@SamuelSSalazar

By submitting a PR to this repository, I agree to the terms within the Auth0 Code of Conduct.

Description

This PR implements an automated release process to replace manual npm publishing. It modernizes the release process with a fully automated process using semantic-release, GitHub Actions, and OIDC authentication.

Key Benefits

Automated Release Pipeline
  • Semantic versioning: Commit messages determine version bumps
  • Git tags and GitHub releases: Created for every version
Security-First Publishing
  • OIDC authentication: No npm tokens stored in repository secrets
  • SLSA provenance: Cryptographic proof of package origin
Developer Experience
  • Conventional commits: Commit format enforced locally via git hooks and in CI via workflow

Changes

  • Updated dependencies to include semantic-release, commitlint, and Husky packages
  • Added semantic-release configuration (.releaserc.json) to automate versioning and npm publishing
  • Added commitlint configuration (.commitlintrc.json) to enforce conventional commit format
  • Configured Husky pre-commit hook (.husky/commit-msg) for local commit message validation
  • Created GitHub Actions workflows:
    • prepare-release.yml - Computes next semantic version and creates release PR with changes to package.json and updated CHANGELOG.
    • release.yml - Publishes to npm using OIDC Auth and creates GitHub tag + release.
    • commitlint.yml - Validates commit messages on PRs
    • test.yml - Multi-NodeJS test matrix (Node 20, 22, 24)
  • Removed legacy CI configuration (.travis.yml)

Breaking Changes: None. This is an infrastructure change that doesn't affect the library's public API.

Links

Testing

  • Clone this branch

  • Test commit lint

    • Run npm install to install dependencies (triggers Husky setup)
    • Attempt to commit with invalid message: git commit -m "bad message" (should fail)
    • Attempt to commit with valid message: git commit -m "feat: test" (should succeed)
  • Fork repo. Merge this PR into master in fork, check executed actions.

    • Release PR should be created and upon merging Release action should trigger and fail with NPM error due to NPM trusted publisher mismatch.
  • This change adds test coverage for new/changed/fixed functionality

    • Note: This is infrastructure-only; existing test coverage remains unchanged

Post-Merge Testing Plan:

  • After merge to master, verify release workflow triggers automatically
  • Verify semantic-release analyzes commits and determines correct version bump
  • Verify package is published to npm with provenance
  • Verify CHANGELOG.md is automatically updated and committed
  • Verify GitHub release and git tag are created
  • Verify package.json and package-lock.json are updated with new version
  • Check that GitHub Actions (Test + Commitlint) are triggered on new PRs.

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

Additional Notes

  • Before merging, ensure that NPM Trusted Publisher is configured for this repository in npm package settings
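For readers who want to see what the OIDC + provenance publishing described above looks like in practice, here is an illustrative release workflow. It is an added example, not the PR's own release.yml; the branch name, Node version, environment name, plain `npm publish` step (rather than semantic-release's npm plugin) and the tag-creation step are assumptions.

```yaml
# Illustrative release workflow (example only, not the PR's release.yml).
# Assumes a public package and that npm Trusted Publishing is configured
# for this repository and this workflow file name.
name: Release

on:
  push:
    branches: [master]      # assumed: runs after the release PR is merged

# Least privilege: no NPM_TOKEN secret anywhere. id-token lets the job mint a
# short-lived OIDC token that npm exchanges for publish rights; contents:write
# is needed only to push the git tag and create the GitHub release.
permissions:
  contents: write
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release      # assumed: lets you gate publishing with reviewers
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so existing tags resolve

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted Publishing needs npm 11.5.1 or newer; older CLIs look for a
      # token instead and fail.
      - run: npm install -g npm@latest

      - run: npm ci

      # --provenance attaches a SLSA provenance attestation that records this
      # repo, commit and workflow as the package's origin. If the npm
      # trusted-publisher entry (owner/repo + workflow file name) does not match
      # this workflow, npm rejects the publish rather than falling back to a
      # secret, which is the mismatch failure the Testing section expects.
      - run: npm publish --provenance --access public

      - name: Tag and GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          version="v$(node -p "require('./package.json').version")"
          git tag "$version"
          git push origin "$version"
          gh release create "$version" --generate-notes
```

The check worth doing after the first successful run is that the published version on npm shows a provenance badge pointing at this repository and workflow, and that no long-lived npm token exists in the repository secrets.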
