chore!: migrate from release-please to semantic-release

[frankieyan]

Overview

We're standardizing on semantic-release across our non-product repositories (ref). release-please required merging a separate release PR before publishing, adding latency and a manual step. semantic-release collapses this into a single pipeline: push to main triggers CI validation, version analysis, changelog update, npm + GitHub Packages publish, and a GitHub release.

The setup follows Doist/typist as closely as possible, with three intentional differences: main only (no next prerelease branch), no CHANGELOG formatting step (Biome doesn't format Markdown), and doist-release-bot App tokens instead of a PAT, adopted from todoist-sdk-typescript #529/#530.

Breaking change

This PR drops Node 20 support, narrowing engines.node from ^20.0.0 || >=22.0.0 to ^22.14.0 || >=24.10.0. semantic-release@25 requires Node 22.14+, and with engine-strict=true in .npmrc, keeping Node 20 in the engine range would cause npm install to fail for contributors on Node 20. This aligns with typist, which made the same change.

Reference

• Tracking issue: https://github.com/Doist/todoist-web/issues/16941
• Cross-referenced against todoist-sdk-typescript #525, #529, #530

Pre-merge checklist

• doist-release-bot installed and added as bypass actor on both rulesets
• Bridge git tag created (v2.3.3 pointing to react-compiler-tracker-v2.3.3)
• npm trusted publisher config updated to reference publish-package-release.yml

Test plan

• After merge, verify the Package Release workflow runs on the merge commit
  • Exits cleanly with "no release" (merge commit is chore: type)
• Merge a feat: or fix: commit to main
  • CHANGELOG.md updated, package.json version bumped
  • npm package published with provenance
  • GitHub release created
  • GitHub Packages publish succeeds
• Old "Release Please" and "Publish" workflows no longer appear in Actions tab

[doistbot]

This PR transitions the release pipeline from release-please to semantic-release to streamline package publishing into a single, automated workflow. The implementation aligns well with other Doist repositories and will nicely reduce manual release steps. However, a few adjustments are needed before merging, specifically regarding restoring the npm version floor for provenance support, preventing potential secret exposure by reverting elevated fork PR workflow triggers, and resolving a Node engine compatibility conflict with the chosen semantic-release version.

_{Share Feedback • Review Logs}

[doistbot]

[P2] Avoid elevating this check to pull_request_target. That trigger runs on fork PRs with the base repository token, which goes against our public-repo secrets guidance for fork-triggered workflows because a later workflow change or third-party action issue can exfiltrate it: https://handbook.doist.com/doc/standard-secrets-management-. The previous pull_request trigger already had enough access to read PR titles, so this change grants more privilege than the job needs.

[frankieyan]

This workflow doesn't execute the fork PR's code. The only thing it is allowed to do is verify the PR title with amannn/action-semantic-pull-request. We also do this in our other public repos.

[frankieyan]

Rolled this back because it prevented the validate title job from being run for this PR. Even though it should work for subsequent PRs, the change wasn't worth temporarily stopping it from running here.