fix(release): include lockfile changes in has_changes()

[Will-hxw]

Summary

• has_changes() in scripts/release.py now also checks for lockfile changes (uv.lock, package-lock.json, pnpm-lock.yaml, yarn.lock) in addition to .py and .ts files

Why

Issue #3870: When a package only has lockfile changes between release tags, has_changes() returned False because it only checked .py and .ts suffixes. This caused pyproject.toml versions to be skipped during version bump (e.g., src/git/ stayed at 0.6.2 instead of the CalVer tag), breaking SBOM/CVE scanners that key off the version field.

Fix

# Before
relevant_files = [f for f in changed_files if f.suffix in [".py", ".ts"]]

# After
relevant_files = [
    f
    for f in changed_files
    if f.suffix in [".py", ".ts"]
    or f.name in ("uv.lock", "package-lock.json", "pnpm-lock.yaml", "yarn.lock")
]

Validation

• Python syntax check passed
• Only affects release script (scripts/release.py), no runtime code changes

Related

• Fixes Release script skips version bump for packages with only lockfile changes #3870

🤖 Generated with Claude Code