feat: add Update Changelogs workflow with auto-changelog v6 --checkDeps#8443
feat: add Update Changelogs workflow with auto-changelog v6 --checkDeps#8443
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
cryptodev-2s
changed the title
- Add --checkDeps to validate-changelog.sh to catch missing dep entries - Add --checkDeps --fix to update-changelog.sh to auto-generate dep entries - Add fix-changelogs workflow to auto-fix changelogs on release branches
- --checkDeps/--fix are validate-only flags, revert from update-changelog.sh - Skip --checkDeps on main branch to avoid "HEAD is same as base" error - Workflow uses validate --checkDeps --fix with PR number for auto-fixing
Keep dependency bump validation opt-in via @metamaskbot check-deps only.
- Add missing --checkDeps flag to validate step - Fix shell quoting bug in fork detection - Narrow git add to **/CHANGELOG.md only - Report validation failures in PR comment instead of swallowing them - Use chore: prefix for automated commit message
- Add concurrency group to prevent racing on duplicate triggers - Add if: always() to comment step so users always get feedback - Add comment explaining branch checkout purpose - Remove -A flag from git add (only staging tracked CHANGELOG.md files) - Improve step name and commit message for clarity
- Add pull_request opened trigger for release/* branches targeting main - Use github.event.issue.number || github.event.pull_request.number for both triggers - Conditionally show reaction only for comment triggers
- Rename file from fix-changelogs.yml to update-changelogs.yml - Update workflow name, job names, and concurrency group - Rename bot command to @metamaskbot update-changelogs
- Add git fetch before branch checkout (shallow clone has no branch refs) - Handle partial fix case: report remaining errors when fixes are pushed - Handle skipped steps: detect when earlier steps fail and report accurately - Rename job ID from fix-changelogs to update-changelogs for consistency
cryptodev-2s
force-pushed
the
feat/auto-changelog-check-deps
branch
from
772928a to
f4aabbb
Compare
Shallow clone with fetch-depth: 1 doesn't include origin/main, causing --checkDeps to fail with "could not resolve base branch".
- Use fetch-depth: 0 so git merge-base can find common ancestor with main - Hide previous bot comments on rerun to reduce noise - Add emoji to comment messages for clarity
- Add --paginate to handle PRs with many comments - Use precise emoji-anchored regex to match only this workflow's comments - Add continue-on-error so comment hiding doesn't block core workflow
Use patroll-managed PAT so commits pushed by this workflow trigger subsequent CI workflows (GITHUB_TOKEN commits don't trigger workflows). Depends on: MetaMask/patroll#75
…OCTOU' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| inputs: | ||
| commit-starts-with: | ||
| description: "Validate that the release commit starts with a string in this comma-separated list. Use '[version]' to refer to the current release version." | ||
| required: true |
There was a problem hiding this comment.
Actions don't have access to vars directly.
| set -euo pipefail | ||
|
|
||
| MERGE_BASE=$(git merge-base HEAD "refs/remotes/origin/$BASE_REF") | ||
| echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
Merge base is needed to determine the before commit for action-is-release.
There was a problem hiding this comment.
Interesting. auto-changelog also takes a "before" commit via a --from option. If this is not given it will calculate its own merge base: https://github.com/MetaMask/auto-changelog/blob/902c1f9b54dd3c61f938475400da46ac1cb04e4c/src/get-dependency-changes.ts#L198. So now we have two places that perform this step (in two different ways). Maybe we should capture the result of this step and pass it to auto-changelog via --from so that we're using the same approach?
| run: | | ||
| git fetch --no-tags origin "$PR_HEAD_SHA" | ||
| git fetch --no-tags origin "$PR_BASE_REF" | ||
| git checkout --detach "$PR_HEAD_SHA" |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ccae16b. Configure here.
mcmire
left a comment
mcmire
left a comment
There was a problem hiding this comment.
This workflow is surprisingly complicated, but it does all make sense. I just had two more comments.
| set -euo pipefail | ||
|
|
||
| MERGE_BASE=$(git merge-base HEAD "refs/remotes/origin/$BASE_REF") | ||
| echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
Interesting. auto-changelog also takes a "before" commit via a --from option. If this is not given it will calculate its own merge base: https://github.com/MetaMask/auto-changelog/blob/902c1f9b54dd3c61f938475400da46ac1cb04e4c/src/get-dependency-changes.ts#L198. So now we have two places that perform this step (in two different ways). Maybe we should capture the result of this step and pass it to auto-changelog via --from so that we're using the same approach?
@mcmire It definitely gets a lot more complicated because we need to support running it when opening a pull request and when leaving a comment. I rewrote some bash scripts to use |
4 participants
Explanation
Adds an Update Changelogs workflow that uses
@metamask/auto-changelogv6's--checkDeps --fixfeature to automatically validate and fix missing dependency bump changelog entries.Triggers:
release/*branch) is opened targetingmain@metamaskbot update-changelogson any non-fork PRWhat it does:
changelog:validate --checkDeps --fix --currentPr <PR#>across all packagesSecurity:
isCrossRepositorycheck${{ }}inrun:blocks)References
Checklist
Note
Medium Risk
Adds CI automation that runs with
contents: writeand can push commits to PR branches and post/minimize comments, so misconfiguration could affect contributor branches or spam PRs; code changes are limited to GitHub workflow logic.Overview
Adds a new
Update Changelogsworkflow that, for non-fork PRs, detects release PRs (or a@metamaskbot update-changelogscomment), runsyarn changelog:validate --checkDeps --fixfrom the PR’s merge-base, and auto-commits/pushes any**/CHANGELOG.mdfixes back to the PR branch with a status comment (minimizing prior bot comments).Makes release detection configurable by introducing a
commit-starts-withinput to thecheck-releasecomposite action and wiring bothcheck-releaseand theis-releasejob inmain.ymlto use${{ vars.RELEASE_COMMIT_PREFIX }}instead of a hardcoded prefix list.Reviewed by Cursor Bugbot for commit c6e02fe. Bugbot is set up for automated code reviews on this repo. Configure here.