From bafe1d62027d2e440cf1a18a6037f9b8a8de4520 Mon Sep 17 00:00:00 2001
From: Anurag Bandyopadhyay <angbpy@gmail.com>
Date: Mon, 30 Mar 2026 17:16:03 +0530
Subject: [PATCH 1/2] feat: release automation

---
 .../pr-title-conventional-commit.yml          |  20 ++++
 .github/workflows/release-please.yml          |  36 ++++++
 .release-please-manifest.json                 |   3 +
 RELEASE.md                                    | 103 ++++++++++++++++++
 internal/constants/constants.go               |   2 +-
 release-please-config.json                    |  27 +++++
 6 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/pr-title-conventional-commit.yml
 create mode 100644 .github/workflows/release-please.yml
 create mode 100644 .release-please-manifest.json
 create mode 100644 RELEASE.md
 create mode 100644 release-please-config.json

diff --git a/.github/workflows/pr-title-conventional-commit.yml b/.github/workflows/pr-title-conventional-commit.yml
new file mode 100644
index 0000000..c60175c
--- /dev/null
+++ b/.github/workflows/pr-title-conventional-commit.yml
@@ -0,0 +1,20 @@
+name: PR Title Conventional Commit Check
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, edited]
+    branches:
+      - main
+
+jobs:
+  validate-pr-title:
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - name: PR Conventional Commit Validation
+        uses: ytanikin/pr-conventional-commits@fda730cb152c05a849d6d84325e50c6182d9d1e9 # v1.5.1
+        with:
+          task_types: '["feat","fix","docs","test","refactor","ci","perf","chore","revert"]'
+          add_label: 'false'
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..00c6d53
--- /dev/null
+++ b/.github/workflows/release-please.yml
@@ -0,0 +1,36 @@
+name: release-please
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      bump-type:
+        description: >
+          Version bump type. Select 'explicit' to supply an exact version via
+          the 'release-version' field below. Select 'auto' to let
+          conventional-commits determine the bump automatically.
+        required: false
+        type: choice
+        default: 'auto'
+        options:
+          - auto
+          - patch
+          - minor
+          - major
+          - explicit
+      release-version:
+        description: >
+          Explicit version to release (e.g. 1.2.3 or 1.4.0-beta.1).
+        required: false
+        type: string
+
+jobs:
+  release:
+    uses: openfga/sdk-generator/.github/workflows/release-please.yml@main
+    with:
+      bump-type: ${{ inputs.bump-type || 'auto' }}
+      release-version: ${{ inputs.release-version || '' }}
+    secrets:
+      APP_ID: ${{ secrets.APP_ID }}
+      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..bd90516
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+  ".": "0.7.5"
+}
diff --git a/RELEASE.md b/RELEASE.md
new file mode 100644
index 0000000..d31b64c
--- /dev/null
+++ b/RELEASE.md
@@ -0,0 +1,103 @@
+# Release guide
+
+This project uses [release-please](https://github.com/googleapis/release-please) via a
+`workflow_dispatch`-triggered GitHub Actions workflow. This document explains how to cut
+a release and what to watch out for.
+
+---
+
+## Versioning rules for this project
+
+We are pre-1.0.0. Semver conventions are relaxed:
+
+| Change type      | Bump                  | Example             |
+|---               |---                    |---                  |
+| Breaking change  | **Minor** (`0.x.0`)   | `0.7.0` → `0.8.0`  |
+| Everything else  | **Patch** (`0.0.x`)   | `0.7.5` → `0.7.6`  |
+
+Major bumps (`1.0.0`) are reserved for a deliberate stable-API graduation decision — not for
+routine breaking changes.
+
+---
+
+## Cutting a release
+
+1. Go to **Actions → release-please** and click **Run workflow**.
+2. Choose a bump type:
+   - `patch` — bugfixes, docs, small changes
+   - `minor` — breaking changes (see above)
+   - `explicit` — you specify the exact version string (e.g. `0.8.0` or `0.8.0-beta.1`)
+3. The workflow creates a release PR. Review it, then merge.
+4. The GitHub Release and tag are created automatically on merge.
+
+> **Note — release-please only understands `auto` or an explicit version string.**
+> The `patch`, `minor`, and `major` options in the workflow dropdown are conveniences
+> implemented in the workflow. The workflow reads the current manifest version, computes
+> the next version (e.g. `0.7.5` + patch = `0.7.6`), and passes that computed string
+> to release-please as an explicit `Release-As:` commit — exactly the same as choosing
+> `explicit` and typing it yourself. There is no native patch/minor/major mode in
+> release-please. This is why `explicit` is always the safest option when in doubt —
+> you are just skipping the arithmetic step.
+
+---
+
+## When to use `explicit`
+
+Use `explicit` and type the version yourself in any of these situations:
+
+**After a beta or non-conventional tag.**
+If the previous release was something like `0.7.5-beta.1`, release-please tracks the
+base semver (`0.7.5`) but cannot reliably decide whether the next release should be
+`0.7.5`, `0.7.6`, or `0.8.0`. It will often guess wrong.
+
+The rule of thumb: **if the last tag had a pre-release suffix, always use `explicit` for
+the next release.**
+
+**After a manually created tag.**
+Any tag created outside of the release-please workflow (e.g. hotfixes, manual git tags)
+is invisible to release-please's version logic. Use `explicit` to anchor the next version
+correctly.
+
+**When you want a beta.**
+Release-please does not increment pre-release suffixes automatically. Use `explicit` for
+every beta, incrementing the suffix manually:
+```
+0.8.0-beta.1  →  explicit: 0.8.0-beta.2  →  explicit: 0.8.0
+```
+
+---
+
+## What goes in the changelog
+
+Commit messages must follow [Conventional Commits](https://www.conventionalcommits.org/)
+for release-please to group them correctly:
+
+```
+feat: add support for batch check          → Added
+fix: correct retry logic for transient errors  → Fixed
+docs: update API reference                 → Documentation
+perf: cache DNS lookups                    → Changed
+refactor: extract auth helper              → (hidden)
+chore: bump dependencies                   → (hidden)
+```
+
+---
+
+## Troubleshooting
+
+**"Invalid previous_tag parameter" error.**
+The manifest version does not have a corresponding GitHub Release object. Reset the
+manifest to the last valid tag:
+```bash
+echo '{ ".": "0.x.y" }' > .release-please-manifest.json
+git commit -am "chore: reset manifest to v0.x.y"
+git push origin main
+```
+
+**Duplicate release PRs.**
+Close all stale ones. The workflow auto-closes stale open PRs on each dispatch, but
+merged duplicates need manual labelling with `autorelease: tagged`.
+
+**Changelog shows everything ungrouped.**
+Make sure `changelog-type` in `release-please-config.json` is set to `"default"`, not
+`"github"`.
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index d562faa..53449b4 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -14,7 +14,7 @@ package constants
 
 const (
 	// SdkVersion is the version of the OpenFGA Go SDK.
-	SdkVersion = "0.7.5"
+	SdkVersion = "0.7.5" // x-release-please-version
 
 	// UserAgent is the user agent used in HTTP requests.
 	UserAgent = "openfga-sdk go/0.7.5"
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..6b02d32
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,27 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "release-type": "go",
+  "packages": {
+    ".": {
+      "include-component-in-tag": false,
+      "changelog-path": "CHANGELOG.md",
+      "changelog-type": "default",
+      "bump-minor-pre-major": true,
+      "bump-patch-for-minor-pre-major": true,
+      "changelog-sections": [
+        { "type": "feat",     "section": "Added",         "hidden": false },
+        { "type": "fix",      "section": "Fixed",         "hidden": false },
+        { "type": "perf",     "section": "Changed",       "hidden": false },
+        { "type": "refactor", "section": "Changed",       "hidden": false },
+        { "type": "revert",   "section": "Removed",       "hidden": false },
+        { "type": "docs",     "section": "Documentation", "hidden": false },
+        { "type": "test",     "section": "Tests",         "hidden": true  },
+        { "type": "ci",       "section": "CI",            "hidden": true  },
+        { "type": "chore",    "section": "Miscellaneous", "hidden": true  }
+      ],
+      "extra-files": [
+        { "type": "generic", "path": "internal/constants/constants.go" }
+      ]
+    }
+  }
+}

From bde90a13ff60aa2ce08a9a2a3ab99f99c445af1f Mon Sep 17 00:00:00 2001
From: Anurag Bandyopadhyay <angbpy@gmail.com>
Date: Thu, 2 Apr 2026 11:59:01 +0530
Subject: [PATCH 2/2] feat: add top level perm block

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/release-please.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 00c6d53..cb6b8ef 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -1,5 +1,9 @@
 name: release-please
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
   push:
     branches: [main]