ci: update GHA workflows to support assisted publishing

[legobeat]

Borrowed and amended from https://github.com/MetaMask/detect-provider/ which is also a yarn v1 repo.

• Add create-release-pr workflow
• Add npm-publish workflow
  • Needs corresponding secrets configured in npm-publish GH repo environment
• Change image from ubuntu-20.04 to ubuntu-latest
• Add Nodejs versions 16, 18, 20 to test matrix
• Lint changelog for release using @metamask/auto-changelog
  • Note that due to this package still supporting node v12, the action is held back to the older (IMO much nicer and more readable) changelog format, so applying those changes. The formatting will be reversed to being newline-everywhere after support for node v12 and v14 have been dropped.

Blocked by

• Revert "2.0.1 (#26)" #53

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@metamask/auto-changelog	2.6.1	filesystem, environment	+11	695 kB	gudahtt

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: merge-stream@2.0.0

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

[legobeat]

@SocketSecurity ignore merge-stream@2.0.0

new author ok

[mcmire]

How urgent is this PR? I think it would be better if we could upgrade to Yarn v3 and bump the minimum Node version to 12. That would save us time in maintaining this package long-term, since we wouldn't have to manage it as differently as other libraries. But please let me know how this fits into the bigger picture on your end.

[legobeat]

How urgent is this PR? I think it would be better if we could upgrade to Yarn v3 and bump the minimum Node version to 12. That would save us time in maintaining this package long-term, since we wouldn't have to manage it as differently as other libraries. But please let me know how this fits into the bigger picture on your end.

I think release of merged #50 should happen before those two things and is more time-sensitive. This PR was intended to facilitate release and publish of it.

[mcmire]

Looks good.