
chore: replace release-please with changesets #827

Open

joshuaellis wants to merge 1 commit into main from chore/changesets-migration

Conversation

@joshuaellis
Member

@joshuaellis joshuaellis commented Mar 27, 2026

Summary

Replace release-please with Changesets for version management and publishing. Uses OIDC-based npm trusted publishing (provenance) — matching the pattern from sanity-io/next-sanity and the shared sanity-io/.github workflows.

Why Changesets?

| Feature | release-please | Changesets |
|---|---|---|
| Version bumps | Derived from conventional commit messages | Explicit changeset files (auto-generated or manual) |
| Changelog control | Auto-generated from commits | Author-written summaries or auto from conventional commits |
| Monorepo support | | ✅ (purpose-built for monorepos) |
| Manual overrides | Limited | Full control via `pnpm changeset` |
| npm provenance | | ✅ OIDC trusted publishing |
| Snapshot releases | | ✅ On-demand via workflow_dispatch |
| Prerelease mode | | ✅ Built-in alpha/beta/rc support |
| Emergency publishing | | ✅ Force bump all packages without changesets |
| Ecosystem adoption | Google projects | Pnpm, Turborepo, Radix, sanity-io/next-sanity, etc. |

How It Works

Changesets are auto-generated from conventional commits — no manual steps required. The same workflow as before: write conventional commit messages (feat:, fix:, etc.) and the system handles the rest.

The changesets-from-conventional-commits workflow (using mscharley/dependency-changesets-action) automatically:

  1. Parses conventional commit messages on bot PRs (Renovate, Dependabot)
  2. Generates .changeset/*.md files with the correct bump type
  3. Commits them back to the PR branch (signed)

For human PRs, you can optionally run pnpm changeset for more control over changelog entries.

Publishing

Standard releases — on push to main, the release workflow (changesets/action@v1.6.0):

  1. Creates a "Version Packages" PR that bumps versions, updates changelogs, and removes consumed changesets
  2. Merging that PR publishes to npm with OIDC provenance and creates GitHub Releases
  3. Post-release marks Linear issues as done

Snapshot releases — on-demand via workflow_dispatch:

  • Publishes ephemeral timestamp-based versions (e.g., 0.0.0-20260327120000) under a custom dist tag
  • forceBump option generates changesets for all packages when none exist (patch/minor/major)
  • When forceBump is used: creates real versions, publishes to latest, commits version changes to main, and creates GitHub Releases

Prerelease mode — for sustained alpha/beta/rc cycles:

  • pnpm pre:enter alpha / pnpm pre:exit to enter and exit prerelease mode
  • While in pre mode, changeset version produces versions like 1.0.0-alpha.0, -alpha.1, etc.

| Release type | Dist tag | Install command |
|---|---|---|
| Standard | latest | `npm install @sanity/cli` |
| Snapshot | snapshot (or custom) | `npm install @sanity/cli@snapshot` |
| Prerelease | alpha, beta, etc. | `npm install @sanity/cli@alpha` |

Related issues

@joshuaellis joshuaellis requested a review from a team as a code owner March 27, 2026 21:27
@joshuaellis joshuaellis requested review from ryanbonial and removed request for a team March 27, 2026 21:27
@claude

claude bot commented Mar 27, 2026

Claude finished @joshuaellis's task in 1m 37s

Review

  • Read changed files
  • Review workflow files
  • Review configuration files
  • Post findings

.github/workflows/snapshot-release.yml:24 — `cancel-in-progress: true` is unsafe for a publish workflow. If a second snapshot is triggered while one is mid-publish, the first job gets cancelled leaving packages partially published with no cleanup.

```yaml
# Change to:
cancel-in-progress: false
```

.github/workflows/snapshot-release.yml:74 — The hardcoded filename `.changeset/force-snapshot.md` will cause conflicts on re-runs or concurrent runs. If the workflow fails after creating the file but before `changeset version` consumes it, all subsequent runs fail because the file already exists.

```sh
# Use a unique filename, e.g.:
} > .changeset/force-snapshot-${{ github.run_id }}.md
```

.github/workflows/snapshot-release.yml (non-forceBump path) — There is no guard for the case where no changesets exist when `forceBump == 'false'`. `pnpm changeset version --snapshot` will fail with an error if there are no changesets. Consider adding a check:

```yaml
- name: Check for changesets
  if: ${{ inputs.forceBump == 'false' }}
  run: |
    if [ -z "$(ls .changeset/*.md 2>/dev/null | grep -v README)" ]; then
      echo "No changesets found. Either add a changeset or use forceBump."
      exit 1
    fi
```

.github/workflows/release.yml — Socket Security flagged changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 as 98% likely obfuscated. This is almost certainly minified bundle code (standard for GitHub Actions), not malicious obfuscation — but worth verifying the SHA matches the expected v1.6.0 tag on the changesets/action repo before merging.

@github-actions

github-actions bot commented Mar 27, 2026

Coverage Delta

No covered files changed in this PR.

Overall Coverage

| Metric | Coverage |
|---|---|
| Statements | 83.1% (±0%) |
| Branches | 72.8% (±0%) |
| Functions | 83.2% (±0%) |
| Lines | 83.5% (±0%) |

@socket-security

socket-security bot commented Mar 27, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | Obfuscated code: github changesets/action is 98.0% likely obfuscated |

Confidence: 0.98

Location: Package overview

From: .github/workflows/release.yml (github/changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87)

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@joshuaellis joshuaellis force-pushed the chore/changesets-migration branch 2 times, most recently from e3604c3 to 052d17c Compare March 27, 2026 21:36
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Binoy Patel <6476108+binoy14@users.noreply.github.com>
@joshuaellis joshuaellis force-pushed the chore/changesets-migration branch from 052d17c to b704592 Compare March 27, 2026 21:43