ci(release): add release-connector workflow and git-cliff changelog config (#6693)

[jabesq]

Proposed changes

• Add release-connector.yml — a workflow_dispatch workflow that releases a single connector independently, decoupled from the current monorepo-wide release train. The workflow takes a connector name, auto-discovers its directory across type dirs (external-import, internal-enrichment, etc.), computes a CalVer version (7.YYMMDD.PATCH), builds multi-arch Docker images (amd64 + arm64) for DockerHub and GHCR (with optional FIPS variant), generates scoped release notes via git-cliff, and creates a Git tag + GitHub Release — all behind a dry_run toggle that defaults to on for safety.
• Add cliff.toml — git-cliff configuration for conventional-commit parsing and Tera-based changelog rendering, with commit grouping (Features, Bug Fixes, Dependencies, etc.), preprocessors to strip issue numbers, and a footer that auto-generates compare links.
• Add CHANGELOG.md — initial changelog seed generated by git-cliff for version 7.260609.0, establishing the baseline for future per-connector release notes.
• Follow CI hardening best practices: all third-party actions are pinned to full commit SHAs, permissions use least-privilege (contents: read by default, contents: write / packages: write only where needed), and a concurrency group prevents parallel releases of the same connector.

Related issues

• Close [Decoupling] Chunk 1: POC with workflow_dispatch #6693

Checklist

• I consider the submitted work as finished
• I have signed my commits using GPG key.
• I tested the code for its functionality using different use cases
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

This is a proof-of-concept (POC) and the first chunk of the connector release decoupling effort (#6693). The goal is to move from a single monolithic release that tags and publishes every connector at once toward independent, per-connector releases with their own CalVer version, changelog, and Docker images.

The workflow is intentionally workflow_dispatch-only (manual trigger) with dry_run: true as the default, so it can be validated on real connectors without side effects before wiring it into automated triggers (e.g., push-to-trunk or label-based dispatch) in subsequent chunks.

Key design decisions:

• CalVer 7.YYMMDD.PATCH — preserves the existing major-version alignment with the OpenCTI platform while making release dates immediately visible. The patch counter auto-increments from existing tags when multiple releases happen on the same day.
• Tag format connector-name/version — namespaces tags per connector so git-cliff can scope changelogs and tags never collide across connectors.
• git-cliff with --include-path and --tag-pattern — ensures each connector's changelog only contains commits that touched its directory, even though all connectors share one repository.
• Sparse checkout in the resolve job — keeps the checkout fast by only fetching the type directories needed for connector discovery.

[jabesq]

For testing, I've forked the repo and ran the workflow there:

• Workflow run: https://github.com/jabesq/connectors/actions/runs/27357519498
• Generated Release https://github.com/jabesq/connectors/releases/tag/mitre%2F7.260611.0

[Copilot]

Pull request overview

This PR introduces a proof-of-concept GitHub Actions workflow to release a single connector independently (manual workflow_dispatch, with dry_run: true by default), alongside initial git-cliff configuration and a seeded repository changelog to support scoped release notes generation.

Changes:

• Add release-connector.yml workflow to resolve a connector directory, compute a CalVer version, build multi-arch images (plus optional FIPS), generate scoped release notes, and (when not dry-run) tag + publish a GitHub Release.
• Add cliff.toml to configure git-cliff parsing/grouping and release note rendering for per-connector tags.
• Add a generated CHANGELOG.md seed for baseline changelog content.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File	Description
.github/workflows/release-connector.yml	Adds the manual, per-connector release workflow (resolve/versioning, notes generation, build/push, tag+release).
cliff.toml	Adds git-cliff configuration for conventional-commit parsing and release note templating.
CHANGELOG.md	Seeds an initial generated changelog baseline for future release notes.