Reintroduce changelog tool automation #2721
Open: JordonPhillips wants to merge 2 commits into main from changelog-automation (base: main)
Conversation
sugmanue approved these changes on Jul 28, 2025
This adds GitHub automation to ensure that PRs contain staged changelog entries by calling the `amend` command of the changelog tool. This command will check the diff of the PR's head against the base branch. If no staged changelog entry is present, it will post a comment reminding the requester to add one and instructing them on how to do so. If a staged changelog entry is present but lacks a PR link (since it's a chicken-and-egg problem), it will post a review comment with a committable suggestion to add the PR link.

This was previously introduced, but had to be reverted after some security concerns were brought up. There were two core issues with the previous iteration:

- The workflow job was given `write-all` permissions, which is well beyond the scope of what it needed. The new workflow only has write permissions to issues and pull requests, which it needs to post comments, as well as rights to read the contents of the repo.
- The workflow job was checking out the PR branch and running the changelog tool from it. This is a problem because a malicious actor could modify the changelog tool to do whatever they want and it would be run without review. This is made much worse by the permissions issue above. The new workflow now checks out the base branch to run the changelog tool from. The PR's branch is checked out separately for the changelog tool to inspect. Both copies of the repo are checked out shallowly: only the `.changes` dir of the base branch is pulled and only the `.changes/next-release` dir of the PR branch is pulled.
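The layout the description above calls for (scoped permissions, the tool run from a trusted base checkout, the PR branch fetched separately as data only), written out as an added example rather than the workflow file from this PR. The tool path `.changes/tool` and the arguments passed to its `amend` command are placeholders; the `pull_request_target` trigger is the one the CodeQL finding on this PR names.

```yaml
# Added example, not the PR's workflow file. Placeholders: the tool path
# .changes/tool and the arguments passed to its amend command.
name: changelog
on:
  pull_request_target:   # runs with the base repo's token; nothing from the PR may execute
    types: [opened, synchronize, reopened]

# Least privilege: the reverted version used write-all. Posting comments
# needs issues and pull-requests write; the repo contents stay read-only.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      # Trusted copy: the tool is executed from the BASE branch, so a PR
      # author cannot change what runs. Only the .changes tree is needed.
      - name: Pull the base
        uses: actions/checkout@v4
        with:
          ref: ${{ github.base_ref }}
          sparse-checkout: .changes

      # Untrusted copy: data only, never executed. Pin to the reviewed commit
      # SHA instead of the mutable branch name, and keep the base repo's
      # token out of this checkout.
      - name: Pull the PR
        uses: actions/checkout@v4
        with:
          path: pr
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          sparse-checkout: .changes/next-release
          persist-credentials: false

      # Give the PR copy the base commit so the tool can diff head vs base;
      # this is git only, no code from pr/ runs.
      - name: Fetch base into the PR copy
        run: git -C pr fetch --depth=1 "https://github.com/${{ github.repository }}" "${{ github.base_ref }}"

      # Placeholder invocation: the tool lives in the trusted checkout and
      # only reads ../pr (FETCH_HEAD there is the base, HEAD is the PR head).
      - name: Check for a staged changelog entry
        env:
          GH_TOKEN: ${{ github.token }}
        run: ./.changes/tool amend pr
```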
Commits 3a3d022 to 013b4a4
Comment on lines
+41
to
+57
- name: Pull the PR | ||
uses: actions/checkout@v4 | ||
with: | ||
path: pr | ||
ref: ${{ github.head_ref }} | ||
repository: ${{ github.event.pull_request.head.repo.full_name }} | ||
|
||
# The changelog tool only needs to know about staged changelog | ||
# entries in the PR branch, so ONLY check out those. This makes | ||
# the checkout faster, but also makes it harder to accidentally | ||
# run code from the PR branch. | ||
sparse-checkout: .changes/next-release | ||
|
||
# This is needed so that the changelog tool can check the diff for | ||
# newly-introduced changes by comparing its head against that of | ||
# the base. We still won't actually run code from that copy. | ||
- name: Fetch base from PR copy |
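Review bot: `ref: ${{ github.head_ref }}` in the "Pull the PR" step resolves a mutable branch name at checkout time, so the files the tool inspects may not be the commit that was reviewed; pin to `${{ github.event.pull_request.head.sha }}`. Since this checkout runs under `pull_request_target` (the CodeQL finding on this PR), also set `persist-credentials: false` so the base repository's token is not written into the untrusted `pr` copy, and keep the following "Fetch base from PR copy" step to plain `git` commands against that directory: the sparse checkout narrows what is fetched, not what a later `run:` step in `pr/` could execute.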
Check failure: Code scanning / CodeQL: Checkout of untrusted code in trusted context (High). Potential execution of untrusted code on a privileged workflow (pull_request_target).
You can see how these automated comments look in this PR to my fork.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.