ci: migrate release-please to CLI + accept LABELER_PAT fallback #116

Merged: InstaZDLL merged 1 commit into main from ci/release-please-cli-and-labeler-pat on May 23, 2026

@InstaZDLL InstaZDLL commented May 23, 2026

Why

`googleapis/release-please-action@v5.0.0` is deprecated and bundles an old release-please library. Since 2026-05 it has been returning persistent 401 "Bad credentials" on multiple endpoints (commit backfill, snoozed-PR lookup). Reruns sometimes succeed but the failures recur on every push to main, so the release PR isn't being updated with the latest merges.

`actions/labeler` + `actions/github-script` (in `label-pr.yml`) hit the same class of 401 on label POSTs — less often, but the documented workaround is the same: bypass the auto-generated `GITHUB_TOKEN` with a PAT.

What

`release-please.yml`

  • Drop `googleapis/release-please-action@v5.0.0`.
  • Add `actions/setup-node@v5` + `npx release-please@17` for both phases (`release-pr` and `github-release`) on every push.
  • Same release PR branch (`release-please--branches--main--components--waveflow`) → companion `release-please-lockfile-build.yml` keeps working untouched.

`label-pr.yml`

  • Add a job-level `env: LABEL_TOKEN: ${{ secrets.LABELER_PAT || secrets.GITHUB_TOKEN }}` ternary.
  • Pass `LABEL_TOKEN` to `actions/labeler` via `repo-token` and to both `github-script` steps via `github-token`.
  • Empty secrets are falsy so unset → fallback transparently. No-op if you don't add the PAT.

Required action from the maintainer

Create a fine-grained PAT scoped to this repo, with these permissions:

  • Repository access: only `InstaZDLL/WaveFlow`
  • Repository permissions:
    • `Metadata` — Read (auto)
    • `Issues` — Read and write (for `addLabels` / `removeLabel`)
    • `Pull requests` — Read and write (for the labeler action)
  • Expiration: ≤ 90 days (rotate when prompted)

Then add it to the repo as a secret named `LABELER_PAT`:
`Settings → Secrets and variables → Actions → New repository secret`

Without this secret the workflow falls back to `GITHUB_TOKEN` — exactly today's behaviour, so nothing breaks if you postpone it.

Test plan

  • CI on this PR runs the new `label-pr.yml` shape (with `GITHUB_TOKEN` fallback since `LABELER_PAT` isn't set yet on this branch's run)
  • After merge, push to main triggers the new `release-please.yml` CLI flow
  • Existing release PR chore(main): release 1.3.0 #111 gets updated in place with the recent merges (`fix/playlist-cover-modal-freeze`, `fix/artist-grid-violet-halo`, `fix/onboarding-1080p-and-profile-step`)
  • Once `LABELER_PAT` is added, the next PR's label workflow uses it (verified by the absence of any future 401 on `addLabels`)
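
A sketch of the `release-please.yml` shape this description outlines, added here as an example and not taken from the repository. The workflow and job names, the Node version, the `permissions` block, and the `--yes` flag are assumptions; the `release-pr` and `github-release` subcommands with `--token` and `--repo-url` are the release-please CLI's own.

```yaml
# Added example, not the repository's workflow file.
name: release-please
on:
  push:
    branches: [main]

# Assumed scopes for the auto-generated GITHUB_TOKEN: the CLI pushes the
# release branch, opens/updates the release PR, and creates tags and releases.
permissions:
  contents: write
  pull-requests: write
  issues: write

jobs:
  release-please:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/setup-node@v5
        with:
          node-version: 22   # assumed; any supported LTS works

      # Phase 1: create or update the release PR (idempotent).
      # release-please@17 floats within major version 17; pin an exact
      # version if the run must be reproducible.
      - name: Update release PR
        run: >
          npx --yes release-please@17 release-pr
          --token="$GITHUB_TOKEN"
          --repo-url="$GITHUB_REPOSITORY"

      # Phase 2: publish the tag and release when the head commit is the
      # release-PR merge; a no-op on every other push.
      - name: Publish release
        run: >
          npx --yes release-please@17 github-release
          --token="$GITHUB_TOKEN"
          --repo-url="$GITHUB_REPOSITORY"
```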

`googleapis/release-please-action@v5.0.0` is deprecated and bundles
an old release-please library that's been returning persistent
401 "Bad credentials" on multiple endpoints (commit backfill,
snoozed-PR lookup) since 2026-05. Reruns helped intermittently
but the failures keep recurring on every push to main.

Drop the action and call the official `release-please` CLI v17
directly with `npx` instead. The CLI uses the same `GITHUB_TOKEN`
cleanly. Both phases run unconditionally on every push:

  - `release-pr` keeps the release PR up-to-date (idempotent)
  - `github-release` publishes the tag + release IF the head
    commit is the release-PR merge (no-op otherwise)

The release PR branch name stays the same
(`release-please--branches--main--components--waveflow`), so the
companion `release-please-lockfile-build.yml` keeps gating
correctly on `startsWith(head_ref, 'release-please--')` and
`user.login == 'github-actions[bot]'`.

label-pr.yml: accept an optional `LABELER_PAT` secret as the auth
token, falling back to the auto-generated `GITHUB_TOKEN` when not
set. Same 401 class of failures hit the `addLabels` and
`removeLabel` REST calls in this workflow; the documented escape
hatch is a fine-grained PAT scoped to issues + pull_requests
write on this repo. Empty secrets are falsy in the ternary so
unset → fallback works without extra plumbing.
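
The `label-pr.yml` token fallback described above, as an added sketch that is not the repository's file. The trigger, job name, action versions, `permissions` block, and the placeholder label in the script are assumptions; `repo-token` and `github-token` are the inputs named in the PR.

```yaml
# Added example, not the repository's workflow file.
name: label-pr
on:
  pull_request_target:          # assumed trigger; no PR code is checked out here
    types: [opened, synchronize, reopened]

# These scopes bound only the GITHUB_TOKEN fallback. A PAT carries its own
# fine-grained permissions and is not restricted by this block, so keep the
# PAT itself limited to this repository with Issues and Pull requests write.
permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  label:
    runs-on: ubuntu-latest
    env:
      # An unset secret evaluates to '' (falsy), so || selects GITHUB_TOKEN.
      LABEL_TOKEN: ${{ secrets.LABELER_PAT || secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/labeler@v5          # assumed version
        with:
          repo-token: ${{ env.LABEL_TOKEN }}

      - uses: actions/github-script@v7    # assumed version
        with:
          github-token: ${{ env.LABEL_TOKEN }}
          script: |
            // Placeholder label name, for illustration only.
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: ['example-label'],
            });
```

On workflows triggered by `pull_request` from a fork, repository secrets are not provided, so `LABELER_PAT` would be empty there and the expression would resolve to the read-only `GITHUB_TOKEN`.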

coderabbitai Bot commented May 23, 2026

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (5)
  • chore: bump
  • chore(main): release
  • release-please
  • dependabot
  • [bot]

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 0cfe9a14-963a-4e2a-9696-0809ae1df780

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions Bot added labels scope: ci (CI/CD, workflows), type: ci (CI/CD changes), size: m (50-200 lines) May 23, 2026
@InstaZDLL InstaZDLL self-assigned this May 23, 2026
@InstaZDLL InstaZDLL merged commit cbf3805 into main May 23, 2026
13 checks passed
@InstaZDLL InstaZDLL deleted the ci/release-please-cli-and-labeler-pat branch May 23, 2026 10:59