Umm, sorry about not looking at it sooner. Looks good to me. What I don't understand is why it requires token. How will Github workflow get the token? Obv we can't make it part of the repository itself, as its supposed to be private (the token gives access to all private repos as well).

It appears there is GITHUB_TOKEN which is automatically generated and can be used here instead, and if I understand correctly, it just has current repository in its scope instead of wider scoped private token I can create. However, I'm still little anxious about PRs/CI being able to change things (from security pov) which you don't see in the diff itself.

Oh, you're right. But let separate two different issues:

1. The first one is about potential access to private repos. This issue can be solved by creating an organization in Github for RacketScript. Since we'll have in that organization only public repos we won't need to care about private repositories and (looks like) we'll be able to better control keys (because in organization settings it's possible to specify repositories for tokens). And moreover, it'll be useful for some additional repositories in the future like a website repository for RacketScript or some additional tools.
2. The second issue is about trust in Github Release Notes actions. So here we can only analyze the source code of a particular version of the project and check that it doesn't do anything else except generating release notes.

If we aren't ready or don't want to do that right now, we can get rid of that github action and write changelogs manually (or don't write them at all) and use tags for releases.

I'm not sure which option is better. @vishesh what do you think?

I'm just gonna let this PR sit around for some time, until we can get to thinking a bit more about it. Apart from the points you mentioned, another problem is that none of us are following any specific commit guidelines (log message conventions, squashing commits, when to do releases etc...). I totally would love to have all that, along with proper processes, but once we have some pace and features/fixes in.

But if everyone else feels strongly about having this sooner, we can get this in.

I think we can add this automation later when we'll be ready. It's not a problem at all