fix(release): generate per-release changelog in release notes (#191)

[michaelweber]

Summary

Closes #191.

The "Generate release notes" step previously wrote a hardcoded static body for every release, so subscribers had no idea what changed between versions.

Changes:

• Call gh api .../releases/generate-notes with the previous tag to produce a GitHub-formatted "What's Changed" section (linked PRs, contributors, full-changelog link)
• Emit changelog first in the release body, followed by the download table and installation instructions
• Remove the now-redundant generic "Titus Secret Scanner" header (the release title already identifies the product)

Test plan

• Push a test tag to a fork / run the workflow via workflow_dispatch and verify the release body contains "What's Changed" with actual PR links
• Verify the download table and installation section still appear after the changelog
• Verify the workflow handles a first-ever release (no previous tag) without erroring — changelog.md will be empty, only the download table is emitted

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[github-actions]

Gemini review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @gemini on a review comment to force a review.

[github-actions]

Codex review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @codex on a review comment to force a review.

[github-actions]

Claude review skipped — non-code PR (only changed files matching docs/**, .github/**, .claude-plugin/**, *.md, *.txt, images, or license-like files). Post @claude on a review comment to force a review.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f4e22bbb-4abd-4282-8233-d2f7c603e3d5

📥 Commits

Reviewing files that changed from the base of the PR and between 64cc17d and 3ffc6df.

📒 Files selected for processing (1)

• .github/workflows/release-new.yml

---

Walkthrough

The release workflow's "Generate release notes" step was rewritten to dynamically generate changelog content using the GitHub CLI (gh api repos/.../releases/generate-notes). Previously, release notes were static. Now the step sets GH_TOKEN, fetches repository tags, determines the previous tag, and calls the GitHub API to generate a changelog. The generated changelog is conditionally embedded in release_notes.md, followed by structured sections for Downloads, Extensions, Installation, and Checksums. The previous static heredoc content and sed-based cleanup were removed.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/release-notes-191

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-new.yml:
- Around line 482-483: Update the release-notes printf lines that reference
static filenames 'titus-burp.jar' and 'titus-browser-extension.zip' to use the
versioned artifact names 'titus-burp-${VERSION}.jar' and
'titus-browser-extension-${VERSION}.zip' (using whatever VERSION variable is
defined in the workflow) so the README/release notes match the actual produced
artifacts.
- Around line 459-463: The release step currently silences failures by appending
"2>/dev/null || true" to the gh api call that generates changelog.md; change
this so the gh api repos/.../releases/generate-notes call fails the job on error
(remove the stderr discard and the "|| true") and propagate the non‑zero exit
(for example let the command exit non‑zero or explicitly check its exit status
and exit 1), so failures to generate notes produce a visible CI error instead of
an empty changelog.md.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82503568-6e0e-48b6-8350-c7565735fdc2

📥 Commits

Reviewing files that changed from the base of the PR and between c1aa36a and 64cc17d.

📒 Files selected for processing (1)

• .github/workflows/release-new.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the workflow currently suppresses generate-notes failures.
rg -n -C2 'releases/generate-notes|2>/dev/null|\|\| true' .github/workflows/release-new.yml

Repository: praetorian-inc/titus

Length of output: 1496

---

Fail fast on changelog API errors.

The 2>/dev/null || true at line 462 hides failures silently, risking releases without "What's Changed" content and no CI signal.

Suggested fix

-        if [ -n "$PREV_TAG" ]; then
-          gh api repos/${{ github.repository }}/releases/generate-notes \
-            -f tag_name="${{ env.VERSION }}" \
-            -f previous_tag_name="$PREV_TAG" \
-            --jq '.body' > changelog.md 2>/dev/null || true
-        fi
+        if [ -n "$PREV_TAG" ]; then
+          if ! gh api repos/${{ github.repository }}/releases/generate-notes \
+            -f tag_name="${{ env.VERSION }}" \
+            -f previous_tag_name="$PREV_TAG" \
+            --jq '.body' > changelog.md; then
+            echo "::error::Failed to generate changelog for ${VERSION} from ${PREV_TAG}"
+            exit 1
+          fi
+        fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	gh api repos/${{ github.repository }}/releases/generate-notes \
	-f tag_name="${{ env.VERSION }}" \
	-f previous_tag_name="$PREV_TAG" \
	--jq '.body' > changelog.md 2>/dev/null || true
	fi
	if [ -n "$PREV_TAG" ]; then
	if ! gh api repos/${{ github.repository }}/releases/generate-notes \
	-f tag_name="${{ env.VERSION }}" \
	-f previous_tag_name="$PREV_TAG" \
	--jq '.body' > changelog.md; then
	echo "::error::Failed to generate changelog for ${VERSION} from ${PREV_TAG}"
	exit 1
	fi
	fi

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-new.yml around lines 459 - 463, The release step
currently silences failures by appending "2>/dev/null || true" to the gh api
call that generates changelog.md; change this so the gh api
repos/.../releases/generate-notes call fails the job on error (remove the stderr
discard and the "|| true") and propagate the non‑zero exit (for example let the
command exit non‑zero or explicitly check its exit status and exit 1), so
failures to generate notes produce a visible CI error instead of an empty
changelog.md.