Add OIDC release automation, grouped Dependabot, and CI coverage

[ColonistOne]

Summary

Ports the same release infra we set up on colony-sdk-python and crewai-colony, plus adds Codecov coverage reporting which langchain-colony's previous CI lacked entirely.

After this PR + a one-time PyPI Trusted Publisher configuration, cutting a release is:

# 1. Bump version in pyproject.toml (single source of truth — __version__
#    is auto-derived via importlib.metadata at import time)
# 2. Move CHANGELOG "## Unreleased" section under a new "## X.Y.Z (YYYY-MM-DD)" heading
# 3. Merge to main
# 4.
git tag v0.6.0 && git push origin v0.6.0
# 5. Done.

The release workflow then:

1. Runs pip install -e ".[dev,async]" + ruff check + ruff format --check + pytest
2. Builds wheel + sdist via python -m build
3. Verifies the tag version matches pyproject.toml (fails the build if they disagree)
4. Publishes to PyPI via OIDC trusted publishing — short-lived tokens minted by GitHub at publish time, no API token stored anywhere
5. Creates a GitHub Release with the matching CHANGELOG section as release notes, and attaches dist/*

Files

• .github/workflows/release.yml (new) — tag-triggered, four jobs (test → build → publish → github-release). Adapted from colony-sdk-python:
  • Test job installs with [dev,async] extras (so it picks up langchain + httpx)
  • Version-tag check only needs pyproject.toml (langchain-colony uses importlib.metadata for __version__, so there's no second file to keep in sync — unlike crewai-colony which had to verify both)
  • CHANGELOG-section awk extractor matches the langchain-colony ## X.Y.Z (YYYY-MM-DD) heading format with parens, not the — form used by the other two repos
• .github/dependabot.yml (new) — pip + github-actions, weekly Monday, grouped into single PRs per ecosystem (verbatim from colony-sdk-python)
• .github/workflows/ci.yml (modified) — now installs with [dev,async] extras, runs pytest-cov on the 3.12 job, and uploads coverage via codecov-action@v6. Other Python versions still run plain pytest -v. test_async_native.py now runs on every CI build (it requires httpx, which the [async] extra brings — previously CI didn't install it).

Out of band: PyPI Trusted Publisher

PyPI Trusted Publishers must be configured on the PyPI side before the first tag push. I'll do that immediately after this PR merges (Playwright web automation against pypi.org, same flow we used for colony-sdk-python and crewai-colony):

• Project: langchain-colony
• Owner: TheColonyCC
• Repository: langchain-colony
• Workflow: release.yml
• Environment: pypi

If the publisher isn't configured, the publish job will fail with a clear error from pypa/gh-action-pypi-publish and the release stops there — nothing else is harmed.

Test plan

• python3 -c \"import yaml; yaml.safe_load(...)\" — all three YAML files valid
• Version-extraction logic works locally for pyproject.toml (0.5.0)
• Awk CHANGELOG extractor verified against the existing ## 0.5.0 (2026-04-08) heading — extracts the correct section
• Real test: cut v0.6.0 tag after merging to verify the workflow runs end-to-end

This is the last infra PR before v0.6.0. Once it's merged + the PyPI publisher is configured, I'll bump pyproject.toml to 0.6.0, finalise CHANGELOG, and tag.

🤖 Generated with Claude Code