YPE-2486: harden and document the release procedure

[Kyleasmth]

Ports the release-hardening work from YPE-2486 to the React SDK.

What's here

• RELEASE-RUNBOOK.md — 10 npm/Changesets failure modes with state-check + recovery commands.
• docs/release-hardening-plan.md — engineering plan; records the keep-Changesets decision and per-AC status.
• Commit-lint (AC6) — CI workflow anchored at the origin/main tip, husky commit-msg hook, and config (allows the YPE-#### prefix, ignores the release commit). Ported from the Kotlin SDK.
• PUBLISHING.md — cross-links the runbook.

Greptile Summary

This PR adds release-hardening documentation and commit message linting. The main changes are:

• A new release runbook with npm and Changesets recovery steps.
• A release-hardening plan documenting the Changesets-based approach.
• A Commitlint GitHub Actions workflow and Husky commit-msg hook.
• Commitlint dependencies and publishing guide cross-links.

Confidence Score: 4/5

The release documentation is low risk, but the new commit message linting path needs Node runtime alignment before the check is safe to rely on.

The changed files are focused and the main behavior change is isolated to commitlint CI and Husky setup. The remaining concern is a concrete toolchain compatibility mismatch that can block contributors or checks using the advertised runtime.

.github/workflows/commitlint.yml and package.json need the Node version support and commitlint dependency requirements brought into agreement.

T-Rex Logs

What T-Rex did

• Ran a workflow-equivalent test on Node 20.9.0 with Corepack pnpm 9.0.0, confirmed the workflow uses Node 20 while the locked commitlint requires Node >=22.12.0, and observed the install completed with exit code 0 and commitlint --version printed @commitlint/cli@21.1.0.
• Ran a Node 20.9.0 reproduction harness that installs from the lockfile and exercises the Husky-equivalent commitlint path against a generated commit message file, and observed that an engine-strict install fails on the locked @commitlint/cli@21.1.0 requiring Node >=22.12.0, while the project advertises Node >=20.0.0.
• Compared the base-tree (before) and head-tree (after) images to document changes, noting that the head evidence used Node 22.12.0 to bypass the existing Node 20 / commitlint compatibility issue.

_{Ran code and verified through T-Rex}

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
.github/workflows/commitlint.yml:21-25
**Use compatible Node**

This workflow installs `@commitlint/cli@21.1.0`, whose locked package metadata requires Node `>=22.12.0`, but the job runs on Node 20. When a pull request runs this new check, dependency install or `pnpm exec commitlint` can fail before any commit message is linted, blocking every PR. The release workflow already uses Node 24, so this check should use a compatible Node version too.

### Issue 2 of 2
package.json:39-40
**Align local Node support**

The repo still advertises Node `>=20.0.0`, but the new Husky `commit-msg` hook runs `pnpm exec commitlint`, and the locked `@commitlint/*@21.1.0` packages require Node `>=22.12.0`. A contributor using an allowed Node 20 runtime can hit a failing commit hook on every commit. Either the engine range should be raised with the CI runtime, or these commitlint dependencies should be pinned to a Node-20-compatible major.

_{Reviews (1): Last reviewed commit: "YPE-2486: chore: add release runbook, ha..." | Re-trigger Greptile}

Greptile also left 2 inline comments on this PR.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4f4d343

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[greptile-apps]

Use compatible Node

This workflow installs @commitlint/cli@21.1.0, whose locked package metadata requires Node >=22.12.0, but the job runs on Node 20. When a pull request runs this new check, dependency install or pnpm exec commitlint can fail before any commit message is linted, blocking every PR. The release workflow already uses Node 24, so this check should use a compatible Node version too.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/commitlint.yml
Line: 21-25

Comment:
**Use compatible Node**

This workflow installs `@commitlint/cli@21.1.0`, whose locked package metadata requires Node `>=22.12.0`, but the job runs on Node 20. When a pull request runs this new check, dependency install or `pnpm exec commitlint` can fail before any commit message is linted, blocking every PR. The release workflow already uses Node 24, so this check should use a compatible Node version too.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Align local Node support

The repo still advertises Node >=20.0.0, but the new Husky commit-msg hook runs pnpm exec commitlint, and the locked @commitlint/*@21.1.0 packages require Node >=22.12.0. A contributor using an allowed Node 20 runtime can hit a failing commit hook on every commit. Either the engine range should be raised with the CI runtime, or these commitlint dependencies should be pinned to a Node-20-compatible major.

Artifacts

Repro: Node 20 commitlint hook reproduction harness

• Contains supporting evidence from the run (text/x-shellscript; charset=utf-8).

Repro: generated commit message file used by commitlint

• Contains supporting evidence from the run (text/plain; charset=utf-8).

Repro: Node 20 install and Husky-equivalent commitlint command output

• Keeps the command output available without making the summary code-heavy.

Repro: Node 20 engine-strict install failure showing @commitlint requires Node >=22.12.0

• Keeps the command output available without making the summary code-heavy.

_{Ran code and verified through T-Rex}

Prompt To Fix With AI

This is a comment left during a code review.
Path: package.json
Line: 39-40

Comment:
**Align local Node support**

The repo still advertises Node `>=20.0.0`, but the new Husky `commit-msg` hook runs `pnpm exec commitlint`, and the locked `@commitlint/*@21.1.0` packages require Node `>=22.12.0`. A contributor using an allowed Node 20 runtime can hit a failing commit hook on every commit. Either the engine range should be raised with the CI runtime, or these commitlint dependencies should be pinned to a Node-20-compatible major.

How can I resolve this? If you propose a fix, please make it concise.