaces prior release docs with a “Releasing (maintainers)” section describing automated release-please flow, release PR expectations, Release-As: 1.0.0 guidance, manual hotfix workflow, and branch-protection/tagging notes.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer
  participant GH as GitHub Actions
  participant RP as release-please action
  participant Repo as Repository

  Dev->>GH: merge PR / push to main
  GH->>RP: run release-please with config & manifest
  RP->>GH: outputs (release_created, tag_name, major)
  alt release_created == "true"
    GH->>Repo: checkout full history (move-major-tag)
    GH->>Repo: force-update `v<major>` -> `tag_name`
    Repo->>GH: push updated `v<major>` tag to origin
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I nudged a title, pushed a tag anew,
release-please whispers what the changelog knew.
Dependabot tidies, actions hum on cue,
a small rabbit hops—versions sorted, true. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: autoversioned releases via release-please' clearly and accurately summarizes the primary change: introducing automated versioning and releases through the release-please bot.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/release-please

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-please.yml:
- Around line 13-15: The workflow's permissions block is missing the required
issues permission; update the permissions mapping by adding the key "issues:
write" alongside "contents: write" and "pull-requests: write" under the
permissions section so the release-please action can create/link issues
correctly (modify the permissions block to include the "issues" entry).

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 920c092d-2a6c-49ad-be93-0250868d8f77

📥 Commits

Reviewing files that changed from the base of the PR and between 61a6717 and 575887b.

📒 Files selected for processing (5)

• .github/workflows/lint-pr-title.yml
• .github/workflows/release-please.yml
• .release-please-manifest.json
• README.md
• release-please-config.json

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⛔ CodeRabbit does not have permission to push changes to this repository. Please ensure CodeRabbit has Contents: Read and write permission.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release-please.yml:
- Line 33: Replace the use of the built-in GITHUB_TOKEN in the release-please
job by using a dedicated bot token secret (e.g., change the token entry that
currently reads token: ${{ secrets.GITHUB_TOKEN }} to reference a repo secret
like token: ${{ secrets.RELEASE_PLEASE_TOKEN }}), ensure that the specified
secret exists and contains a Personal Access Token or app token with repo
permissions, and keep the job name/uses (release-please) intact so downstream CI
can be triggered by the created release PRs.
- Line 30: Replace the loose tag "uses: googleapis/release-please-action@v4"
with an immutable commit SHA for the release-please action in both occurrences
so the workflow is pinned to a specific commit (find the latest commit SHA on
the googleapis/release-please-action repo and substitute it into the "uses:"
value); update both instances of the string
"googleapis/release-please-action@v4" and add/ensure Dependabot or Renovate is
configured to automatically propose updates when you want to rotate the pinned
SHAs.

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bc97a45a-0cf0-4f24-a38a-0a63e37394b0

📥 Commits

Reviewing files that changed from the base of the PR and between 575887b and 9bc7b6e.

📒 Files selected for processing (1)

• .github/workflows/release-please.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is GitHub’s current guidance on pinning third-party GitHub Actions by full-length commit SHA versus major tags (e.g., @v4) for supply-chain security?

💡 Result:

GitHub's current guidance strongly recommends pinning third-party GitHub Actions to full-length commit SHAs for optimal supply-chain security, rather than using major version tags like @v4. This is because SHAs provide immutability, preventing attacks where tags are rewritten to point to malicious commits (e.g., incidents like tj-actions/changed-files and aquasecurity/trivy-action). Tags are mutable and can be force-pushed by maintainers or attackers with repo access. For first-party GitHub actions (e.g., actions/checkout), major tags may be acceptable if the creator is trusted, but SHA pinning is still the most secure and recommended practice universally. GitHub provides org/repo policies to enforce SHA pinning, and tools like Dependabot for updates. Add version comments (e.g., # v4) for maintainability. Example: uses: actions/checkout@93cb6ef # v5

Citations:

• 1: https://docs.github.com/en/actions/reference/security/secure-use
• 2: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?learn=getting_started&learnProduct=actions
• 3: https://github.blog/security/supply-chain-security/securing-the-open-source-supply-chain-across-github
• 4: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
• 5: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions

---

🏁 Script executed:

cat -n .github/workflows/release-please.yml | head -50

Repository: znat/gitpulse

Length of output: 1803

---

🏁 Script executed:

rg "uses:" .github/workflows/release-please.yml

Repository: znat/gitpulse

Length of output: 141

---

Pin GitHub Actions to immutable commit SHAs.

On lines 30 and 44, actions are pinned only to @v4. This leaves the release pipeline exposed to upstream tag retargeting risk, where tags can be rewritten to point to malicious commits. Pin to full commit SHAs and rotate via Dependabot/Renovate for automatic updates.

Suggested fix

-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@<full_commit_sha>
...
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-please.yml at line 30, Replace the loose tag
"uses: googleapis/release-please-action@v4" with an immutable commit SHA for the
release-please action in both occurrences so the workflow is pinned to a
specific commit (find the latest commit SHA on the
googleapis/release-please-action repo and substitute it into the "uses:" value);
update both instances of the string "googleapis/release-please-action@v4" and
add/ensure Dependabot or Renovate is configured to automatically propose updates
when you want to rotate the pinned SHAs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For github.com/googleapis/release-please-action@v4, does using GITHUB_TOKEN prevent workflows from triggering on release PR create/update events, and is a PAT/app token recommended when CI must run on release PRs?

💡 Result:

Yes, using the default GITHUB_TOKEN with github.com/googleapis/release-please-action@v4 prevents workflows from triggering on events from the release PRs (create/update) that it creates. This is due to GitHub's default behavior where events triggered by GITHUB_TOKEN do not create new workflow runs to prevent recursive loops. A Personal Access Token (PAT) is recommended in the official documentation if CI workflows must run on those release PRs. Configure the PAT as a repository secret and pass it to the action via the token input (e.g., token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}). GitHub App tokens are also an option (similar to PATs for triggering workflows), though the docs primarily highlight PATs.

Citations:

• 1: http://github.com/GoogleCloudPlatform/release-please-action
• 2: https://github.com/googleapis/release-please-action
• 3: https://github.com/marketplace/actions/release-please-action
• 4: https://github.com/googleapis/release-please-action?tab=readme-ov-file

---

Use a non-GITHUB_TOKEN bot token for release-please PR creation.

On line 33, release-please uses ${{ secrets.GITHUB_TOKEN }}. GitHub prevents workflows from triggering on events created by GITHUB_TOKEN (a default anti-recursion behavior), which will block downstream CI workflows that need to run on release PRs.

Suggested fix

-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}

Use a Personal Access Token or GitHub App token configured as a repository secret instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	token: ${{ secrets.GITHUB_TOKEN }}
	token: ${{ secrets.RELEASE_PLEASE_TOKEN }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-please.yml at line 33, Replace the use of the
built-in GITHUB_TOKEN in the release-please job by using a dedicated bot token
secret (e.g., change the token entry that currently reads token: ${{
secrets.GITHUB_TOKEN }} to reference a repo secret like token: ${{
secrets.RELEASE_PLEASE_TOKEN }}), ensure that the specified secret exists and
contains a Personal Access Token or app token with repo permissions, and keep
the job name/uses (release-please) intact so downstream CI can be triggered by
the created release PRs.

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⛔ CodeRabbit does not have permission to push changes to this repository. Please ensure CodeRabbit has Contents: Read and write permission.

[greptile-apps]

Greptile Summary

This PR introduces release-please-driven automated versioning — replacing the manual version-entry workflow with a conventional-commits-based bot that opens, maintains, and tags release PRs. The implementation is well-structured: third-party actions are SHA-pinned, permissions are scoped tightly, and the GITHUB_TOKEN downstream-trigger trade-off is clearly documented inline.

Confidence Score: 5/5

Safe to merge — one P2 style finding (unpinned actions/checkout@v4) that Dependabot will auto-resolve.

All findings are P2. The only gap is actions/checkout@v4 not yet being SHA-pinned in the move-major-tag job, inconsistent with the PR's own stated policy. Dependabot is already configured to open a follow-up PR for it. No logic, security, or data-correctness issues were found.

release-please.yml — actions/checkout@v4 should be pinned to a SHA for consistency with the rest of the PR's security posture.

Important Files Changed

Filename	Overview
.github/workflows/release-please.yml	Introduces release-please automation with two jobs; third-party action is SHA-pinned but actions/checkout@v4 in move-major-tag (which has contents: write) is still a mutable tag.
.github/workflows/lint-pr-title.yml	Adds PR title linting via amannn/action-semantic-pull-request SHA-pinned; minimal permissions (pull-requests: read); clean.
.github/dependabot.yml	Configures weekly Dependabot updates for GitHub Actions with chore prefix; straightforward and correct.
release-please-config.json	Single-package node config with bump-minor-pre-major: true and bump-patch-for-minor-pre-major: true; correctly matches README docs for pre-1.0 versioning behavior.
.release-please-manifest.json	Bootstrap manifest at "0.0.0"; correct starting point for release-please to track version state.
README.md	Replaces manual release steps with dual-path release docs (release-please + hotfix manual flow); accurately describes both paths and the GITHUB_TOKEN downstream-trigger trade-off.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub (main)
    participant RP as release-please-action
    participant Bot as release-please bot
    participant Tag as move-major-tag job

    Dev->>GH: Push feat:/fix: commit to main
    GH->>RP: Trigger release-please workflow
    RP->>Bot: Compute version bump from commits
    Bot->>GH: Open/update "chore(main): release vX.Y.Z" PR
    Dev->>GH: Review & merge release PR
    GH->>RP: Trigger release-please workflow (merge commit)
    RP->>GH: Create vX.Y.Z tag + GitHub Release
    RP-->>Tag: release_created=true → trigger move-major-tag
    Tag->>GH: git tag -f vX vX.Y.Z && git push --force

Loading

_{Reviews (3): Last reviewed commit: "Merge remote-tracking branch 'origin/mai..." | Re-trigger Greptile}

[znat]

Pushed 7125c2b addressing both reviews:

CodeRabbit (review):

• ✅ Pinned both actions to immutable commit SHAs (5c625bf… for release-please, e32d7e6… for action-semantic-pull-request).
• ✅ Added .github/dependabot.yml watching the github-actions ecosystem weekly so the pins get rotated by PR.
• 💬 On the dedicated bot-token suggestion: kept GITHUB_TOKEN for setup simplicity, documented the trade-off inline in the workflow. The cost is that the release PR's merge / GH Release event won't recursively trigger downstream push / release: published workflows. Acceptable for our setup; a follow-up PAT swap is one line if it ever matters.

Greptile (summary):

• ✅ P1 — flipped bump-patch-for-minor-pre-major from false → true so fix: commits actually trigger patch bumps in 0.x. The README claim was right; the config was the inaccurate one.
• 💬 P2 (issues: write) — kept it; release-please writes the autorelease: pending / autorelease: tagged labels via the issues API. Added a comment in the workflow noting why. CodeRabbit and Greptile gave conflicting advice here; both have a point but issues: write is required for label management even in a minimal config.
• ✅ P2 (action pinning) — same fix as above.

Tests still 94/94 green; no code changed.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/release-please.yml (1)

37-43: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

GITHUB_TOKEN at Line 43 blocks downstream release-triggered workflows.

If you need self-deploy/CI to run from release-please-created push/release events, switch to a PAT/App token secret; otherwise the current setup won’t trigger those workflows.

Suggested fix

-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}

References:

• https://docs.github.com/en/actions/how-tos/writing-workflows/choosing-when-your-workflow-runs/triggering-a-workflow
• https://github.com/googleapis/release-please-action

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-please.yml around lines 37 - 43, The workflow is
using the default GITHUB_TOKEN which prevents downstream workflows from being
triggered; replace token: ${{ secrets.GITHUB_TOKEN }} with a repository secret
holding a fine-grained PAT or App token (e.g. token: ${{ secrets.RELEASE_PAT
}}), ensure that secret has the required scopes/permissions (contents: write and
pull-requests: write or equivalent app permissions), and document the secret
name and required scopes in the workflow comment so maintainers can create the
token in repo settings.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/release-please.yml:
- Around line 37-43: The workflow is using the default GITHUB_TOKEN which
prevents downstream workflows from being triggered; replace token: ${{
secrets.GITHUB_TOKEN }} with a repository secret holding a fine-grained PAT or
App token (e.g. token: ${{ secrets.RELEASE_PAT }}), ensure that secret has the
required scopes/permissions (contents: write and pull-requests: write or
equivalent app permissions), and document the secret name and required scopes in
the workflow comment so maintainers can create the token in repo settings.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 81771b26-1f76-445d-b982-9fa6b2e7a90a

📥 Commits

Reviewing files that changed from the base of the PR and between 9bc7b6e and 7125c2b.

📒 Files selected for processing (4)

• .github/dependabot.yml
• .github/workflows/lint-pr-title.yml
• .github/workflows/release-please.yml
• release-please-config.json