Release-drafter template and resilient pnpm audit

Add a release-drafter template to format release notes with "What's Changed" and "Contributors" sections. Update the CI security workflow's pnpm audit step to run under bash, capture output and exit status, and treat ERR_PNPM_AUDIT_BAD_RESPONSE as a transient upstream outage (skip failing the job). Real audit findings and other errors still cause the job to fail.

Author: samhu1

.github/release-drafter.yml

@@ -1,5 +1,14 @@
 name-template: 'v$RESOLVED_VERSION'
 tag-template: 'v$RESOLVED_VERSION'
+template: |
+  ## What's Changed
+
+  $CHANGES
+
+  ## Contributors
+
+  $CONTRIBUTORS
+
 change-template: '- $TITLE (#$NUMBER)'
 no-changes-template: '- No user-facing changes in this release.'
 version-resolver:

.github/workflows/security.yml

@@ -40,4 +40,25 @@ jobs:
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - name: pnpm audit
-        run: pnpm audit --audit-level moderate
+        shell: bash
+        run: |
+          set +e
+          output="$(pnpm audit --audit-level moderate 2>&1)"
+          status=$?
+          set -e
+
+          echo "$output"
+
+          if [ "$status" -eq 0 ]; then
+            exit 0
+          fi
+
+          # npm audit API occasionally returns 500 and pnpm surfaces it as
+          # ERR_PNPM_AUDIT_BAD_RESPONSE. Do not fail CI for transient upstream outages.
+          if echo "$output" | grep -q "ERR_PNPM_AUDIT_BAD_RESPONSE"; then
+            echo "Skipping failure due to transient npm audit endpoint outage."
+            exit 0
+          fi
+
+          # Preserve failures for real audit findings or other errors.
+          exit "$status"