ci: add release-please, dependabot, and PR title validation

[FBumann]

Summary

• release-please: Replace manual tag-based release workflow with automated changelog generation and version bumps via conventional commits
• Manual prerelease tags: git push origin v6.2.0rc1 triggers the full test → build → publish → verify pipeline and creates a GitHub prerelease
• Dependabot: Weekly dependency scanning for GitHub Actions and pip packages, with auto-merge for minor/patch updates
• PR title validation: Enforce conventional commit format on PR titles (feat:, fix:, refactor:, etc.)

Architecture

Follows the python-project-blueprint pattern with two workflows:

• release.yaml — Runs on push to main. release-please creates/updates a release PR; on merge, calls publish.yaml via workflow_call, then updates CITATION.cff date and deploys docs.
• publish.yaml — Reusable workflow with two triggers:
  • workflow_call: called by release-please for stable releases
  • push: tags: ["v*"]: manual tag push for prereleases
  • Pipeline: test → build → publish to PyPI → verify PyPI → create GitHub release (tag push only, with PEP 440 prerelease detection)

Other changes

• .github/dependabot.yml — Weekly scans for Actions + pip
• .github/workflows/dependabot-auto-merge.yaml — Auto-squash-merge minor/patch Dependabot PRs
• .github/workflows/pr-title.yaml — Conventional commit validation (includes revert and style types)
• .release-please-config.json / .release-please-manifest.json — release-please config with release-type: "simple" (compatible with setuptools_scm)
• CITATION.cff — Added x-release-please-version marker for automatic version updates
• Removed renovate.json and scripts/extract_release_notes.py

Setup required

• The existing Release Bot GitHub App (RELEASE_BOT_APP_ID / RELEASE_BOT_PRIVATE_KEY) is reused for release-please
• Consider adding "PR Title" and "CI Success" as required status checks on main

Test plan

• Verify release-please creates a release PR after merging conventional commits to main
• Verify Dependabot opens dependency update PRs
• Verify PR title validation rejects non-conventional titles
• Verify a full stable release cycle: merge release PR → tests → PyPI publish → docs deploy
• Verify a prerelease cycle: git tag v6.2.0rc1 && git push origin v6.2.0rc1 → tests → PyPI publish → GitHub prerelease

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enabled weekly automated dependency checks with conditional auto-merge for safe updates.
  • Added PR title validation to enforce conventional commit types.
  • Revamped release automation to run from main, orchestrate publishing, update release metadata, and deploy docs.
  • Adjusted packaging to include previously excluded metadata and removed legacy Renovate configuration.
  • Removed an old release-notes extraction script and added release tooling configuration and manifest.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds Dependabot configuration and auto-merge, enforces conventional PR titles, replaces tag-based release flow with Release Please-driven automation (including publish workflow), updates CITATION handling, removes Renovate and a release-notes extraction script, and adjusts packaging exclusions for renovate.json.

Changes

Cohort / File(s)	Summary
Dependabot & auto-merge ​.github/dependabot.yml, ​.github/workflows/dependabot-auto-merge.yaml	Adds weekly Dependabot scans for github-actions and pip; workflow auto-merges Dependabot PRs unless the update is version-update:semver-major.
PR title validation ​.github/workflows/pr-title.yaml	Adds workflow enforcing conventional PR titles using amannn/action-semantic-pull-request@v6 with an explicit allowed types list.
Release orchestration ​.github/workflows/release.yaml, ​.github/workflows/publish.yaml, .release-please-config.json, .release-please-manifest.json	Replaces tag-triggered release with Release Please-driven flow, introduces release detection outputs (release_created, tag_name), adds a reusable publish workflow that builds, publishes to PyPI, verifies package, and creates GitHub release notes.
CITATION & packaging CITATION.cff, MANIFEST.in, pyproject.toml	Annotates CITATION.cff for release-please; removes explicit renovate.json exclusion from packaging manifests so it may be included in distributions.
Renovate removal renovate.json	Deletes Renovate configuration and all its grouped rules, schedules, and automerge behaviors.
Removed tooling script scripts/extract_release_notes.py	Removes script that extracted release notes from CHANGELOG.md.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dependabot as Dependabot
  participant GH_Actions as GitHub Actions
  participant FetchMeta as dependabot/fetch-metadata
  participant GH_CLI as gh CLI
  participant Repo as Repository

  Note over Dependabot,Repo: Dependabot opens PR
  Dependabot->>GH_Actions: pull_request event
  GH_Actions->>FetchMeta: run fetch-metadata
  FetchMeta-->>GH_Actions: outputs.update-type
  alt update-type != version-update:semver-major
    GH_Actions->>GH_CLI: gh pr merge "$PR" --auto --squash
    GH_CLI-->>Repo: merge PR
  else semver-major
    GH_Actions-->>Repo: no auto-merge (manual review)
  end

Loading

sequenceDiagram
  autonumber
  participant Dev as Developer Push
  participant GH as GitHub Actions
  participant RP as release-please
  participant Publish as Publish workflow
  participant PyPI as PyPI
  participant Verify as Verify step
  participant Docs as Docs Deploy
  participant Repo as Repository

  Dev->>GH: push to main (or release-please triggers)
  GH->>RP: run release-please action
  RP-->>GH: outputs (release_created, tag_name, version)
  alt release_created == "true"
    GH->>Publish: call publish workflow (tag_name)
    Publish->>PyPI: build & upload package
    PyPI-->>Verify: release available
    Verify-->>Publish: install & import check
    Publish-->>GH: publish success
    GH->>Repo: update CITATION.cff (date-released) and push to main
    GH->>Docs: deploy docs for tag_name
  else
    GH-->>Repo: no release-triggered downstream jobs
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Added Zenodo to repository for citations #433: touches CITATION.cff metadata (related to citation/release metadata handling).

Suggested labels

v3.0.0

Suggested reviewers

• PStange
• baumbude

Poem

🐇 I hopped through YAMLs in moonlit code,
Dependabot danced and checked each node,
Release Please chimed tags tidy and bright,
Renovate gone — CI hums through the night,
A carrot merge — hop, publish, and abode! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding release-please, dependabot, and PR title validation to the CI workflow.
Description check	✅ Passed	The description is comprehensive and well-structured, covering architecture, implementation details, and a detailed test plan, exceeding the template requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/release-please-dependabot-pr-title

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/pr-title.yaml (2)

3-5: The synchronize trigger is unnecessary for title validation.

PR titles don't change when new commits are pushed. Removing synchronize would avoid redundant workflow runs.

Proposed change

 on:
   pull_request:
-    types: [opened, edited, synchronize, reopened]
+    types: [opened, edited, reopened]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-title.yaml around lines 3 - 5, The pull_request
workflow currently lists types: [opened, edited, synchronize, reopened] in the
pull_request trigger; remove the unnecessary "synchronize" event from that array
so the trigger becomes types: [opened, edited, reopened] under the pull_request
block to avoid redundant runs for new commits.

---

16-25: Consider adding revert and style types.

The conventional commits specification also includes revert (for reverting previous commits) and style (for formatting/whitespace changes). If contributors use these, the PR will be rejected.

Proposed addition

         types: |
           feat
           fix
           refactor
           test
           docs
           chore
           ci
           build
           perf
+          revert
+          style

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-title.yaml around lines 16 - 25, Update the PR title
workflow's types list to include the missing conventional commit types by adding
"revert" and "style" to the existing types block (the YAML key "types" in the
workflow). Modify the list under the types multi-line string where values like
"feat", "fix", "refactor", etc. are declared so that "revert" and "style" appear
alongside them, ensuring PRs using these conventional commit types won’t be
rejected.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 145-150: The shell command using `git diff --staged --quiet || git
commit -m "chore: update CITATION.cff date-released" && git push origin main`
has operator precedence that causes `git push` to run even when no commit
occurs; change the logic to group the commit-and-push together so push only runs
when a commit was created, for example replace that pipeline with `git diff
--staged --quiet || (git commit -m "chore: update CITATION.cff date-released" &&
git push origin main)` or equivalently use an if-check around `git commit`/`git
push` so the commit-and-push are executed atomically (reference the `git diff
--staged --quiet`, `git commit -m "chore: update CITATION.cff date-released"`,
and `git push origin main` commands).

In @.release-please-config.json:
- Around line 1-14: Update the release-please config by changing the
release-type value in the package entry for "." from "python" to "simple":
locate the "release-type" key in the JSON (the package block that includes
"package-name": "flixopt", "changelog-path": "CHANGELOG.md", and "extra-files":
["CITATION.cff"]) and replace "python" with "simple" so Release Please will
create git tags and update CHANGELOG.md compatible with setuptools_scm-driven
versioning.

---

Nitpick comments:
In @.github/workflows/pr-title.yaml:
- Around line 3-5: The pull_request workflow currently lists types: [opened,
edited, synchronize, reopened] in the pull_request trigger; remove the
unnecessary "synchronize" event from that array so the trigger becomes types:
[opened, edited, reopened] under the pull_request block to avoid redundant runs
for new commits.
- Around line 16-25: Update the PR title workflow's types list to include the
missing conventional commit types by adding "revert" and "style" to the existing
types block (the YAML key "types" in the workflow). Modify the list under the
types multi-line string where values like "feat", "fix", "refactor", etc. are
declared so that "revert" and "style" appear alongside them, ensuring PRs using
these conventional commit types won’t be rejected.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de0d0630-661c-4250-9a3e-964926e5c604

📥 Commits

Reviewing files that changed from the base of the PR and between 27cce42 and edfefc0.

📒 Files selected for processing (7)

• .github/dependabot.yml
• .github/workflows/dependabot-auto-merge.yaml
• .github/workflows/pr-title.yaml
• .github/workflows/release.yaml
• .release-please-config.json
• .release-please-manifest.json
• CITATION.cff

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 142-143: The VERSION shell assignment in the GitHub Actions run
step should use a quoted expansion to avoid word-splitting or surprises when
needs.release-info.outputs.version is empty or contains special characters;
update the run step so the VERSION variable assignment uses a quoted expansion
of needs.release-info.outputs.version (refer to VERSION and
needs.release-info.outputs.version in the run block).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3bc0fd01-9e67-4e58-95c1-04f9fcb3a3ec

📥 Commits

Reviewing files that changed from the base of the PR and between 63a37a5 and 29d99d0.

📒 Files selected for processing (3)

• .github/workflows/pr-title.yaml
• .github/workflows/release.yaml
• .release-please-config.json

✅ Files skipped from review due to trivial changes (1)

• .release-please-config.json

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/pr-title.yaml