
chore: add release-please for automated releases#34

Open

nicknisi wants to merge 2 commits into main from chore/release-please

Conversation

@nicknisi (Member) commented May 15, 2026

Summary

  • Adds release-please config and GitHub Actions workflow, matching the authkit-tanstack-start setup
  • Updates release.yml to trigger via workflow_call (from release-please) instead of release: published (manual GitHub releases)
  • Adds PR title linting via action-semantic-pull-request, matching authkit-nextjs
  • Manifest seeded at current version 0.5.1

What changes

| File | Change |
|---|---|
| release-please-config.json | New — node release type, bump-minor-pre-major |
| .release-please-manifest.json | New — seeded at 0.5.1 |
| .github/workflows/release-please.yml | New — runs on push to main, uses SDK bot token, chains into release.yml on release |
| .github/workflows/release.yml | Trigger changed from release: published → workflow_call + workflow_dispatch |
| .github/workflows/lint-pr-title.yml | New — enforces conventional commit PR titles via action-semantic-pull-request v6 |

Pinned action versions

| Action | Version | SHA |
|---|---|---|
| googleapis/release-please-action | v5.0.0 | 45996ed1... |
| actions/create-github-app-token | v3.2.0 | bcd2ba49... |
| amannn/action-semantic-pull-request | v6.1.1 | 48f25628... |

Prerequisites

  • SDK_BOT_APP_ID var and SDK_BOT_PRIVATE_KEY secret must be configured in the repo settings (same as authkit-tanstack-start)

Test plan

  • Verify SDK_BOT_APP_ID and SDK_BOT_PRIVATE_KEY are set in repo settings
  • Merge this PR → release-please should create its first release PR on the next conventional commit
  • Merging a release PR should trigger the publish workflow
  • PR title linting should reject non-conventional titles

Replaces the manual release flow with release-please, matching the
authkit-tanstack-start configuration. Modifies release.yml to be
callable via workflow_call from the new release-please workflow.
@devin-ai-integration (Contributor, bot) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

@greptile-apps (bot) commented May 15, 2026

Greptile Summary

This PR introduces automated releases via release-please, replacing the manual GitHub-release–triggered publish flow with a bot-driven PR workflow that chains into the existing release.yml reusable workflow.

  • release-please.yml: Runs on every push to main, generates a GitHub App token for the SDK bot, invokes googleapis/release-please-action, and calls release.yml when a release is created.
  • release.yml: Trigger changed from release: published to workflow_call + workflow_dispatch; the pre-release / latest tag conditional publish steps are collapsed into a single unconditional --tag latest publish.
  • lint-pr-title.yml and release-please-config.json / .release-please-manifest.json: New support files seeding the version at 0.5.1 and enforcing conventional-commit PR title linting.

Confidence Score: 4/5

The release pipeline wiring is largely correct, but the publish job will not receive the npm authentication secret it needs when invoked via workflow_call, and the pre-release tagging guard has been removed — both of which affect the first real release attempt.

The core release orchestration is sound and the config files are correct. However, the reusable-workflow call in release-please.yml does not forward secrets to release.yml, so any secret-dependent publish step (e.g. NODE_AUTH_TOKEN) will be unavailable at runtime. Additionally, the explicit pre-release / latest conditional was dropped, meaning a manually dispatched run from a pre-release branch would publish under the latest dist-tag.

.github/workflows/release-please.yml and .github/workflows/release.yml — the secret-forwarding and dist-tag logic live here.

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/release-please.yml | New workflow orchestrating release-please on push to main; chains into release.yml via workflow_call but does not pass secrets or inputs to the callee |
| .github/workflows/release.yml | Trigger changed from release:published+workflow_dispatch to workflow_call+workflow_dispatch; pre-release tag guard removed so all publishes land on the latest dist-tag |
| .github/workflows/lint-pr-title.yml | New workflow linting PR titles for conventional commits; uses pull_request_target safely (no code checkout, permissions restricted to pull-requests:read) |
| release-please-config.json | New release-please config; node release type with bump-minor-pre-major and default versioning — straightforward and correct |
| .release-please-manifest.json | Manifest seeded at current package version 0.5.1 — matches expected starting point |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub (main branch)
    participant RPW as release-please.yml
    participant RP as release-please-action
    participant RW as release.yml
    participant NPM as npm Registry

    Dev->>GH: Push conventional commit to main
    GH->>RPW: Trigger on push
    RPW->>RPW: Generate SDK bot GitHub App token
    RPW->>RP: Run release-please-action (with bot token)
    alt No release needed
        RP-->>RPW: "release_created = false"
        RPW-->>GH: Update/create Release PR
    else Release created
        RP-->>RPW: "release_created = true"
        RPW->>RW: workflow_call (publish job)
        RW->>RW: checkout, pnpm install, build
        RW->>NPM: pnpm publish --tag latest --provenance
    end
```

Comment on lines +31 to +34 of .github/workflows/release-please.yml:

```yaml
  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    uses: ./.github/workflows/release.yml
```

P1 Missing secrets: inherit in reusable workflow call

When a reusable workflow is invoked via workflow_call, GitHub does not automatically pass repository secrets to the callee — secrets must be explicitly forwarded with secrets: inherit (or enumerated in a secrets: block). If release.yml relies on any secret (e.g. an NPM_TOKEN / NODE_AUTH_TOKEN for npm authentication), the publish job will fail with an auth error on every release-please-triggered release, silently not publishing the package.

@nicknisi (Member, Author) replied:

Not needed — this repo uses npm trusted publishing (OIDC) via the id-token: write permission + --provenance flag. There is no NPM_TOKEN secret to inherit. Same pattern as authkit-tanstack-start.

Comment on lines +37 to +38 of .github/workflows/release.yml:

```yaml
      - name: Publish
        run: pnpm publish --tag latest --access=public --provenance --no-git-checks
```

P1 Pre-release version always published as latest

The old workflow conditionally used --tag next when the triggering GitHub release was marked as a pre-release. That guard is now removed — every publish, including one triggered manually via workflow_dispatch on a branch that has a pre-release version string (e.g. 0.6.0-alpha.1), will land on npm as --tag latest. Users who run npm install authkit-session (or any tool that resolves latest) would receive the pre-release build.

Suggested change:

```diff
-      - name: Publish
-        run: pnpm publish --tag latest --access=public --provenance --no-git-checks
+      - name: Publish
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          if [[ "$VERSION" == *"-"* ]]; then
+            pnpm publish --tag next --access=public --provenance --no-git-checks
+          else
+            pnpm publish --tag latest --access=public --provenance --no-git-checks
+          fi
```

@nicknisi (Member, Author) replied:

Release-please controls what versions get published — pre-release versions only land if explicitly configured in release-please. The workflow_dispatch path is a manual escape hatch, not a regular flow. This matches authkit-tanstack-start which also uses unconditional --tag latest.
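The dist-tag guard the review suggests above, as an added stand-alone shell example that is not code from this PR or from the project: it generalises the `*"-"*` check to the full semver grammar, so build metadata (`+...`) alone does not route a release to `next`, and a version string that is not semver is refused rather than published under `latest`. The sample versions at the bottom are constructed; the publish command is echoed, not executed.

```shell
#!/bin/sh
# Added example (not from the PR): map a package version to the npm dist-tag
# it should be published under. Semver pre-releases ("-" after X.Y.Z) go to
# "next"; build metadata ("+...") on its own is still a normal release;
# anything that is not semver is rejected so a malformed package.json can
# never land on "latest" by accident.
dist_tag_for_version() {
  v="$1"
  # Validate the full semver shape: X.Y.Z[-prerelease][+build]
  if ! printf '%s\n' "$v" | grep -Eq \
      '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'; then
    echo "invalid version: $v" >&2
    return 1
  fi
  core="${v%%+*}"            # drop build metadata before testing for "-"
  case "$core" in
    *-*) echo next ;;
    *)   echo latest ;;
  esac
}

# Build the publish command for a version; the flags match the workflow's
# Publish step. The command is only echoed here so the script is safe to run.
publish_command_for_version() {
  tag=$(dist_tag_for_version "$1") || return 1
  echo "pnpm publish --tag $tag --access=public --provenance --no-git-checks"
}

# Constructed sample versions exercising each branch.
for sample in 0.6.0 0.6.0-alpha.1 1.0.0+build.5 1.0.0-rc.1+sha.abc 0.6; do
  if cmd=$(publish_command_for_version "$sample" 2>/dev/null); then
    echo "$sample -> $cmd"
  else
    echo "$sample -> refused (not semver)"
  fi
done
```

In a workflow the version would come from `node -p "require('./package.json').version"` as in the suggestion; the function above takes it as an argument so it can be tested without node.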

- release-please-action v4 → v5 (node24 upgrade)
- create-github-app-token v2 → v3
- action-semantic-pull-request v6 (new workflow, matches authkit-nextjs)