ci: add conventional commits and improve release process (#49)

* ci: add conventional commits enforcement

      - Add commitlint with husky git hooks for local validation
      - Add GitHub Action to lint commits on PRs
      - Add GitHub Action to enforce conventional PR titles
      - Configure allowed types: feat, fix, docs, style, refactor, etc.
      - Configure optional scopes: cli, docker, squid, proxy, ci, deps

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>

* chore: add eslint configuration and fix linting errors

- Add .eslintrc.js with TypeScript support
- Fix unnecessary escape character in regex
- Fix no-prototype-builtins error with Object.prototype.hasOwnProperty.call
- Add eslint-disable comments for intentionally unused code
- Remove unused imports

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* ci: improve release notes generation with template system

- Add release.yml config for GitHub auto-generated release notes
- Add RELEASE_TEMPLATE.md with customizable release notes format
- Add generate-release-notes.js script for safe template substitution
- Auto-generate changelog from GitHub API with git log fallback
- Include CLI help output in release notes
- Support placeholder substitution for version, repository, etc.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: add lint to pre-commit hook

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Signed-off-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
Co-authored-by: Claude <noreply@anthropic.com>

Author: Mossaka

.eslintrc.js

@@ -0,0 +1,21 @@
+module.exports = {
+  parser: '@typescript-eslint/parser',
+  plugins: ['@typescript-eslint'],
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/recommended',
+  ],
+  env: {
+    node: true,
+    es2020: true,
+  },
+  parserOptions: {
+    ecmaVersion: 2020,
+    sourceType: 'module',
+  },
+  rules: {
+    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+    '@typescript-eslint/no-explicit-any': 'warn',
+  },
+  ignorePatterns: ['dist/', 'node_modules/'],
+};

.github/release.yml

@@ -0,0 +1,32 @@
+# Configuration for GitHub's auto-generated release notes
+# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
+
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+      - dependencies
+    authors:
+      - dependabot
+      - dependabot[bot]
+  categories:
+    - title: "Breaking Changes"
+      labels:
+        - breaking-change
+        - breaking
+    - title: "New Features"
+      labels:
+        - feature
+        - enhancement
+    - title: "Bug Fixes"
+      labels:
+        - bug
+        - bugfix
+        - fix
+    - title: "Documentation"
+      labels:
+        - documentation
+        - docs
+    - title: "Other Changes"
+      labels:
+        - "*"

.github/workflows/commitlint.yml

@@ -0,0 +1,24 @@
+name: Lint Commits
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint commits
+        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose

.github/workflows/pr-title.yml

@@ -0,0 +1,42 @@
+name: PR Title Check
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  pr-title:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which types are allowed
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          # Require lowercase subject
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: |
+            The subject "{subject}" must start with a lowercase letter.
+          # Don't require a scope
+          requireScope: false
+          # Scopes that are allowed (if scope is provided)
+          scopes: |
+            cli
+            docker
+            squid
+            proxy
+            ci
+            deps

.github/workflows/release.yml

@@ -106,57 +106,109 @@ jobs:
           cd release
           sha256sum * > checksums.txt
 
-      - name: Create Release Notes
-        id: release_notes
+      - name: Get previous release tag
+        id: previous_tag
         run: |
-          cat > release_notes.md << 'EOF'
-          ## Installation
+          set -euo pipefail
+          CURRENT_TAG="${{ steps.version_early.outputs.version }}"
 
-          ### Binary Installation (Recommended)
+          # Use git tags directly (more reliable than gh release list)
+          # Get the most recent tag that is not the current tag
+          PREVIOUS_TAG=$(git tag --sort=-version:refname | grep -v "^${CURRENT_TAG}$" | head -n1 || echo "")
 
-          **Linux (x64):**
-          ```bash
-          curl -L https://github.com/${{ github.repository }}/releases/download/${{ steps.version_early.outputs.version }}/awf-linux-x64 -o awf
-          chmod +x awf
-          sudo mv awf /usr/local/bin/
-          ```
+          echo "previous_tag=$PREVIOUS_TAG" >> $GITHUB_OUTPUT
+          echo "Previous tag: $PREVIOUS_TAG (current: $CURRENT_TAG)"
+
+      - name: Generate changelog from commits
+        id: changelog
+        run: |
+          set -euo pipefail
+          CURRENT_TAG="${{ steps.version_early.outputs.version }}"
+          PREVIOUS_TAG="${{ steps.previous_tag.outputs.previous_tag }}"
+
+          echo "Generating changelog from $PREVIOUS_TAG to $CURRENT_TAG"
+
+          # Generate changelog using GitHub's API
+          if [ -n "$PREVIOUS_TAG" ]; then
+            CHANGELOG=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+              -f tag_name="$CURRENT_TAG" \
+              -f previous_tag_name="$PREVIOUS_TAG" \
+              --jq '.body' 2>/dev/null || echo "")
+          else
+            # First release - try API without previous tag
+            CHANGELOG=$(gh api repos/${{ github.repository }}/releases/generate-notes \
+              -f tag_name="$CURRENT_TAG" \
+              --jq '.body' 2>/dev/null || echo "")
+          fi
 
-          ### NPM Installation (Alternative)
+          # If API call failed, fall back to git log
+          if [ -z "$CHANGELOG" ]; then
+            echo "GitHub API failed, falling back to git log"
+            if [ -n "$PREVIOUS_TAG" ]; then
+              CHANGELOG=$(git log --oneline --pretty=format:"* %s (%h)" "$PREVIOUS_TAG..HEAD" 2>/dev/null || echo "* Initial release")
+            else
+              # First release - get all commits (no arbitrary limit)
+              CHANGELOG=$(git log --oneline --pretty=format:"* %s (%h)" 2>/dev/null || echo "* Initial release")
+            fi
+          fi
 
-          ```bash
-          # Install from tarball
-          npm install -g https://github.com/${{ github.repository }}/releases/download/${{ steps.version_early.outputs.version }}/awf.tgz
-          ```
+          # Write changelog to file for multiline handling
+          echo "$CHANGELOG" > changelog_body.md
 
-          ### Requirements
+          # Validate changelog was generated
+          if [ ! -s changelog_body.md ]; then
+            echo "Error: Changelog generation failed or produced empty output"
+            exit 1
+          fi
 
-          - Docker and Docker Compose must be installed
-          - For iptables manipulation, run with sudo: `sudo awf ...`
-          - Container images will be pulled automatically from GHCR on first run
+          echo "Changelog generated successfully ($(wc -l < changelog_body.md) lines)"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-          ## Verification
+      - name: Generate CLI help output
+        id: cli_help
+        run: |
+          set -euo pipefail
 
-          Verify checksums after download:
-          ```bash
-          sha256sum -c checksums.txt
-          ```
+          # Generate CLI help from the built binary
+          node dist/cli.js --help > cli_help.txt
 
-          ## Usage
+          # Validate CLI help was generated
+          if [ ! -s cli_help.txt ]; then
+            echo "Error: CLI help generation failed or produced empty output"
+            exit 1
+          fi
 
-          ```bash
-          sudo awf --allow-domains github.com,api.github.com 'curl https://api.github.com'
-          ```
+          echo "CLI help generated ($(wc -l < cli_help.txt) lines):"
+          cat cli_help.txt
 
-          See [README.md](https://github.com/${{ github.repository }}/blob/${{ steps.version_early.outputs.version }}/README.md) for full documentation.
+      - name: Create Release Notes
+        id: release_notes
+        env:
+          VERSION: ${{ steps.version_early.outputs.version }}
+          VERSION_NUMBER: ${{ steps.version_early.outputs.version_number }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+
+          # Use Node.js script for safe template substitution
+          # (avoids shell injection issues with special characters)
+          node scripts/generate-release-notes.js \
+            changelog_body.md \
+            cli_help.txt \
+            release_notes.md
+
+          # Validate output was generated
+          if [ ! -s release_notes.md ]; then
+            echo "Error: Release notes generation failed"
+            exit 1
+          fi
 
-          ## Container Images
+          # Cleanup temp files
+          rm -f changelog_body.md cli_help.txt
 
-          Published to GitHub Container Registry:
-          - `ghcr.io/${{ github.repository }}/squid:${{ steps.version_early.outputs.version_number }}`
-          - `ghcr.io/${{ github.repository }}/copilot:${{ steps.version_early.outputs.version_number }}`
-          - `ghcr.io/${{ github.repository }}/squid:latest`
-          - `ghcr.io/${{ github.repository }}/copilot:latest`
-          EOF
+          echo "Release notes preview (first 20 lines):"
+          head -20 release_notes.md
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v1

.husky/commit-msg

@@ -0,0 +1 @@
+npx --no -- commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1 @@
+npm run lint && npm run build

commitlint.config.js

@@ -0,0 +1,13 @@
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    // Enforce lowercase for type
+    'type-case': [2, 'always', 'lower-case'],
+    // Enforce lowercase for subject
+    'subject-case': [2, 'always', 'lower-case'],
+    // No period at end of subject
+    'subject-full-stop': [2, 'never', '.'],
+    // Max 72 chars for subject (git best practice)
+    'header-max-length': [2, 'always', 72],
+  },
+};

docs/RELEASE_TEMPLATE.md

@@ -0,0 +1,87 @@
+# Release Notes Template
+
+This file is used to generate release notes automatically during the release workflow.
+Edit this file to change the format of release notes for all future releases.
+
+## Available Placeholders
+
+| Placeholder | Description | Example |
+|-------------|-------------|---------|
+| `{{CHANGELOG}}` | Auto-generated changelog from GitHub API or git log | PR list or commit list |
+| `{{CLI_HELP}}` | Output of `awf --help` command | CLI usage and options |
+| `{{REPOSITORY}}` | GitHub repository path | `githubnext/gh-aw-firewall` |
+| `{{VERSION}}` | Full version tag with 'v' prefix | `v0.3.0` |
+| `{{VERSION_NUMBER}}` | Version number without 'v' prefix | `0.3.0` |
+
+## Template Content
+
+Everything below the `---` separator becomes the release notes.
+
+---
+
+## What's Changed
+
+{{CHANGELOG}}
+
+## CLI Options
+
+```
+{{CLI_HELP}}
+```
+
+## Installation
+
+### Binary Installation (Recommended)
+
+**Linux (x64):**
+```bash
+curl -L https://github.com/{{REPOSITORY}}/releases/download/{{VERSION}}/awf-linux-x64 -o awf
+chmod +x awf
+sudo mv awf /usr/local/bin/
+```
+
+### NPM Installation (Alternative)
+
+```bash
+# Install from tarball
+npm install -g https://github.com/{{REPOSITORY}}/releases/download/{{VERSION}}/awf.tgz
+```
+
+### Requirements
+
+- Docker and Docker Compose must be installed
+- For iptables manipulation, run with sudo: `sudo awf ...`
+- Container images will be pulled automatically from GHCR on first run
+
+## Verification
+
+Verify checksums after download:
+```bash
+sha256sum -c checksums.txt
+```
+
+## Quick Start
+
+```bash
+# Basic usage with domain whitelist
+sudo awf --allow-domains github.com,api.github.com -- curl https://api.github.com
+
+# Pass environment variables
+sudo awf --allow-domains api.github.com -e GITHUB_TOKEN=xxx -- gh api /user
+
+# Mount additional volumes
+sudo awf --allow-domains github.com -v /my/data:/data:ro -- cat /data/file.txt
+
+# Set working directory in container
+sudo awf --allow-domains github.com --container-workdir /workspace -- pwd
+```
+
+See [README.md](https://github.com/{{REPOSITORY}}/blob/{{VERSION}}/README.md) for full documentation.
+
+## Container Images
+
+Published to GitHub Container Registry:
+- `ghcr.io/{{REPOSITORY}}/squid:{{VERSION_NUMBER}}`
+- `ghcr.io/{{REPOSITORY}}/copilot:{{VERSION_NUMBER}}`
+- `ghcr.io/{{REPOSITORY}}/squid:latest`
+- `ghcr.io/{{REPOSITORY}}/copilot:latest`