Releases automated via conventional commit titles
Maintainers no longer manually type version numbers. A bot now reads conventional commit titles, computes the bump, and opens a release PR for review—CHANGELOG included.
Release bookkeeping is now automated. Maintainers previously had to manually type version numbers into a GitHub Actions form to trigger a release. In this new flow, conventional commit titles do the work: a feat: commit bumps the minor version, a fix: bumps the patch, and a BREAKING CHANGE: triggers a major bump. A separate workflow validates PR titles against the conventional commit spec, surfacing non-conforming titles as a visible warning since they would otherwise silently skip the changelog. When enough conventional commits land on main, release-please opens a PR titled "chore(main): release vX.Y.Z" containing the updated package.json version and a generated CHANGELOG.md. The maintainer reviews and merges, which triggers tag creation, a GitHub Release, and automatic movement of the major-version pointer so consumers pinning @v1 automatically receive non-breaking upgrades. For hotfixes or edge cases where maintainers need explicit control, the previous manual release workflow remains available as an escape hatch. Third-party GitHub Actions are pinned to immutable commit SHAs rather than mutable tags, with Dependabot opening weekly PRs to rotate them—this balances security with automated updates. The change lives entirely in the release pipeline and CI configuration.