Release tooling: full TabPFN-pattern pipeline + Towncrier

Ports TabPFN's complete release stack to tabpfn-extensions:

- release-create-pr.yml: workflow_dispatch -> opens release/v* PR with
  version bump and Towncrier-assembled CHANGELOG.
- release-tag-on-merge.yml: merge of release/v* -> auto-tags merge
  commit, triggering release-publish.yml.
- release-publish.yml: tag push -> build, TestPyPI publish + install
  verify, gated PyPI publish (manual approval at `pypi` env), auto
  GitHub Release with notes extracted from CHANGELOG.
- check-changelog.yml: enforces every PR adds a changelog fragment via
  scientific-python/action-towncrier-changelog.
- pull_request.yml: adds a build_verify job that runs `uv build` and
  `twine check` so packaging regressions fail PR CI.
- pyproject.toml: adds [tool.towncrier] with 5 categories matching
  TabPFN (breaking, added, changed, fixed, deprecated).
- CHANGELOG.md: drops the empty Added/Changed subsections under
  [Unreleased] (Towncrier inserts the new release section directly
  after the Unreleased heading at release time).
- changelog/README.md: contributor docs for the per-PR fragment
  convention.

Trusted Publishing replaces all API tokens. No secrets are required for
publish steps. The tag-on-merge step uses RELEASE_BOT_TOKEN (a fine
scoped PAT) because the default GITHUB_TOKEN can't push tags that
trigger another workflow.

Author: adrian-prior

.github/workflows/check-changelog.yml

@@ -0,0 +1,47 @@
+name: Check Changelog
+
+on:
+  pull_request:
+    types: [opened, synchronize, labeled, unlabeled]
+  merge_group:
+
+jobs:
+  check:
+    name: Changelog entry
+    if: >-
+      github.event_name == 'pull_request' &&
+      github.actor != 'dependabot[bot]' &&
+      !startsWith(github.head_ref, 'release/v')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Check changelog entry
+        id: changelog_check
+        uses: scientific-python/action-towncrier-changelog@v2.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BOT_USERNAME: changelog-bot
+
+      - name: Show instructions on failure
+        if: failure() && steps.changelog_check.outcome == 'failure'
+        run: |
+          cat << EOF
+
+          ─────────────────────────────────────────────────────────────
+          Missing changelog entry!
+
+          Add a file: changelog/${{ github.event.pull_request.number }}.<category>.md
+          Categories: breaking, added, changed, fixed, deprecated
+
+          Example:
+            towncrier create ${{ github.event.pull_request.number }}.added.md --content "Your change description"
+
+          Or request the "no changelog needed" label from a maintainer.
+          See changelog/README.md for details.
+          ─────────────────────────────────────────────────────────────
+
+          EOF
+          exit 1

.github/workflows/pull_request.yml

@@ -137,3 +137,23 @@ jobs:
           path: ${{ github.workspace }}/model_cache
           key: model-cache-${{ hashFiles('model_cache/**') }}
           enableCrossOsArchive: true
+
+  build_verify:
+    name: Build wheel + sdist
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+      - name: Build sdist + wheel
+        run: uv build
+
+      - name: Check artifacts
+        run: uvx twine check dist/*

.github/workflows/release-create-pr.yml

@@ -0,0 +1,111 @@
+name: Create Release PR
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to release (e.g. 0.3.1)"
+        required: true
+      base_ref:
+        description: "Commit SHA to release from"
+        required: true
+      base_branch:
+        description: "Branch to open the PR against"
+        required: false
+        default: "main"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release_pr:
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - name: Guard base_ref, must be a full 40-char commit SHA
+        run: |
+          echo "${{ inputs.base_ref }}" | grep -Eq '^[0-9a-f]{40}$' || {
+              echo "base_ref must be a full 40-char commit SHA (got: ${{ inputs.base_ref }})"
+              exit 1
+          }
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+      - name: Install Towncrier
+        run: uv pip install --system towncrier
+
+      - name: Set variables
+        run: |
+          echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
+          echo "BASE_REF=${{ inputs.base_ref }}" >> $GITHUB_ENV
+          echo "BASE_BRANCH=${{ inputs.base_branch }}" >> $GITHUB_ENV
+          echo "RELEASE_BRANCH=release/v${{ inputs.version }}" >> $GITHUB_ENV
+
+      - name: Create release branch from base ref
+        run: |
+          git fetch --all --tags
+          git checkout --detach "${BASE_REF}"
+          git checkout -b "${RELEASE_BRANCH}"
+
+      - name: Bump version in pyproject.toml
+        run: |
+          python - <<'PY'
+          import os
+          import re
+          from pathlib import Path
+
+          version = os.environ["VERSION"]
+          p = Path("pyproject.toml")
+          s = p.read_text(encoding="utf-8")
+
+          pat = r'(?ms)(^\[project\]\s*\n.*?^\s*version\s*=\s*")([^"]+)(")'
+          m = re.search(pat, s)
+          if not m:
+            raise SystemExit("Could not find [project].version in pyproject.toml")
+
+          out = s[:m.start(2)] + version + s[m.end(2):]
+          p.write_text(out, encoding="utf-8")
+          print("Bumped [project].version to", version)
+          PY
+
+      - name: Towncrier build (updates CHANGELOG.md, deletes fragments)
+        run: towncrier build --version "${VERSION}" --yes
+
+      - name: Commit release changes
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git add pyproject.toml CHANGELOG.md changelog || true
+
+          if git diff --cached --quiet; then
+            echo "No changes staged. Are there changelog fragments to release?"
+            exit 1
+          fi
+
+          git commit -m "Release v${VERSION}"
+
+      - name: Push branch
+        run: git push --set-upstream origin "${RELEASE_BRANCH}"
+
+      - name: Create Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create \
+          --base "${BASE_BRANCH}" \
+          --head "${RELEASE_BRANCH}" \
+          --title "Release v${VERSION}" \
+          --body "Automated release PR for v${VERSION}."

.github/workflows/release-publish.yml

@@ -0,0 +1,191 @@
+name: Release to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: release
+    outputs:
+      version: ${{ steps.ver.outputs.version }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Extract version from tag
+        id: ver
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Verify tag matches pyproject.toml version
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          python - <<'PY'
+          import os, re
+          from pathlib import Path
+
+          v_tag = os.environ["VERSION"]
+          s = Path("pyproject.toml").read_text(encoding="utf-8")
+          m = re.search(r'(?ms)^\[project\]\s*\n.*?^\s*version\s*=\s*"([^"]+)"', s)
+          if not m:
+              raise SystemExit("Could not find [project].version in pyproject.toml")
+          v_file = m.group(1).strip()
+          if v_tag != v_file:
+              raise SystemExit(f"Version mismatch: tag={v_tag} pyproject={v_file}")
+          print("OK: tag matches pyproject version:", v_tag)
+          PY
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+
+      - name: Install build tool
+        run: uv tool install build
+
+      - name: Clean previous builds
+        run: git clean -xfd dist build *.egg-info || true
+
+      - name: Build package
+        run: uv tool run --from build pyproject-build
+
+      - name: Extract release notes from CHANGELOG.md
+        env:
+          VERSION: ${{ env.VERSION }}
+        run: |
+          python - <<'PY'
+          import os, re, pathlib
+
+          v = os.environ["VERSION"]
+          text = pathlib.Path("CHANGELOG.md").read_text(encoding="utf-8")
+
+          # Matches: ## [X.Y.Z] - YYYY-MM-DD
+          pat = rf"(?ms)^##\s+\[{re.escape(v)}\]\s+-\s+\d{{4}}-\d{{2}}-\d{{2}}\s*\n(.*?)(?=^##\s+\[|\Z)"
+          m = re.search(pat, text)
+          if not m:
+              raise SystemExit(f"Could not find Towncrier section for version {v} in CHANGELOG.md")
+
+          notes = m.group(1).strip() + "\n"
+          pathlib.Path("release_notes.md").write_text(notes, encoding="utf-8")
+          print("Wrote to release_notes.md")
+          PY
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+      - name: Upload release notes
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: release_notes
+          path: release_notes.md
+          retention-days: 7
+
+  publish-testpypi:
+    needs: build
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref_name, 'v')
+    environment:
+      name: testpypi
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d # v1.14.0
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          print-hash: true
+          skip-existing: true
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          enable-cache: true
+
+      - name: Wait for TestPyPI propagation
+        run: |
+          echo "⏳ Waiting for package to be available on TestPyPI..."
+          sleep 30
+
+      - name: Test installation from TestPyPI
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          echo "🧪 Testing installation of tabpfn-extensions==${VERSION} from TestPyPI..."
+
+          TEST_DIR=$(mktemp -d)
+          cd "$TEST_DIR"
+
+          uv venv
+          source .venv/bin/activate
+
+          uv pip install \
+            --index-url https://test.pypi.org/simple/ \
+            --extra-index-url https://pypi.org/simple/ \
+            --index-strategy unsafe-best-match \
+            tabpfn-extensions==${VERSION}
+
+          python -c "import tabpfn_extensions; print('imported tabpfn_extensions OK, version:', tabpfn_extensions.__version__)"
+
+          echo "✅ Installation test completed."
+
+  publish-pypi:
+    needs: [build, publish-testpypi]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref_name, 'v')
+    environment:
+      name: pypi
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@6733eb7d741f0b11ec6a39b58540dab7590f9b7d # v1.14.0
+        with:
+          print-hash: true
+          skip-existing: true
+
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Download release notes
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: release_notes
+          path: .
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ needs.build.outputs.version }}
+        run: |
+          # Create release if it doesn't exist; if it exists, just fail fast
+          gh release create "v$VERSION" \
+            --title "v$VERSION" \
+            --notes-file release_notes.md