Switch to herald for releasing

[carbolymer]

Changelog

- description: |
    Switch to `herald` for releasing.
# uncomment types applicable to the change:
  type:
  # - feature        # introduces a new feature
  # - breaking       # the API has changed in a breaking way
  # - compatible     # the API has changed but is non-breaking
  # - optimisation   # measurable performance improvements
  # - refactoring    # QoL changes
  # - bugfix         # fixes a defect
  # - test           # fixes/modifies tests
  # - maintenance    # not directly related to the code
  # - release        # related to a new release preparation
  # - documentation  # change in code docs, haddocks...
# uncomment at least one main project this PR is associated with
  projects:
   - cardano-api
   - cardano-api-gen
   - cardano-rpc
   - cardano-wasm

Context

This PR makes cardano-api use herald for releasing. See PR introducing herald:

• Add herald: a release aid tool input-output-hk/cardano-dev#22

Checklist

• Commit sequence broadly makes sense and commits have useful messages
• New tests are added if needed and existing tests are updated. See Running tests for more details
• Self-reviewed the diff

To fix the problem, add an explicit permissions block that restricts the GITHUB_TOKEN to the least privileges required. In this workflow, the steps only need to read repository contents (for actions/checkout) and run tooling; they do not need to push, modify issues, or interact with other resources, so contents: read is sufficient as a minimal baseline.

The best fix with minimal functional impact is to add a workflow-level permissions block right after the name: (or before on:), e.g.:

permissions:
  contents: read

This applies to all jobs in the workflow that do not override permissions (there is only check-changelog here), and keeps behavior the same while documenting and constraining the token. No additional imports or methods are needed; this is a pure YAML configuration change within .github/workflows/check-pr-changelog.yml.

[Copilot]

Pull request overview

Switches the repository’s release and changelog workflow from the legacy cardano-updates/PR-body YAML approach to herald, with new CI enforcement and updated contributor/release documentation.

Changes:

• Added herald configuration and a .changes/ fragment template; updated PR template to require fragments.
• Introduced GitHub Actions workflows for running releases and validating changelog fragments.
• Simplified/updated RELEASING.md and removed the old .cardano-dev.yaml config.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
RELEASING.md	Replaces legacy release steps with a herald/GHA-driven release process.
.herald.yml	Adds repository-wide herald configuration (kinds + projects).
.github/workflows/release.yml	New manual “Release” workflow invoking the shared herald release action.
.github/workflows/haskell.yml	Removes the old tag-based “create GitHub release” job and leaves a pointer comment.
.github/workflows/check-pr-changelog.yml	Replaces PR-body YAML validation with herald fragment validation action.
.github/copilot-instructions.md	Adds reviewer guidance emphasizing breaking-change classification and fragments.
.github/PULL_REQUEST_TEMPLATE.md	Updates PR template to instruct creating .changes/ fragments.
.changes/_TEMPLATE.yml	Adds a changelog fragment template for contributors.
.cardano-dev.yaml	Removes legacy config used by the old changelog tooling.

[Copilot]

uses: ...@mgalazyn/release-tool and the with: version: github:.../mgalazyn/release-tool input both point at a mutable branch/ref. Pin these to an immutable tag/commit SHA to make CI deterministic and reduce supply-chain risk.

Suggested change

	- uses: input-output-hk/cardano-dev/herald/.github/actions/validate@mgalazyn/release-tool
	with:
	version: github:input-output-hk/cardano-dev/mgalazyn/release-tool
	- uses: input-output-hk/cardano-dev/herald/.github/actions/validate@0123456789abcdef0123456789abcdef01234567
	with:
	version: github:input-output-hk/cardano-dev/mgalazyn/release-tool?rev=0123456789abcdef0123456789abcdef01234567

[Copilot]

The comment says the tag-triggered release was moved to release.yml, but release.yml is workflow_dispatch (manual) and not triggered by tag pushes. Either update this comment to reflect the new behavior or add/keep a tag-triggered workflow if GitHub Releases should still be created automatically on tags.

Suggested change

	# Tag-triggered release moved to .github/workflows/release.yml
	# Release workflow is defined in .github/workflows/release.yml and is triggered manually (workflow_dispatch),
	# not automatically on tag pushes from this CI workflow.

[Copilot]

This PR updates the process to require .changes/ fragments (and adds CI validation for them), but the PR itself doesn’t add any non-template fragment under .changes/. Adding a fragment for this change (e.g., maintenance/release) helps ensure the new validation workflow is exercised and passes on this PR.

[Copilot]

The heading uses "Github"; project docs elsewhere use "GitHub". Consider renaming this to "GitHub Action"/"GitHub Actions" for correct branding and searchability.

Suggested change

	### Using Github Action
	### Using GitHub Action

[Copilot]

This backporting step links to ./RELEASING.md#version-bumping, but the "Version bumping" section was removed earlier in this PR, so the link is now broken. Update the text/link to point to the new herald-based version calculation (e.g., herald next) or reintroduce a short versioning section.

Suggested change

	1. Generate a new patch versions for each of the affected releases. New versions are typically calculated by incrementing the third digit of the latest release in each affected series (see the [Version bumping](./RELEASING.md#version-bumping) section for more information). By increasing the third or fourth digit, we ensure dependencies automatically pick up the fix.
	1. Generate new patch versions for each of the affected releases. New versions are typically calculated by incrementing the third digit of the latest release in each affected series; you can also use `herald next` to compute the next version from `.changes/` fragments. By increasing the third or fourth digit, we ensure dependencies automatically pick up the fix.

[Copilot]

The workflow passes base-branch: ${{ github.ref_name }}, but workflow_dispatch can be run from non-default branches. This can cause the release PR to target an arbitrary branch, contradicting RELEASING.md which says it opens against the default branch. Consider using the repository default branch (or restricting dispatch to the default branch) so behavior matches the documented process.

Suggested change

	base-branch: ${{ github.ref_name }}
	base-branch: ${{ github.event.repository.default_branch }}

[Copilot]

uses: ...@mgalazyn/release-tool and herald-ref: .../mgalazyn/release-tool reference a mutable branch. For supply-chain safety and reproducibility, pin GitHub Actions and Nix flake refs to an immutable tag or commit SHA (and update intentionally when needed).

Suggested change

	- uses: input-output-hk/cardano-dev/herald/.github/actions/release@mgalazyn/release-tool
	with:
	package: ${{ inputs.package }}
	version: ${{ inputs.version }}
	base-branch: ${{ github.ref_name }}
	herald-ref: github:input-output-hk/cardano-dev/mgalazyn/release-tool
	- uses: input-output-hk/cardano-dev/herald/.github/actions/release@0123456789abcdef0123456789abcdef01234567
	with:
	package: ${{ inputs.package }}
	version: ${{ inputs.version }}
	base-branch: ${{ github.ref_name }}
	herald-ref: github:input-output-hk/cardano-dev/0123456789abcdef0123456789abcdef01234567

[Copilot]

This job is skipped entirely for merge_group events. If you rely on GitHub merge queue, this means changelog fragments won’t be validated on the merge-group commit. Consider either running validation on merge_group too (if the action supports it) or removing the merge_group trigger to avoid a permanently-skipped required check.