@gnapse gnapse commented Aug 19, 2025

Summary

  • Migrates from Release Please to semantic-release for automated releases
  • Removes the non-approved third-party action amannn/action-semantic-pull-request (fixes Use of non-approved third-party GitHub Actions #46)
  • Implements PR title validation using official GitHub Actions and commitlint

Changes

  • ✅ Removed all Release Please configuration files and workflows
  • ✅ Removed amannn/action-semantic-pull-request workflow
  • ✅ Added semantic-release with conventionalcommits preset
  • ✅ Added commitlint for PR title validation (uses only official GitHub Actions)
  • ✅ Configured release workflow to trigger after CI validation passes
  • ✅ Followed configuration patterns from the typist repository

Benefits

  • Faster releases: Automatic release on every merge to main (no PR review needed)
  • Tier 1 compliance: Uses only official GitHub Actions for PR validation
  • Proven approach: Follows the same pattern used in typist repository
  • Better automation: Releases happen immediately after CI passes

Test Plan

  • PR title validation workflow runs successfully
  • CI workflow completes successfully
  • After merge, semantic-release workflow triggers and creates a release
  • NPM package is published correctly

Migration Notes

After merging this PR:

  1. Ensure the NPM_TOKEN secret is properly configured in the repository
  2. Future PRs must use conventional commit format in their titles
  3. Releases will happen automatically - no manual intervention needed

@gnapse gnapse requested a review from rfgamaral August 19, 2025 21:50
- Remove Release Please configuration and workflows
- Remove amannn/action-semantic-pull-request (addresses issue #46)
- Add semantic-release with conventional commits preset
- Add commitlint for PR title validation using official GitHub Actions
- Configure release workflow to trigger after CI validation
- Match configuration patterns from typist repository

BREAKING CHANGE: Release process now uses semantic-release instead of Release Please. Releases will be triggered automatically on merge to main after CI passes.
@gnapse gnapse force-pushed the feat/migrate-to-semantic-release branch from 5a47b5f to 5242992 Compare August 19, 2025 21:50
@gnapse gnapse changed the title from "feat: migrate from Release Please to semantic-release" to "chore: migrate from Release Please to semantic-release" Aug 19, 2025
@gnapse gnapse self-assigned this Aug 19, 2025
@gnapse gnapse added the Ask PR is shipped after review label Aug 19, 2025
run: npm run build

- name: Release
id: semantic-release
Member

We can remove this, it's not being used.

Suggested change
id: semantic-release

- name: Release
id: semantic-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Member

In Typist we are using secrets.GH_REPO_TOKEN, which comes from organization secrets. I don't see that one in this repo's secrets. Not sure if I'm missing permissions, or it's just not there for some reason. But I would suggest using the same token to avoid issues.

Member

I would also suggest we add the following env vars:

GIT_AUTHOR_EMAIL: [email protected]
GIT_AUTHOR_NAME: Doist Bot
GIT_COMMITTER_EMAIL: [email protected]
GIT_COMMITTER_NAME: Doist Bot

Comment on lines +12 to +17
permissions:
contents: write
issues: write
pull-requests: write
packages: write
id-token: write
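Review bot: `packages: write` in this block is broader than the release needs: the review discussion on this page says the package is not published to GitHub Packages, so that scope can be dropped. The block also sits above `jobs:`, so every job in the workflow inherits all five write scopes; moving `permissions:` onto the release job keeps `id-token: write` and `contents: write` away from any job added later.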
Member

Just so it's clear what these are for.

Suggested change
permissions:
contents: write
issues: write
pull-requests: write
packages: write
id-token: write
permissions:
# Enable the use of OIDC for npm provenance
id-token: write
# Enable the use of GitHub Packages registry
packages: write
# Enable `semantic-release` to publish a GitHub release and post comments on issues/PRs
contents: write
issues: write
pull-requests: write

packages: write
id-token: write

jobs:
Member

It's important we add this for the reasons mentioned in the comment (although we are not publishing this to GH Packages, I still think it's important to prevent a release in progress from being cancelled):

Suggested change
jobs:
# The release workflow involves many crucial steps that once triggered it shouldn't be cancelled
# until it's finished, otherwise we might end up in an inconsistent state (e.g., a new release
# published to npm but not GitHub Packages). To prevent this, concurrency is disabled with
# `cancel-in-progress: false`, and new workflow runs will be queued to be started only when the
# previous one has completely finished.
concurrency:
group: todoist-ai-package-release
cancel-in-progress: false
jobs:

Comment on lines +1 to +27
name: PR Title Lint

on:
pull_request:
types:
- opened
- edited
- synchronize

jobs:
lint-pr-title:
name: Lint PR Title
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'

- name: Install commitlint
run: npm install @commitlint/cli @commitlint/config-conventional

- name: Lint PR title
run: echo "${{ github.event.pull_request.title }}" | npx commitlint No newline at end of file
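Review bot: The last step, `echo "${{ github.event.pull_request.title }}" | npx commitlint`, expands the PR title into the script text before the shell runs, so a title containing a double quote, backtick or `$(...)` is interpreted as shell syntax instead of being linted as text. The title is controlled by the PR author, so pass it through the environment instead: set `env: PR_TITLE: ${{ github.event.pull_request.title }}` on the step and run `printf '%s\n' "$PR_TITLE" | npx commitlint`.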
Member

This is mentioned in the PR description:

Removes the non-approved third-party action amannn/action-semantic-pull-request

However, the version that Typist is using has been validated and approved, so I think we can safely use that one:

Suggested change
name: PR Title Lint
on:
pull_request:
types:
- opened
- edited
- synchronize
jobs:
lint-pr-title:
name: Lint PR Title
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 'lts/*'
- name: Install commitlint
run: npm install @commitlint/cli @commitlint/config-conventional
- name: Lint PR title
run: echo "${{ github.event.pull_request.title }}" | npx commitlint
name: Semantic Pull Request
on:
pull_request_target:
types:
- edited
- opened
- synchronize
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
validate-title:
name: Validate Title
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Validate pull request title
uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb

This keeps the workflow consistent with the Typist one, which doesn't need to check out the repo and setup Node (slower).
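Review bot: The suggested replacement triggers on `pull_request_target` and exports `GITHUB_TOKEN` at workflow level without a `permissions:` block, so the token carries the repository's default scopes in the base-repository context. Title validation only reads PR metadata, so adding `permissions:` with `pull-requests: read` to the workflow should be sufficient and limits the token to that. Pinning the action to a full commit SHA, as done here, is worth keeping, and the job should continue not to check out PR code under this trigger.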

Comment on lines +25 to +32
"@semantic-release/github",
[
"@semantic-release/exec",
{
"verifyConditionsCmd": "echo \"package-published=false\" >> $GITHUB_OUTPUT",
"successCmd": "echo \"package-published=true\" >> $GITHUB_OUTPUT"
}
]
Member

This is only required if we are publishing to npm and GH Packages in the same GH workflow, which we are not currently doing in this repo.

Suggested change
"@semantic-release/github",
[
"@semantic-release/exec",
{
"verifyConditionsCmd": "echo \"package-published=false\" >> $GITHUB_OUTPUT",
"successCmd": "echo \"package-published=true\" >> $GITHUB_OUTPUT"
}
]
"@semantic-release/github"

uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
Member

Like I mentioned below, we are using the secrets.GH_REPO_TOKEN for this token in Typist, and I have a feeling these tokens are the difference between a successful release and a failed one. I would look into using GH_REPO_TOKEN from the organization secrets in both these instances.

Member

If we go with amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb as mentioned above, we can delete this file as it's no longer needed.

Comment on lines +55 to +56
"@commitlint/cli": "^19.8.1",
"@commitlint/config-conventional": "^19.8.1",
Member

If we go with amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb as mentioned above, we don't need these dependencies.

We do need conventional-changelog-conventionalcommits, which is missing from this file but needed in the .releaserc.json configuration.

"@commitlint/cli": "^19.8.1",
"@commitlint/config-conventional": "^19.8.1",
"@semantic-release/changelog": "^6.0.3",
"@semantic-release/exec": "^7.1.0",
Member

If we go with my suggestion to remove @semantic-release/exec from .releaserc.json, we can also remove this.


Development

Successfully merging this pull request may close these issues.

  • Use of non-approved third-party GitHub Actions
  • Release-Please v4 publish workflow not triggering automatically - requires manual re-tagging
