
chore(release): use protoLabsAI/release-tools@v1 for release notes #3650

Merged
mabry1985 merged 1 commit into main from chore/release-notes-via-release-tools
May 24, 2026

@mabry1985 mabry1985 commented May 24, 2026

Replaces the local fork of `scripts/rewrite-release-notes.mjs` (210 LOC) with the upstream composite Action at `protoLabsAI/release-tools@v1`. The local script was a stale copy of the same logic already centralized in the release-tools repo — exactly the consolidation pattern we want.

Why

  • Already using release-tools for code review (`code-review.yml` calls `npx -p github:protoLabsAI/release-tools review-code`). Auto-release was the last bit still on the local fork.
  • Switches from raw `ANTHROPIC_API_KEY` to the LLM gateway (`protolabs/fast` by default). One fewer place we hand out direct Anthropic credentials.

What changes

  • `.github/workflows/auto-release.yml` — replaces inline `node scripts/rewrite-release-notes.mjs` with `uses: protoLabsAI/release-tools@v1`.
  • `scripts/rewrite-release-notes.mjs` — deleted (210 LOC).
  • Docs updated:
    • `docs/self-hosting/ci-cd.md`
    • `docs/internal/dev/release.md`
    • `docs/internal/dev/versioning.md`

Existing repo secrets reused — no new secrets required. `DISCORD_DEV_WEBHOOK` is passed through the env-var mapping as `DISCORD_RELEASE_WEBHOOK` (the name the upstream Action expects).

Future consolidation opportunities

These would push more shared logic to release-tools so other protoLabs repos benefit:

  • The "Pre-flight: format/lint/typecheck" pattern in `checks.yml` could become a reusable workflow (`workflow_call`).
  • The "setup-node + install + build packages" pattern could become a composite action.
  • `scripts/post-review-findings.mjs` (86 LOC) duplicates a "post sticky PR comment after review-code" pattern that could live alongside `review-code` in release-tools.

Test plan

  • Merge → `auto-release.yml` fires on a subsequent release commit → confirm Discord embed posts via the gateway path with no `ANTHROPIC_API_KEY` required.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Updated internal release and versioning guides to reflect new release notes generation approach.
  • Chores

    • Migrated release notes generation to use a centralized service.
    • Updated CI/CD workflow to use new release tools action.

Replaces the local fork of `scripts/rewrite-release-notes.mjs` (210
LOC) with the upstream composite Action at `protoLabsAI/release-tools@v1`.
The local script was a stale copy of the same logic already centralized
in the release-tools repo — exactly the consolidation pattern we want.

Side benefit: switches release-notes generation from a direct
`ANTHROPIC_API_KEY` call to the protoLabs LLM gateway (default model
`protolabs/fast`), matching the rest of the agent stack. Removes one
more place we hand out raw Anthropic keys.

Notes:
- The composite Action's secret naming is `DISCORD_RELEASE_WEBHOOK`
  but our existing secret is `DISCORD_DEV_WEBHOOK`. We pass our secret
  via the env-var mapping so we don't need a new repo secret.
- Already-consumed elsewhere: `code-review.yml` uses
  `npx -p github:protoLabsAI/release-tools review-code`. This PR brings
  `auto-release.yml` into line.

Future consolidation opportunities for release-tools (not blocking this PR):
- The "Pre-flight: format/lint/typecheck" pattern in `checks.yml`
  could become a reusable workflow.
- The "setup-node + install + build packages" pattern in `pr-check.yml`
  could become a composite action.
- `scripts/post-review-findings.mjs` (86 LOC) duplicates a "post sticky
  PR comment" pattern that could live in release-tools alongside
  `review-code`.

Docs updated to reflect the new entry points (`docs/self-hosting/ci-cd.md`,
`docs/internal/dev/release.md`, `docs/internal/dev/versioning.md`).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mabry1985 mabry1985 enabled auto-merge (squash) May 24, 2026 00:41

coderabbitai Bot commented May 24, 2026

Walkthrough

This PR migrates release notes generation from a local script to a centralized @protolabsai/release-tools package. The CI workflow step now resolves the previous git tag and invokes the shared GitHub Action instead of running the local script, while all documentation is updated to reflect the new npx CLI and Action-based approach with updated environment variables.

Changes

Release Notes Tool Centralization

| Layer / File(s) | Summary |
| --- | --- |
| Auto-release workflow migration: `.github/workflows/auto-release.yml` | Workflow step now resolves previous git tag as an output and calls protoLabsAI/release-tools@v1 action instead of executing the local script, wiring both current and previous versions, and updating environment variables from ANTHROPIC_API_KEY to GATEWAY_API_KEY and DISCORD_RELEASE_WEBHOOK. |
| Release procedure documentation: `docs/internal/dev/release.md` | Main release documentation now describes the @protolabsai/release-tools composite Action and npx CLI, with updated usage patterns for auto-detect tags, explicit versions, --dry-run, and Discord posting; model selection revised to use Action model input or CLI --model <alias>. |
| Versioning and self-hosting documentation: `docs/internal/dev/versioning.md`, `docs/self-hosting/ci-cd.md` | Documentation in versioning and self-hosting guides updated with npx @protolabsai/release-tools rewrite-release-notes CLI examples and descriptions of the centralized release-tools system. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • protoLabsAI/protoMaker#3556: Directly aligned migration removing scripts/rewrite-release-notes.mjs usage and updating .github/workflows/auto-release.yml to delegate release-notes rewriting and Discord posting to the shared @protolabsai/release-tools action.

Suggested reviewers

  • protoquinn

Poem

🐰 A toolbox shared across the land,
No more scripts tucked in hand,
Release notes now centralize,
The rabbit's toolkit modernize,
One action to rule them all so bright! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(release): use protoLabsAI/release-tools@v1 for release notes' accurately describes the main objective of the PR—replacing the local release notes script with the upstream release-tools action. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Code Review — ? finding(s)

Async review running parallel to CodeRabbit. Findings are advisory; not all are merge blockers.

protoLabs Code Review Report

  • Generated: 2026-05-24T00:41:20Z
  • Git head: 8ebf3cc0b3039093d65570d9e4aa226205067bd9
  • Features mapped: 3
  • Findings: 0

No findings recorded.

@protoquinn protoquinn Bot left a comment

Auto-approved by Quinn: safe PR class (dependabot/renovate/promote/chore(deps)) with passing CI.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
docs/self-hosting/ci-cd.md (2)

283-290: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update secrets table to reflect gateway credentials.

The secrets table lists ANTHROPIC_API_KEY, but the workflow now uses GATEWAY_API_KEY (line 111 in auto-release.yml). Additionally, DISCORD_DEV_WEBHOOK is mapped to DISCORD_RELEASE_WEBHOOK in the Action inputs.

📝 Proposed fix
 ## Secrets
 
-| Secret              | Purpose                                                                    |
-| ------------------- | -------------------------------------------------------------------------- |
-| `GITHUB_TOKEN`      | Auto-provided, used for releases                                           |
-| `GH_PAT`            | PAT for `auto-release.yml` tag push (enables downstream workflow triggers) |
-| `ANTHROPIC_API_KEY` | LLM release notes rewriting (Haiku 4.5)                                    |
+| Secret                  | Purpose                                                                    |
+| ----------------------- | -------------------------------------------------------------------------- |
+| `GITHUB_TOKEN`          | Auto-provided, used for releases                                           |
+| `GH_PAT`                | PAT for `auto-release.yml` tag push (enables downstream workflow triggers) |
+| `GATEWAY_API_KEY`       | LiteLLM gateway access for release notes rewriting and code review         |
+| `GATEWAY_BASE_URL`      | LiteLLM gateway base URL (optional, has default)                          |
+| `DISCORD_DEV_WEBHOOK`   | Discord webhook for release notes and dev notifications                    |
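Review bot: The new `DISCORD_DEV_WEBHOOK` row gives the repo secret's name but not the name the Action reads it under. The workflow passes it as `DISCORD_RELEASE_WEBHOOK`, so say that in the Purpose cell (for example "passed to the release-tools Action as `DISCORD_RELEASE_WEBHOOK`"); a reader searching the docs for either name then lands on this row. The `GATEWAY_BASE_URL` row is described as optional with a default; if the URL is not sensitive, note that it can be a repository variable rather than a secret.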
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/self-hosting/ci-cd.md` around lines 283 - 290, Update the Secrets table
to match the actual Action inputs: replace or add the `GATEWAY_API_KEY` entry
(used in auto-release.yml) instead of `ANTHROPIC_API_KEY`, and add/mirror the
webhook secret mapping by listing `DISCORD_DEV_WEBHOOK` →
`DISCORD_RELEASE_WEBHOOK` (or rename to `DISCORD_RELEASE_WEBHOOK`) so the docs
match the workflow's inputs referenced in `auto-release.yml` and the Action
input mapping.

203-237: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update requirements to reflect gateway-based authentication.

Line 237 lists ANTHROPIC_API_KEY as required, but the workflow at .github/workflows/auto-release.yml line 111 now uses GATEWAY_API_KEY to route through the LiteLLM gateway. The overview section should also mention that the centralized tool uses the gateway rather than direct Anthropic API access.

📝 Proposed fix
 ## Release Notes Rewriting
 
-An LLM-powered release notes rewriter transforms raw conventional commits into polished, user-facing release notes. Centralized in [`@protolabsai/release-tools`](https://github.com/protoLabsAI/release-tools) — exposed as both a composite GitHub Action (`protoLabsAI/release-tools@v1`) and an npm CLI (`npx `@protolabsai/release-tools` rewrite-release-notes`).
+An LLM-powered release notes rewriter transforms raw conventional commits into polished, user-facing release notes. Centralized in [`@protolabsai/release-tools`](https://github.com/protoLabsAI/release-tools) — exposed as both a composite GitHub Action (`protoLabsAI/release-tools@v1`) and an npm CLI (`npx `@protolabsai/release-tools` rewrite-release-notes`). The tool routes requests through the protoLabs LiteLLM gateway rather than calling Anthropic directly.
 
 ### How It Works
 
 1. Fetches commits between two git tags via `git log`
 2. Filters out merge, chore, and promote commits
-3. Sends the remaining commits to Claude (Haiku 4.5) with a system prompt enforcing brand voice
+3. Sends the remaining commits to the LiteLLM gateway (defaults to `protolabs/fast` model) with a system prompt enforcing brand voice
 4. Returns themed, grouped release notes in plain markdown
 5. Optionally posts to Discord `#dev` as an embed
 
 ### Requirements
 
-- `ANTHROPIC_API_KEY` — required for Claude API calls
+- `GATEWAY_API_KEY` — required for LiteLLM gateway access
+- `GATEWAY_BASE_URL` — optional, defaults to protoLabs gateway
 - Git tags must exist locally (`git fetch origin --tags` if needed)
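Review bot: In the Requirements list, `GATEWAY_BASE_URL` "defaults to protoLabs gateway" appears in the self-hosting guide without saying what that means for a self-hoster: per step 3, the commits between the two tags are sent to that gateway unless the variable is overridden. State the default explicitly and add a sentence telling self-hosted deployments to set `GATEWAY_BASE_URL` to their own gateway if commit text must not leave their infrastructure.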
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/self-hosting/ci-cd.md` around lines 203 - 237, Update the requirements
and overview to reflect gateway-based auth: replace the mention of
ANTHROPIC_API_KEY with GATEWAY_API_KEY and state that `@protolabsai/release-tools`
(the rewrite-release-notes CLI / protoLabsAI/release-tools GitHub Action) uses
the LiteLLM gateway for requests rather than direct Anthropic API access; also
add a short note referencing the workflow auto-release.yml (the "Rewrite and
post release notes to Discord" step) as using GATEWAY_API_KEY so readers know
which env var to set.
docs/internal/dev/release.md (3)

64-68: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update environment variables to match the workflow implementation.

The documentation lists ANTHROPIC_API_KEY as required, but the workflow at .github/workflows/auto-release.yml line 111 now uses GATEWAY_API_KEY. This inconsistency will confuse users trying to configure the release-tools manually.

📝 Proposed fix
 ### Environment Variables
 
-| Variable            | Required | Description                        |
-| ------------------- | -------- | ---------------------------------- |
-| `ANTHROPIC_API_KEY` | Yes      | Anthropic API key for Claude calls |
+| Variable           | Required | Description                                    |
+| ------------------ | -------- | ---------------------------------------------- |
+| `GATEWAY_API_KEY`  | Yes      | LiteLLM gateway API key for model calls        |
+| `GATEWAY_BASE_URL` | No       | Gateway base URL (defaults to protoLabs gateway) |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/internal/dev/release.md` around lines 64 - 68, The docs list
ANTHROPIC_API_KEY as required but the release workflow actually uses
GATEWAY_API_KEY; update the Environment Variables table in
docs/internal/dev/release.md to reflect the workflow by replacing or adding
GATEWAY_API_KEY as the required variable (and remove or mark ANTHROPIC_API_KEY
as optional/legacy), and ensure the Description clearly states it is the API key
used by the auto-release workflow (match the name used in
.github/workflows/auto-release.yml).

132-137: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update manual run instructions to use gateway credentials.

Line 136 instructs users to set ANTHROPIC_API_KEY for manual runs, but the centralized tool uses GATEWAY_API_KEY to route through the LiteLLM gateway.

📝 Proposed fix
 ### Enabling/Disabling
 
 - **Enabled by default**: Wired into `auto-release.yml` — runs on every push to `main`
-- **Requires**: `ANTHROPIC_API_KEY` (Claude API)
-- **Manual runs**: `npx `@protolabsai/release-tools` rewrite-release-notes` locally with `ANTHROPIC_API_KEY` set
+- **Requires**: `GATEWAY_API_KEY` (LiteLLM gateway access)
+- **Manual runs**: `npx `@protolabsai/release-tools` rewrite-release-notes` locally with `GATEWAY_API_KEY` and optionally `GATEWAY_BASE_URL` set
 - **Disable in CI**: Remove or comment out the "Rewrite and post release notes" step in `auto-release.yml`; the GitHub Release body still contains the raw auto-generated notes from `gh release create`
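Review bot: The "Manual runs" line invokes `npx @protolabsai/release-tools` with no version, so whatever is latest on the registry runs with `GATEWAY_API_KEY` in its environment. Suggest documenting a pinned form, `npx @protolabsai/release-tools@<version> rewrite-release-notes`, with `<version>` left as a placeholder to be filled from the release the workflow uses.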
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/internal/dev/release.md` around lines 132 - 137, Update the manual-run
instruction to tell users to set the gateway credential instead of the direct
Claude key: replace the reference to ANTHROPIC_API_KEY with GATEWAY_API_KEY in
the "Manual runs" bullet so it reads that running npx `@protolabsai/release-tools`
rewrite-release-notes should be executed locally with GATEWAY_API_KEY set (the
gateway will route to the Claude backend); keep the rest of the sentence intact
and ensure the note still clarifies this is for local/manual runs.

118-130: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update CI integration example to match the workflow implementation.

The CI integration example still references ANTHROPIC_API_KEY, but the actual workflow uses GATEWAY_API_KEY. Additionally, the example shows a run: script with npx, but the actual workflow (lines 106-112) uses the composite Action with uses:.

📝 Proposed fix to match auto-release.yml implementation
 ## CI Integration
 
 The `auto-release.yml` workflow calls the rewriter script as the final step after creating the GitHub Release. The step auto-detects the previous tag and passes both versions to the script:
 
 ```yaml
-- name: Rewrite and post release notes to Discord
-  run: |
-    VERSION="v${{ steps.version.outputs.version }}"
-    PREV_TAG=$(git tag --sort=-v:refname | grep -v "^${VERSION}$" | head -1)
-    npx `@protolabsai/release-tools` rewrite-release-notes "$VERSION" "$PREV_TAG" --post-discord
+- name: Resolve previous tag
+  id: prev
+  run: |
+    VERSION="v${{ steps.version.outputs.version }}"
+    PREV_TAG=$(git tag --sort=-v:refname | grep -v "^${VERSION}$" | head -1)
+    echo "tag=$PREV_TAG" >> $GITHUB_OUTPUT
+
+- name: Rewrite and post release notes to Discord
+  uses: protoLabsAI/release-tools@v1
+  with:
+    version: v${{ steps.version.outputs.version }}
+    previous-version: ${{ steps.prev.outputs.tag }}
   env:
-    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+    GATEWAY_API_KEY: ${{ secrets.GATEWAY_API_KEY }}
+    DISCORD_RELEASE_WEBHOOK: ${{ secrets.DISCORD_DEV_WEBHOOK }}
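Review bot: The example step uses `protoLabsAI/release-tools@v1`, a mutable tag, while handing that Action `GATEWAY_API_KEY` and the Discord webhook; the docs example should show the same SHA-pinned form this review asks for in `auto-release.yml`, with `# v1` as a trailing comment. In the "Resolve previous tag" step, also quote the redirect target (`>> "$GITHUB_OUTPUT"`) and decide what should happen when `PREV_TAG` is empty on a first release, since `previous-version` is then passed as an empty string.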
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @docs/internal/dev/release.md around lines 118 - 130, Update the CI example
in docs/internal/dev/release.md to match the actual workflow: replace the
run:npx block with a two-step sequence — first add a "Resolve previous tag" step
(id: prev) that sets VERSION="v${{ steps.version.outputs.version }}" and writes
PREV_TAG to GITHUB_OUTPUT as tag, then use the composite action "uses:
protoLabsAI/release-tools@v1" for the "Rewrite and post release notes to
Discord" step with inputs version: v${{ steps.version.outputs.version }} and
previous-version: ${{ steps.prev.outputs.tag }}; also replace the env secret
ANTHROPIC_API_KEY with GATEWAY_API_KEY and add DISCORD_RELEASE_WEBHOOK as shown.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 01c5a064-59ae-4942-a94e-c910d8800a6e

📥 Commits

Reviewing files that changed from the base of the PR and between 1d5a9e5 and cfc80a8.

📒 Files selected for processing (5)
  • .github/workflows/auto-release.yml
  • docs/internal/dev/release.md
  • docs/internal/dev/versioning.md
  • docs/self-hosting/ci-cd.md
  • scripts/rewrite-release-notes.mjs
💤 Files with no reviewable changes (1)
  • scripts/rewrite-release-notes.mjs

- name: Rewrite and post release notes to Discord
if: steps.version.outputs.already_tagged != 'true' && env.DISCORD_DEV_WEBHOOK != ''
continue-on-error: true
uses: protoLabsAI/release-tools@v1
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the commit SHA for the v1 tag of protoLabsAI/release-tools
gh api repos/protoLabsAI/release-tools/git/ref/tags/v1 --jq '.object.sha'

Repository: protoLabsAI/protoMaker

Length of output: 107


Pin protoLabsAI/release-tools@v1 to a commit SHA in .github/workflows/auto-release.yml.

uses: protoLabsAI/release-tools@v1 is a mutable tag; pinning to the tag’s current commit reduces supply-chain risk.

🔒 Proposed fix
-        uses: protoLabsAI/release-tools@v1
+        uses: protoLabsAI/release-tools@79261c2b99472596cd5452e9ec1fd5c9648c12a6  # v1
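Review bot: Before committing the `+` line, confirm that `79261c2b99472596cd5452e9ec1fd5c9648c12a6` is a commit SHA. The lookup shown above reads `.object.sha` from `git/ref/tags/v1`; for an annotated tag that field is the SHA of the tag object, not of the commit it points to, and the commit has to be obtained by dereferencing the tag. Keep the trailing `# v1` comment so the pinned revision stays readable.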
🧰 Tools
🪛 zizmor (1.25.2)

[error] 106-106: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-release.yml at line 106, The workflow is using the
mutable tag protoLabsAI/release-tools@v1 which is a supply-chain risk; update
the step that currently says "uses: protoLabsAI/release-tools@v1" to pin to the
exact commit SHA for that v1 release (e.g.,
protoLabsAI/release-tools@<commit-sha>). Find the v1 branch/tag in the
protoLabsAI/release-tools repository, copy the commit SHA for the intended v1
release, and replace the mutable tag with that SHA so the action is pinned to a
specific immutable revision.
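
An added example, not part of this PR, CodeRabbit or zizmor: a small Python check for the condition the comment above flags, a `uses:` reference that is not pinned to a full 40-character commit SHA. The workflow text is constructed for illustration; the `actions/checkout` step and the local `./.github/actions/setup` path are assumptions, while the two `release-tools` references are the before and after forms from this page.

```python
import re

# Captures the value of a `uses:` key (step- or job-level), stopping at
# whitespace, a quote, or the start of a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_uses(workflow_text):
    """Return (line_number, reference) for each `uses:` not pinned immutably."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned with the repository itself
        if ref.startswith("docker://"):
            # Container references are immutable only when given by digest.
            if "@sha256:" not in ref:
                findings.append((lineno, ref))
            continue
        _, sep, rev = ref.partition("@")
        # Tags, branches and abbreviated SHAs can all be moved or collide.
        if not sep or not FULL_SHA_RE.match(rev):
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow (not the project's actual auto-release.yml).
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - name: Rewrite and post release notes to Discord
        uses: protoLabsAI/release-tools@v1
      - name: Same step, pinned
        uses: protoLabsAI/release-tools@79261c2b99472596cd5452e9ec1fd5c9648c12a6  # v1
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference: {ref}")
```

The check only looks at the shape of the reference; it does not confirm that a 40-character value is a commit in the named repository.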

@mabry1985 mabry1985 merged commit 4123cb0 into main May 24, 2026
8 checks passed
@mabry1985 mabry1985 deleted the chore/release-notes-via-release-tools branch May 24, 2026 00:45