feat(build): integrate release-please bot with GitHub App auth and CI gating (#139)

* feat(build): add release-please bot with GitHub App auth and CI gating

- merge release-please into main.yml gated behind all 6 CI jobs
- add publish-release job to promote draft releases
- upgrade release-please-action from v4.1.0 to v4.4.0
- add draft mode, search depths, emoji changelog headers to config
- delete standalone release-please.yml

🤖 - Generated by Copilot

* fix(build): add concurrency group and use App token for publish-release

- add concurrency group to release-please and publish-release jobs

- replace GITHUB_TOKEN with App token in publish-release job

- downgrade publish-release permissions from contents:write to contents:read

🔧 - Generated by Copilot

Author: WilliamBerryiii

.github/instructions/commit-message.instructions.md

@@ -37,6 +37,7 @@ Scopes MUST be one of the following:
 - `(scripts)`
 - `(src)`
 - `(deploy)`
+- `(build)`
 
 ## Description
 

.github/workflows/main.yml

@@ -52,3 +52,77 @@ jobs:
     uses: ./.github/workflows/markdown-link-check.yml
     permissions:
       contents: read
+
+  # Automated release PR management via release-please
+  release-please:
+    needs:
+      - spell-check
+      - markdown-lint
+      - table-format
+      - psscriptanalyzer
+      - link-lang-check
+      - markdown-link-check
+    name: Release Please
+    runs-on: ubuntu-latest
+    concurrency:
+      group: release-please-${{ github.ref }}
+      cancel-in-progress: false
+    permissions:
+      contents: read
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+      version: ${{ steps.release.outputs.version }}
+      major: ${{ steps.release.outputs.major }}
+      minor: ${{ steps.release.outputs.minor }}
+      patch: ${{ steps.release.outputs.patch }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2  # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf  # v2.0.0
+        with:
+          app-id: ${{ vars.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
+      - name: Run release-please
+        id: release
+        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38  # v4.4.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          config-file: release-please-config.json
+          manifest-file: release-please-manifest.json
+
+  # Promote draft release to published
+  publish-release:
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    needs: [release-please]
+    name: Publish Release
+    runs-on: ubuntu-latest
+    concurrency:
+      group: release-please-${{ github.ref }}
+      cancel-in-progress: false
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2  # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf  # v2.0.0
+        with:
+          app-id: ${{ vars.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
+      - name: Publish draft release
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
+        run: gh release edit "$TAG_NAME" --draft=false --repo "$GITHUB_REPOSITORY"

.github/workflows/release-please.yml

@@ -1,5 +1,8 @@
 {
   "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "draft": true,
+  "release-search-depth": 800,
+  "commit-search-depth": 1000,
   "packages": {
     ".": {
       "release-type": "node",
@@ -12,14 +15,14 @@
         }
       ],
       "changelog-sections": [
-        {"type": "feat", "section": "Features", "hidden": false},
-        {"type": "fix", "section": "Bug Fixes", "hidden": false},
-        {"type": "docs", "section": "Documentation", "hidden": false},
-        {"type": "refactor", "section": "Code Refactoring", "hidden": false},
-        {"type": "perf", "section": "Performance", "hidden": false},
-        {"type": "build", "section": "Build System", "hidden": false},
-        {"type": "ops", "section": "Operations", "hidden": false},
-        {"type": "chore", "section": "Miscellaneous", "hidden": false}
+        {"type": "feat", "section": "✨ Features", "hidden": false},
+        {"type": "fix", "section": "🐛 Bug Fixes", "hidden": false},
+        {"type": "docs", "section": "📚 Documentation", "hidden": false},
+        {"type": "refactor", "section": "♻️ Code Refactoring", "hidden": false},
+        {"type": "perf", "section": "⚡ Performance", "hidden": false},
+        {"type": "build", "section": "📦 Build System", "hidden": false},
+        {"type": "ops", "section": "🔧 Operations", "hidden": false},
+        {"type": "chore", "section": "🔧 Miscellaneous", "hidden": false}
       ],
       "bump-minor-pre-major": true,
       "bump-patch-for-minor-pre-major": false,