CI: Automatic changelog generation

[thomasttvo]

Summary by CodeRabbit

• Documentation

  • Added changelog link to README for easy access to version history and release notes.
  • Added contribution guidelines for labeling pull requests to control changelog organization.

• Chores

  • Configured automated changelog generation from pull request labels.
  • Added GitHub Actions workflow to enforce required PR labels.
  • Updated release configuration to auto-generate GitHub releases.
  • Removed build artifacts from version control.

[thomasttvo]

@claude please review this PR

[thomasttvo]

@claude review

[thomasttvo]

lib seems to be accidentally committed

[coderabbitai]

Walkthrough

This pull request removes the compiled library code from the repository, including all CommonJS and ES module implementations in lib/commonjs/ and lib/module/, along with their corresponding TypeScript declarations in lib/typescript/. The lib/ directory is now excluded via .gitignore. In parallel, release and CI/CD workflows are introduced with .github/release.yml defining changelog categories and .github/workflows/pr-labels.yml enforcing PR label requirements. Build dependencies and pre-commit hooks are simplified in package.json. Documentation is updated with changelog and release notes guidance in CONTRIBUTING.md and README.md.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/pr-labels.yml (1)

3-5: Consider removing synchronize trigger.

Label checks don't need to re-run on every push—only when labels change (labeled, unlabeled) or PR opens/reopens. The synchronize trigger causes unnecessary workflow runs on each commit.

⚡ Reduce workflow runs

 on:
   pull_request:
-    types: [opened, synchronize, reopened, labeled, unlabeled]
+    types: [opened, reopened, labeled, unlabeled]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-labels.yml around lines 3 - 5, The pull_request trigger
currently includes "synchronize", causing runs on every push; remove
"synchronize" from the types array in the workflow so it only triggers on
"opened", "reopened", "labeled", and "unlabeled" (update the types list in the
top-level `on: pull_request:` block to exclude "synchronize").

CONTRIBUTING.md (1)

91-102: Clarify that labels categorize release notes, not auto-bump versions.

Lines 95-97 state labels trigger "major/minor/patch version bump," but these labels only categorize release notes—they don't automatically bump semver. The maintainer still chooses the version during yarn release. Consider rewording to avoid confusion.

📝 Suggested rewording

 Release notes are automatically generated from merged pull requests. Please label your PRs with:

-- `breaking`: Breaking changes (major version bump)
-- `enhancement`: New features (minor version bump)
-- `bug`: Bug fixes (patch version bump)
+- `breaking`: Breaking changes
+- `enhancement`: New features
+- `bug`: Bug fixes
 - `documentation`: Documentation updates

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CONTRIBUTING.md` around lines 91 - 102, Update the "Changelog and Release
Notes" section so it's clear that PR labels (`breaking`, `enhancement`, `bug`,
`documentation`, `dependencies`) are used only to categorize release notes and
do not automatically bump semver; explicitly state that the maintainer selects
the version during the release process (e.g., when running `yarn release`) and
that `.github/release.yml` controls note organization, not automatic versioning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-labels.yml:
- Around line 7-27: The check-labels job currently enforces labels for all PRs
and will block Dependabot PRs; update the workflow to skip this job or the
"Extract valid labels from release.yml" step when the actor is Dependabot by
adding an if condition that checks github.actor != 'dependabot[bot]' (reference
the job name check-labels and the step id extract-labels), so Dependabot PRs
bypass the labels requirement; alternatively, if you prefer allowing Dependabot
to be validated, include 'dependencies' in the labels set, but the recommended
quick fix is to add the if guard to skip the job/step for Dependabot.

In `@package.json`:
- Around line 116-119: The package.json is missing a "prepare" script so
release-it's npm publish may run without building lib/; add a "prepare" script
that runs the bob build step (e.g., set "prepare": "bob build") to ensure
react-native-builder-bob generates the lib/ directory before publishing—update
package.json's scripts section to include the prepare entry so the package is
built prior to npm publish triggered by the "github" / release-it configuration.

---

Nitpick comments:
In @.github/workflows/pr-labels.yml:
- Around line 3-5: The pull_request trigger currently includes "synchronize",
causing runs on every push; remove "synchronize" from the types array in the
workflow so it only triggers on "opened", "reopened", "labeled", and "unlabeled"
(update the types list in the top-level `on: pull_request:` block to exclude
"synchronize").

In `@CONTRIBUTING.md`:
- Around line 91-102: Update the "Changelog and Release Notes" section so it's
clear that PR labels (`breaking`, `enhancement`, `bug`, `documentation`,
`dependencies`) are used only to categorize release notes and do not
automatically bump semver; explicitly state that the maintainer selects the
version during the release process (e.g., when running `yarn release`) and that
`.github/release.yml` controls note organization, not automatic versioning.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ee2e1582-fb27-407e-8396-8be57e3d0def

📥 Commits

Reviewing files that changed from the base of the PR and between 58f450c and ae88a40.

⛔ Files ignored due to path filters (27)

• lib/commonjs/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/commonjs/animations/index.js.map is excluded by !**/*.map
• lib/commonjs/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/commonjs/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/commonjs/components/StaticPin.js.map is excluded by !**/*.map
• lib/commonjs/components/index.js.map is excluded by !**/*.map
• lib/commonjs/debugHelper/index.js.map is excluded by !**/*.map
• lib/commonjs/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/commonjs/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/commonjs/helper/index.js.map is excluded by !**/*.map
• lib/commonjs/index.js.map is excluded by !**/*.map
• lib/commonjs/typings/index.js.map is excluded by !**/*.map
• lib/module/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/module/animations/index.js.map is excluded by !**/*.map
• lib/module/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/module/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/module/components/StaticPin.js.map is excluded by !**/*.map
• lib/module/components/index.js.map is excluded by !**/*.map
• lib/module/debugHelper/index.js.map is excluded by !**/*.map
• lib/module/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/module/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/module/helper/index.js.map is excluded by !**/*.map
• lib/module/index.js.map is excluded by !**/*.map
• lib/module/typings/index.js.map is excluded by !**/*.map
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock, !**/yarn.lock

📒 Files selected for processing (43)

• .github/release.yml
• .github/workflows/pr-labels.yml
• .gitignore
• CONTRIBUTING.md
• README.md
• lib/commonjs/ReactNativeZoomableView.js
• lib/commonjs/animations/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/commonjs/components/StaticPin.js
• lib/commonjs/components/index.js
• lib/commonjs/debugHelper/index.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/helper/coordinateConversion.js
• lib/commonjs/helper/index.js
• lib/commonjs/index.js
• lib/commonjs/typings/index.js
• lib/module/ReactNativeZoomableView.js
• lib/module/animations/index.js
• lib/module/components/AnimatedTouchFeedback.js
• lib/module/components/StaticPin.js
• lib/module/components/index.js
• lib/module/debugHelper/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/coordinateConversion.js
• lib/module/helper/index.js
• lib/module/index.js
• lib/module/typings/index.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/typescript/__tests__/index.test.d.ts
• lib/typescript/animations/index.d.ts
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/components/index.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/helper/index.d.ts
• lib/typescript/index.d.ts
• lib/typescript/typings/index.d.ts
• package.json

💤 Files with no reviewable changes (36)

• lib/module/components/index.js
• lib/commonjs/components/index.js
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/module/animations/index.js
• lib/commonjs/typings/index.js
• lib/typescript/index.d.ts
• lib/typescript/helper/index.d.ts
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/index.js
• lib/commonjs/animations/index.js
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/module/components/AnimatedTouchFeedback.js
• lib/commonjs/debugHelper/index.js
• lib/module/components/StaticPin.js
• lib/module/ReactNativeZoomableView.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/commonjs/helper/index.js
• lib/commonjs/components/StaticPin.js
• lib/typescript/typings/index.d.ts
• lib/module/index.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/module/helper/coordinateConversion.js
• lib/typescript/components/index.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/components/StaticPin.d.ts
• lib/commonjs/helper/coordinateConversion.js
• lib/typescript/debugHelper/index.d.ts
• lib/module/typings/index.js
• lib/module/debugHelper/index.js
• lib/typescript/animations/index.d.ts
• lib/commonjs/ReactNativeZoomableView.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/applyPanBoundariesToOffset.js

[thomasttvo]

Marking as draft — this PR is stacked on #158 (ci: move build to release workflow). Will be ready for review after #158 merges.

[thomasttvo]

@claude review

[claude]

LGTM — the two functional issues from the previous review (release-it version, label extraction) have been addressed. The remaining inline comments are documentation nits.

Extended reasoning...

Overview

This PR sets up automatic changelog generation via GitHub Releases' native PR-based notes, adds a required-labels workflow for PRs, upgrades release-it from v14 to v15, and removes the now-redundant @release-it/conventional-changelog plugin. Changes touch .github/release.yml, .github/workflows/pr-labels.yml, package.json, CONTRIBUTING.md, and README.md.

Security risks

None. This is a CI/CD configuration change with no auth, crypto, or permissions-sensitive code.

Level of scrutiny

Low-to-medium. The changes are CI infrastructure — workflow files and tooling config. The logic is straightforward and the critical correctness issues (version compatibility, label coverage) have been resolved in prior iterations.

Other factors

Both bugs I flagged in the previous review were promptly addressed: release-it was upgraded to ^15.0.0 (so autoGenerate: true is now recognized) and the label-extraction script was updated to include exclude labels. The outstanding inline comments in this pass are documentation nits in CONTRIBUTING.md with no functional impact.

[claude]

🔴 This PR gitignores lib/ but never adds a prepare script to package.json, so direct git URL installs (e.g. npm install github:openspacelabs/react-native-zoomable-view) will succeed but produce a broken package — lib/ is never built, causing require('@openspacelabs/react-native-zoomable-view') to fail since main/module/types all point into lib/. Fix by adding "prepare": "bob build" to the scripts section; prepublishOnly only runs during npm publish, not git installs.

Extended reasoning...

What the bug is

This PR removes lib/ from version control by adding it to .gitignore (the PR description confirms: "Removed build artifacts from version control"). However, the package.json scripts section contains only prepublishOnly: yarn build and no prepare script. The scripts section is: prepublishOnly, test, typescript, lint, build, release, example, pods, bootstrap — no prepare entry.

The specific code path that triggers it

When a developer installs directly from a git URL — npm install github:openspacelabs/react-native-zoomable-view — npm clones the repo, then runs the prepare lifecycle hook before completing installation. Because prepare is absent, no build runs, lib/ is never created, and the installed package is non-functional. The main field points to lib/commonjs/index, module to lib/module/index, and types to lib/typescript/index.d.ts — none of which exist.

Why existing code doesn't prevent it

prepublishOnly fires only during npm publish (and npm pack), not during git URL installs. The CI release workflow correctly relies on prepublishOnly for registry publishes, so those are unaffected. But the npm lifecycle hook for git installs is specifically prepare, which is missing.

Before this PR: lib/ was committed to git, so it was present after cloning — git installs worked. After this PR: lib/ is gitignored, cloning gives no lib/, no prepare hook builds it, and the install silently succeeds with a broken package.

The claimed fix was never applied

CodeRabbit flagged this as Critical (comment id 3019192531 on package.json line 121). The PR author thomasttvo responded: "Fixed — added prepare: bob build script to package.json". However, examining the actual package.json in this PR, the scripts section has no prepare entry. The fix was acknowledged in the timeline but never committed to the code.

Step-by-step proof

1. Developer runs: npm install github:openspacelabs/react-native-zoomable-view
2. npm clones the repo — lib/ is absent (gitignored, not committed)
3. npm runs lifecycle hooks: preinstall → install → postinstall → prepare
4. prepare is undefined in package.json — no build runs
5. Installation exits 0 (success), but lib/ does not exist
6. Consumer calls require('@openspacelabs/react-native-zoomable-view')
7. Node resolves main: "lib/commonjs/index" → MODULE_NOT_FOUND error

Fix: Add "prepare": "bob build" to the scripts section of package.json.

_{🔬 also observed by 3019192531}

[claude]

🟡 The authors exclude filter in .github/release.yml lists 'dependabot' but the GitHub bot's actual login is 'dependabot[bot]' (with the [bot] suffix), making the filter technically ineffective — though in practice Dependabot PRs are still excluded via the 'dependencies' label in exclude.labels.

Extended reasoning...

What the bug is

The authors field at line 7 of .github/release.yml lists '- dependabot', but GitHub bot accounts use the login format 'dependabot[bot]' (with the [bot] suffix). GitHub's release notes generator matches authors by exact login, so this filter would never match any real PR author.

The specific code path

When a Dependabot PR is merged and a new GitHub release is created, the automatic release notes generator reads .github/release.yml to determine which PRs to include/exclude. The exclude.authors field is matched against the PR author's GitHub login. Dependabot's actual login is 'dependabot[bot]', not 'dependabot', so the filter never fires.

Why existing code doesn't fully prevent it

The same PR correctly uses 'dependabot[bot]' in pr-labels.yml line 10: 'if: github.actor != dependabot[bot]'. The inconsistency is evident when comparing the two files in this PR. Three refutations raised the argument that GitHub's release.yml documentation may show 'dependabot' (without [bot]) as the canonical format — this is a valid counter-argument since the release notes generator is a different system from GitHub Actions context variables. However, all confirming verifiers agree that the GitHub login for the Dependabot app is 'dependabot[bot]', and the sister file in this very PR proves the author knows the correct format.

What the impact would be

The practical impact is nil. Dependabot PRs automatically receive the 'dependencies' label from GitHub, and 'dependencies' is already listed under exclude.labels. So Dependabot PRs are excluded from release notes via the label filter regardless of whether the authors filter works. The broken authors filter is dead code. Step-by-step: (1) Dependabot opens a dependency update PR; (2) GitHub auto-applies the 'dependencies' label; (3) release notes generator checks labels — the PR matches exclude.labels: [dependencies]; (4) the PR is excluded from release notes. The authors filter adds nothing.

How to fix

Change '- dependabot' to '- dependabot[bot]' in .github/release.yml line 7. This makes the filter consistent with the correct login format used in pr-labels.yml and aligns with the actual GitHub bot login. The fix is cosmetic — the label-based exclusion already works — but removes confusing dead code.