
Adopt changesets for versioning and a consolidated release workflow #650

Open

drewda wants to merge 5 commits into main from changesets-release-tooling

Adopt changesets for versioning and a consolidated release workflow#650
drewda wants to merge 5 commits into
mainfrom
changesets-release-tooling

Conversation

drewda (Member) commented Jun 9, 2026

Summary

Adopt changesets to track per-PR changes and drive releases, while keeping full continuity with the existing vX.Y.Z git tags. Changesets uses the v-prefixed tag format for single-package repos, and package.json is seeded at the current 1.3.3, so the series simply continues (v1.3.4, v1.4.0, ...). version.go is untouched — the build still embeds the version from the git tag via -ldflags -X main.tag=....

Consolidated release workflow

  • .github/workflows/release.yml is rewritten from a release: created trigger into a single workflow triggered on Test Suite success on main (so a release never races ahead of tests).
  • One workflow does everything: a changesets step opens/updates the "Version Packages" PR; once that PR merges, the same workflow builds + signs the Linux/macOS binaries, creates the vX.Y.Z tag and GitHub Release (notes pulled from CHANGELOG.md, binaries attached), and dispatches the Homebrew formula update.
  • Because there is no cross-workflow trigger, the built-in GITHUB_TOKEN covers all in-repo steps. No new token and no permission changes are required — the existing GitHub App token is used only for the cross-repo Homebrew dispatch, exactly as before.
  • Removes the old check-tests job (replaced by the workflow_run gate) and the separate release-notes job (notes now come from the curated changelog).

Supply-chain hardening

  • All GitHub Actions pinned to commit SHAs (new: changesets/action v1.9.0, pnpm/action-setup v6.0.8, actions/setup-node v6.4.0).
  • Exact dependency versions in package.json with a committed pnpm-lock.yaml; CI installs with pnpm install --frozen-lockfile --ignore-scripts.
  • Install cooldown via minimumReleaseAge (3 days, strict) in pnpm-workspace.yaml keeps freshly published versions out of the lockfile.
  • No dependency lifecycle scripts (onlyBuiltDependencies: [] + .npmrc ignore-scripts=true).

New files

  • package.json, pnpm-workspace.yaml, .npmrc, pnpm-lock.yaml
  • .changeset/config.json, .changeset/README.md
  • RELEASING.md

Test plan

  • Verified locally that pnpm install resolves under the cooldown and produces the committed lockfile.
  • Verified pnpm changeset:version bumps 1.3.3 -> 1.3.4 and writes CHANGELOG.md; confirmed the resulting tag name would be v1.3.4 (continuous with history). Test mutations reverted.
  • Confirmed version.go is unchanged and go build ./... still succeeds.
  • Validated all workflow YAML / config JSON parse cleanly and that the GitHub App token is referenced only in the Homebrew job.

Note: the workflow_run trigger only takes effect once this is on main. After merge, the next feature PR with a changeset will generate the first "Version Packages" PR, and merging that performs the first automated release. The auto-generated "Version Packages" PR does not get its own Test Suite run (GITHUB_TOKEN pushes don't trigger workflows); it only edits package.json/CHANGELOG.md/.changeset/*, and the suite still runs on main before any build.

🤖 Generated with Claude Code


Update: build provenance, checksums, trimpath, v2 docs

Following a review of Go release best practices, this PR also adds:

  • SLSA build provenance for every released binary via actions/attest-build-provenance (keyless, GitHub OIDC + Sigstore), attested over a checksums file. Verify with gh attestation verify <file> --repo interline-io/transitland-lib.
  • SHA256SUMS attached as a release asset (sha256sum -c SHA256SUMS).
  • -trimpath + -s -w on all three builds for reproducibility and smaller binaries.
  • RELEASING.md now documents Go v2+ module-path discipline (a changesets major bump requires moving the module path to /vN — not just a tag) and provenance/checksum verification.

These don't change artifact names, so the Homebrew formula is unaffected.

Deferred to future PRs / issues (noted from the same review, need product or coordination decisions):

  • Pure-Go SQLite (modernc.org/sqlite) to drop the CGO_ENABLED=1 requirement and unlock cross-compilation.
  • Additional platforms (linux/arm64, windows/amd64) — costly under CGO until the above.
  • Versioned tar.gz/zip archives + coordinated Homebrew formula update.
  • SBOM generation (anchore/sbom-action + attest-sbom).
  • Evaluate GoReleaser (most attractive only after pure-Go SQLite).
  • Revive Dependabot (currently open-pull-requests-limit: 0) and add the npm/pnpm ecosystem, or switch to Renovate for native cooldown + SHA-pin bumps.
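The consolidated workflow described above, as an added illustration rather than the PR's actual .github/workflows/release.yml: it shows the workflow_run gate on a green Test Suite, the workflow-level concurrency group and the refs/tags existence check from the commit messages further down, the least-privilege permissions the provenance step needs, and attestation over SHA256SUMS. Action commit SHAs, the job name, the step layout and the omitted pnpm/build steps are placeholders or assumptions, not taken from the project.

```yaml
name: Release
on:
  workflow_run:
    workflows: ["Test Suite"]   # must match the name: of the test workflow
    types: [completed]
    branches: [main]
# Workflow-level group: two Test Suite completions queue instead of racing
# on the Version Packages PR or on tag/release creation.
concurrency:
  group: release-main
permissions:
  contents: write        # push the vX.Y.Z tag, create the GitHub Release
  pull-requests: write   # open/update the "Version Packages" PR
  id-token: write        # keyless Sigstore signing via GitHub OIDC
  attestations: write    # store the SLSA provenance attestation
jobs:
  release:
    # Gate: only a green Test Suite run on main proceeds.
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder: use a full commit SHA
        with:
          fetch-depth: 0   # tags are needed for the refs/tags check below
      # pnpm/action-setup, actions/setup-node and `pnpm install --frozen-lockfile --ignore-scripts` go here (omitted).
      - name: Open or update the Version Packages PR
        id: changesets
        uses: changesets/action@<pinned-commit-sha>   # placeholder
        with:
          version: pnpm changeset:version
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Decide whether this run releases
        id: tag
        if: steps.changesets.outputs.hasChangesets == 'false'   # Version Packages PR has merged
        run: |
          VERSION="v$(node -p "require('./package.json').version")"
          # refs/tags/ qualifies the lookup, so a branch named v1.3.4 cannot satisfy it.
          if git rev-parse --verify --quiet "refs/tags/${VERSION}" >/dev/null; then
            echo "release=false" >> "$GITHUB_OUTPUT"   # already released, skip
          else
            echo "release=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Attest provenance over the checksums file
        if: steps.tag.outputs.release == 'true'
        # The -trimpath / -s -w builds and the SHA256SUMS file are produced before this step (omitted).
        uses: actions/attest-build-provenance@<pinned-commit-sha>   # placeholder
        with:
          subject-path: SHA256SUMS
```

Because the attestation subject is SHA256SUMS rather than each binary, a consumer first runs sha256sum -c SHA256SUMS and then gh attestation verify on the checksums file; tampering with any listed binary fails the first check, tampering with the list fails the second.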

Adopt changesets to track per-PR changes and drive releases, keeping
continuity with the existing vX.Y.Z git tags (changesets uses the
v-prefixed format for single-package repos; package.json is seeded at the
current 1.3.3).

Consolidate the release pipeline into a single workflow triggered after a
green Test Suite on main: a changesets step opens/updates the "Version
Packages" PR, and once merged the same workflow builds, signs, tags,
creates the GitHub Release (notes from CHANGELOG.md), and dispatches the
Homebrew update. Because there is no cross-workflow trigger, the built-in
GITHUB_TOKEN covers all in-repo steps; the GitHub App token is used only
for the cross-repo Homebrew dispatch (unchanged scope).

Supply-chain hardening: SHA-pin all GitHub Actions, exact dependency
versions with a committed pnpm-lock.yaml, a pnpm install cooldown
(minimumReleaseAge), and no dependency lifecycle scripts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 9, 2026 14:33

Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces Changesets + pnpm-based release tooling to manage version bumps and changelog generation for this Go project, and rewires the GitHub Actions release pipeline to run only after the “Test Suite” workflow succeeds on main, preserving the existing vX.Y.Z tag series.

Changes:

  • Adds Changesets configuration and documentation, plus an initial changeset entry to seed the new process.
  • Introduces a pinned pnpm toolchain (package.json, pnpm-lock.yaml, workspace + .npmrc) to harden dependency installation for the release tooling.
  • Replaces the prior release trigger with a consolidated workflow_run-gated release workflow that opens/updates the “Version Packages” PR and, on merge, builds/signs binaries and creates the GitHub Release.

Reviewed changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated 3 comments.

Summary per file:

  • RELEASING.md: Documents the new Changesets-driven, CI-managed release process and supply-chain policies.
  • pnpm-workspace.yaml: Adds pnpm workspace + hardening settings (cooldown, no lifecycle scripts).
  • pnpm-lock.yaml: Commits an exact dependency lockfile for the release tooling.
  • package.json: Adds a private JS package solely for versioning/changelog automation (Changesets + scripts).
  • .npmrc: Enforces ignore-scripts=true as defense-in-depth.
  • .gitignore: Ignores node_modules/ for the newly introduced Node tooling.
  • .github/workflows/release.yml: Consolidates release automation behind successful Test Suite runs and adds Changesets PR + release creation logic.
  • .changeset/release-tooling-changesets.md: Adds the initial changeset describing adoption of the new release tooling.
  • .changeset/README.md: Provides contributor guidance for creating changesets.
  • .changeset/config.json: Configures Changesets behavior and changelog generation.

Files not reviewed (1):
  • pnpm-lock.yaml: Language not supported

drewda and others added 4 commits June 9, 2026 09:19
- Publish SLSA build provenance (actions/attest-build-provenance, keyless via
  GitHub OIDC) over a SHA256SUMS checksum file; SHA256SUMS is also attached as
  a release asset. Adds id-token/attestations permissions to the release job.
- Build all binaries with -trimpath and -s -w for reproducibility and size.
- Document Go v2+ module-path discipline (a changesets `major` bump requires
  moving the module path to /vN) and how to verify provenance/checksums.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…chema

- Add a workflow-level concurrency group so two Test Suite completions can't
  race on the Version Packages PR or tag/release creation.
- Detect an existing release tag with `git rev-parse --verify refs/tags/...`
  instead of a bare ref lookup that could match a branch named v<version>.
- Point the changesets config $schema at the installed @changesets/config 3.1.4.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Rewrite the Releases section: releases are now driven by changesets
  (pnpm changeset -> Version Packages PR -> automated tag/build/publish),
  replacing the manual tag + homebrew-edit steps. Link to RELEASING.md.
- Document SHA256SUMS + build-provenance verification under prebuilt binaries.
- Fix stale CI badge (was the non-existent "Test & Release" workflow) to point
  at the Test Suite workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Link the interline-io/homebrew-transitland-lib tap from the README homebrew
  install and Releases sections.
- Document `go generate ./...` as a development prerequisite (enforced by
  check-go-generate.yml) in the Development section.
- Replace em dashes with plain punctuation across the release docs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>