From 61175c24d27205e8fabc5f248ed31ecd2cb088a8 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Mon, 13 Apr 2026 23:18:23 +0200 Subject: [PATCH 01/34] feat: adopt auto-changelog v6 --checkDeps for dependency bump validation - Add --checkDeps to validate-changelog.sh to catch missing dep entries - Add --checkDeps --fix to update-changelog.sh to auto-generate dep entries - Add fix-changelogs workflow to auto-fix changelogs on release branches --- .github/workflows/fix-changelogs.yml | 45 ++++++++++++++++++++++++++++ scripts/update-changelog.sh | 4 +-- scripts/validate-changelog.sh | 4 +-- 3 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/fix-changelogs.yml diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml new file mode 100644 index 0000000000..1f8c33f665 --- /dev/null +++ b/.github/workflows/fix-changelogs.yml @@ -0,0 +1,45 @@ +name: Fix Changelogs + +on: + push: + branches: + - 'release/*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: write + +jobs: + fix-changelogs: + name: Fix changelogs + runs-on: ubuntu-latest + steps: + - name: Checkout and setup environment + uses: MetaMask/action-checkout-and-setup@v2 + with: + is-high-risk-environment: false + cache-node-modules: true + node-version: 22.x + + - name: Checkout branch by name + run: git checkout "${GITHUB_REF#refs/heads/}" + + - name: Run changelog update + run: yarn changelog:update + + - name: Commit and push if changed + run: | + if git diff --quiet; then + echo "No changelog changes detected." + exit 0 + fi + echo "Changelog changes detected:" + git diff --stat + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add -A '*.md' + git commit -m "fix: auto-update changelogs for release" + git push 
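Review bot: The `git push` at the end of `Commit and push if changed` runs with the job's `github.token`, and pushes made with GITHUB_TOKEN do not start other workflow runs, so the release branch's regular CI never executes against the auto-generated changelog commit. If that commit has to be checked, a different credential is needed; otherwise record the limitation above the push, `# Pushed with GITHUB_TOKEN: this commit will not trigger other workflows`. `MetaMask/action-checkout-and-setup@v2` is pinned to a mutable tag; pinning to a full commit SHA is the usual hardening for a third-party action that runs with a write-capable token in scope.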
diff --git a/scripts/update-changelog.sh b/scripts/update-changelog.sh index 7cd5639010..f281c58114 100755 --- a/scripts/update-changelog.sh +++ b/scripts/update-changelog.sh @@ -15,7 +15,7 @@ shift # remove package name from arguments branch=$(git rev-parse --abbrev-ref HEAD) if [[ $branch =~ ^release/ ]]; then - yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --rc "$@" + yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --rc --checkDeps --fix "$@" else - yarn auto-changelog update --prettier --tag-prefix "${package_name}@" "$@" + yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --checkDeps --fix "$@" fi diff --git a/scripts/validate-changelog.sh b/scripts/validate-changelog.sh index 19dabb3620..74d4320e92 100755 --- a/scripts/validate-changelog.sh +++ b/scripts/validate-changelog.sh @@ -11,7 +11,7 @@ package_name="$1" shift # remove package name from arguments if [[ "${GITHUB_REF:-}" =~ '^release/' ]]; then - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc --checkDeps "$@" else - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --checkDeps "$@" fi From a83983a847c3e5a42c0c260b539cf6aa0a444253 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Mon, 13 Apr 2026 23:41:37 +0200 Subject: [PATCH 02/34] fix: correct --checkDeps usage and handle main branch - --checkDeps/--fix are validate-only flags, revert from update-changelog.sh - Skip --checkDeps on main branch to avoid "HEAD is same as base" error - Workflow uses validate --checkDeps --fix with PR number for auto-fixing --- .github/workflows/fix-changelogs.yml | 20 ++++++++++++++++++++ scripts/update-changelog.sh | 4 ++-- scripts/validate-changelog.sh | 12 ++++++++++-- 3 files changed, 32 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 1f8c33f665..617111ad58 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -30,6 +30,26 @@ jobs: - name: Run changelog update run: yarn changelog:update + - name: Get PR number for this branch + id: pr + run: | + PR_NUMBER=$(gh pr list --head "${GITHUB_REF#refs/heads/}" --json number --jq '.[0].number') + if [ -n "$PR_NUMBER" ]; then + echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT" + echo "Found PR #$PR_NUMBER" + else + echo "No PR found for this branch" + fi + env: + GH_TOKEN: ${{ github.token }} + + - name: Fix missing dependency bump entries + if: steps.pr.outputs.number != '' + run: > + yarn workspaces foreach --all --no-private --parallel --interlaced --verbose + run changelog:validate --fix --currentPr "${{ steps.pr.outputs.number }}" + continue-on-error: true + - name: Commit and push if changed run: | if git diff --quiet; then diff --git a/scripts/update-changelog.sh b/scripts/update-changelog.sh index f281c58114..7cd5639010 100755 --- a/scripts/update-changelog.sh +++ b/scripts/update-changelog.sh @@ -15,7 +15,7 @@ shift # remove package name from arguments branch=$(git rev-parse --abbrev-ref HEAD) if [[ $branch =~ ^release/ ]]; then - yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --rc --checkDeps --fix "$@" + yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --rc "$@" else - yarn auto-changelog update --prettier --tag-prefix "${package_name}@" --checkDeps --fix "$@" + yarn auto-changelog update --prettier --tag-prefix "${package_name}@" "$@" fi diff --git a/scripts/validate-changelog.sh b/scripts/validate-changelog.sh index 74d4320e92..834e3b8674 100755 --- a/scripts/validate-changelog.sh +++ b/scripts/validate-changelog.sh 
@@ -10,8 +10,16 @@ fi package_name="$1" shift # remove package name from arguments +# Enable --checkDeps only on non-main branches to avoid +# "HEAD is the same as the base branch" errors on main. +branch=$(git rev-parse --abbrev-ref HEAD) +check_deps_args=() +if [[ "$branch" != "main" && "$branch" != "HEAD" ]]; then + check_deps_args=(--checkDeps) +fi + if [[ "${GITHUB_REF:-}" =~ '^release/' ]]; then - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc --checkDeps "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc "${check_deps_args[@]+"${check_deps_args[@]}"}" "$@" else - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --checkDeps "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" "${check_deps_args[@]+"${check_deps_args[@]}"}" "$@" fi From 02fd3022035bfa006c9853e8eeaaa7eb396bcb18 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Mon, 13 Apr 2026 23:48:03 +0200 Subject: [PATCH 03/34] fix: trigger fix-changelogs via @metamaskbot check-deps PR comment --- .github/workflows/fix-changelogs.yml | 61 ++++++++++++++++------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 617111ad58..f3e4c8cf58 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml 
@@ -1,65 +1,76 @@ name: Fix Changelogs on: - push: - branches: - - 'release/*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + issue_comment: + types: [created] permissions: contents: write + pull-requests: write jobs: fix-changelogs: name: Fix changelogs + if: > + github.event.issue.pull_request && + contains(github.event.comment.body, '@metamaskbot check-deps') runs-on: ubuntu-latest steps: + - name: Get PR head ref + id: pr + run: | + PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} --jq '{ref: .head.ref, sha: .head.sha}') + echo "ref=$(echo "$PR_DATA" | jq -r .ref)" >> "$GITHUB_OUTPUT" + echo "sha=$(echo "$PR_DATA" | jq -r .sha)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ github.token }} + + - name: React to comment + run: gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions -f content='+1' + env: + GH_TOKEN: ${{ github.token }} + - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@v2 with: is-high-risk-environment: false cache-node-modules: true node-version: 22.x + ref: ${{ steps.pr.outputs.ref }} - name: Checkout branch by name - run: git checkout "${GITHUB_REF#refs/heads/}" + run: git checkout "${{ steps.pr.outputs.ref }}" - name: Run changelog update run: yarn changelog:update - - name: Get PR number for this branch - id: pr - run: | - PR_NUMBER=$(gh pr list --head "${GITHUB_REF#refs/heads/}" --json number --jq '.[0].number') - if [ -n "$PR_NUMBER" ]; then - echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT" - echo "Found PR #$PR_NUMBER" - else - echo "No PR found for this branch" - fi - env: - GH_TOKEN: ${{ github.token }} - - name: Fix missing dependency bump entries - if: steps.pr.outputs.number != '' run: > yarn workspaces foreach --all --no-private --parallel --interlaced --verbose - run changelog:validate --fix --currentPr "${{ steps.pr.outputs.number }}" + run changelog:validate --fix --currentPr "${{ 
github.event.issue.number }}" continue-on-error: true - name: Commit and push if changed + id: commit run: | if git diff --quiet; then - echo "No changelog changes detected." + echo "changed=false" >> "$GITHUB_OUTPUT" exit 0 fi - echo "Changelog changes detected:" git diff --stat git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git add -A '*.md' git commit -m "fix: auto-update changelogs for release" git push + echo "changed=true" >> "$GITHUB_OUTPUT" + + - name: Comment result + run: | + if [ "${{ steps.commit.outputs.changed }}" = "true" ]; then + gh pr comment "${{ github.event.issue.number }}" --body "Changelogs updated and pushed." + else + gh pr comment "${{ github.event.issue.number }}" --body "No changelog changes needed." + fi + env: + GH_TOKEN: ${{ github.token }} From 14d02981ec476a263c93e3ae19489ad4f461e839 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Mon, 13 Apr 2026 23:50:10 +0200 Subject: [PATCH 04/34] revert: remove --checkDeps from validate-changelog.sh Keep dependency bump validation opt-in via @metamaskbot check-deps only. --- scripts/validate-changelog.sh | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/scripts/validate-changelog.sh b/scripts/validate-changelog.sh index 834e3b8674..19dabb3620 100755 --- a/scripts/validate-changelog.sh +++ b/scripts/validate-changelog.sh 
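Review bot: The job's `if:` accepts `@metamaskbot check-deps` from any account able to comment on the PR — on a public repository that is anyone — and the job then pushes commits with `contents: write`; nothing checks who wrote the comment. Gate on the commenter's role, e.g. append `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the condition, so only maintainers can drive the bot's pushes. The same condition is carried forward without this check in PATCH 12/34 and PATCH 13/34.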
@@ -10,16 +10,8 @@ fi package_name="$1" shift # remove package name from arguments -# Enable --checkDeps only on non-main branches to avoid -# "HEAD is the same as the base branch" errors on main. -branch=$(git rev-parse --abbrev-ref HEAD) -check_deps_args=() -if [[ "$branch" != "main" && "$branch" != "HEAD" ]]; then - check_deps_args=(--checkDeps) -fi - if [[ "${GITHUB_REF:-}" =~ '^release/' ]]; then - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc "${check_deps_args[@]+"${check_deps_args[@]}"}" "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" --rc "$@" else - yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" "${check_deps_args[@]+"${check_deps_args[@]}"}" "$@" + yarn auto-changelog validate --prettier --tag-prefix "${package_name}@" "$@" fi From 9c0924fc97111c626cb4c8c68682aa432eed33c4 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Mon, 13 Apr 2026 23:51:37 +0200 Subject: [PATCH 05/34] fix: use env vars to prevent code injection in fix-changelogs workflow --- .github/workflows/fix-changelogs.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index f3e4c8cf58..cb172203da 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml 
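Review bot: The `--rc` branch of the new lines is unreachable: in bash a quoted `=~` pattern is matched literally, so `[[ "${GITHUB_REF:-}" =~ '^release/' ]]` looks for the characters `^release/`, and GITHUB_REF is `refs/heads/<branch>` on push runs (the default branch on issue_comment runs, `refs/pull/N/merge` on pull_request runs), so it would not start with `release/` even unquoted. Checking out the branch by name in the fix-changelogs workflow does not change this, because the script reads GITHUB_REF rather than the checked-out branch. If `--rc` is meant to apply on release branches and release PRs, mirror update-changelog.sh: `if [[ "${GITHUB_REF:-}" =~ ^refs/heads/release/ || "$(git rev-parse --abbrev-ref HEAD)" =~ ^release/ ]]; then`. The condition is a context line here and the script continues outside the hunk.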
@@ -19,16 +19,18 @@ jobs: - name: Get PR head ref id: pr run: | - PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} --jq '{ref: .head.ref, sha: .head.sha}') + PR_DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '{ref: .head.ref, sha: .head.sha}') echo "ref=$(echo "$PR_DATA" | jq -r .ref)" >> "$GITHUB_OUTPUT" echo "sha=$(echo "$PR_DATA" | jq -r .sha)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.issue.number }} - name: React to comment - run: gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions -f content='+1' + run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' env: GH_TOKEN: ${{ github.token }} + COMMENT_ID: ${{ github.event.comment.id }} - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@v2 @@ -36,10 +38,12 @@ jobs: is-high-risk-environment: false cache-node-modules: true node-version: 22.x - ref: ${{ steps.pr.outputs.ref }} + ref: ${{ steps.pr.outputs.sha }} - name: Checkout branch by name - run: git checkout "${{ steps.pr.outputs.ref }}" + run: git checkout "$PR_REF" + env: + PR_REF: ${{ steps.pr.outputs.ref }} - name: Run changelog update run: yarn changelog:update @@ -47,8 +51,10 @@ jobs: - name: Fix missing dependency bump entries run: > yarn workspaces foreach --all --no-private --parallel --interlaced --verbose - run changelog:validate --fix --currentPr "${{ github.event.issue.number }}" + run changelog:validate --fix --currentPr "$PR_NUMBER" continue-on-error: true + env: + PR_NUMBER: ${{ github.event.issue.number }} - name: Commit and push if changed id: commit 
@@ -67,10 +73,12 @@ jobs: - name: Comment result run: | - if [ "${{ steps.commit.outputs.changed }}" = "true" ]; then - gh pr comment "${{ github.event.issue.number }}" --body "Changelogs updated and pushed." + if [ "$CHANGED" = "true" ]; then + gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." else - gh pr comment "${{ github.event.issue.number }}" --body "No changelog changes needed." + gh pr comment "$PR_NUMBER" --body "No changelog changes needed." fi env: GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.issue.number }} + CHANGED: ${{ steps.commit.outputs.changed }} From f3192c679afbdcfda0a6daf402cafb7f550f2b2e Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:13:13 +0200 Subject: [PATCH 06/34] fix: skip fix-changelogs workflow on fork PRs --- .github/workflows/fix-changelogs.yml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index cb172203da..637a0f4ba7 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml 
@@ -9,12 +9,28 @@ permissions: pull-requests: write jobs: - fix-changelogs: - name: Fix changelogs + is-fork-pull-request: + name: Determine whether this PR is from a fork if: > github.event.issue.pull_request && contains(github.event.comment.body, '@metamaskbot check-deps') runs-on: ubuntu-latest + outputs: + IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} + steps: + - uses: actions/checkout@v4 + - name: Determine whether this PR is from a fork + id: is-fork + run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}")" >> "$GITHUB_OUTPUT" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number }} + + fix-changelogs: + name: Fix changelogs + needs: is-fork-pull-request + if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} + runs-on: ubuntu-latest steps: - name: Get PR head ref id: pr From 925ca1126cba99e431c29666bd132296904b565d Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:24:01 +0200 Subject: [PATCH 07/34] fix: address code review findings in fix-changelogs workflow - Add missing --checkDeps flag to validate step - Fix shell quoting bug in fork detection - Narrow git add to **/CHANGELOG.md only - Report validation failures in PR comment instead of swallowing them - Use chore: prefix for automated commit message --- .github/workflows/fix-changelogs.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 637a0f4ba7..506424d6dd 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml 
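Review bot: The fork-detection step passes its token as `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` while every other `gh` call in this file uses `GH_TOKEN: ${{ github.token }}`; both satisfy `gh`, but one spelling makes the token flow easier to audit, so prefer `GH_TOKEN: ${{ github.token }}` here too. The gate itself fails closed — an empty or errored `IS_FORK` never equals `'false'` — which is the right default for a job that pushes with `contents: write`.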
@@ -21,7 +21,9 @@ jobs: - uses: actions/checkout@v4 - name: Determine whether this PR is from a fork id: is-fork - run: echo "IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "${PR_NUMBER}")" >> "$GITHUB_OUTPUT" + run: | + IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER") + echo "IS_FORK=$IS_FORK" >> "$GITHUB_OUTPUT" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number }} @@ -65,9 +67,10 @@ jobs: run: yarn changelog:update - name: Fix missing dependency bump entries + id: validate run: > yarn workspaces foreach --all --no-private --parallel --interlaced --verbose - run changelog:validate --fix --currentPr "$PR_NUMBER" + run changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" continue-on-error: true env: PR_NUMBER: ${{ github.event.issue.number }} @@ -82,8 +85,8 @@ jobs: git diff --stat git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add -A '*.md' - git commit -m "fix: auto-update changelogs for release" + git add -A '**/CHANGELOG.md' + git commit -m "chore: auto-update changelogs for release" git push echo "changed=true" >> "$GITHUB_OUTPUT" @@ -91,6 +94,8 @@ jobs: run: | if [ "$CHANGED" = "true" ]; then gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." + elif [ "$VALIDATE_OUTCOME" = "failure" ]; then + gh pr comment "$PR_NUMBER" --body "Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." else gh pr comment "$PR_NUMBER" --body "No changelog changes needed." fi @@ -98,3 +103,4 @@ jobs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.issue.number }} CHANGED: ${{ steps.commit.outputs.changed }} + VALIDATE_OUTCOME: ${{ steps.validate.outcome }} From a62d2ee0c3c54a81caa95194e22bc9941686e43d Mon Sep 17 00:00:00 2001 
From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:29:33 +0200 Subject: [PATCH 08/34] fix: address review feedback for fix-changelogs workflow - Add concurrency group to prevent racing on duplicate triggers - Add if: always() to comment step so users always get feedback - Add comment explaining branch checkout purpose - Remove -A flag from git add (only staging tracked CHANGELOG.md files) - Improve step name and commit message for clarity --- .github/workflows/fix-changelogs.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 506424d6dd..bfac08a587 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -4,6 +4,10 @@ on: issue_comment: types: [created] +concurrency: + group: fix-changelogs-${{ github.event.issue.number }} + cancel-in-progress: true + permissions: contents: write pull-requests: write @@ -58,6 +62,7 @@ jobs: node-version: 22.x ref: ${{ steps.pr.outputs.sha }} + # Checkout by branch name so update-changelog.sh can detect release branches - name: Checkout branch by name run: git checkout "$PR_REF" env: @@ -66,7 +71,7 @@ jobs: - name: Run changelog update run: yarn changelog:update - - name: Fix missing dependency bump entries + - name: Validate and fix dependency bump entries id: validate run: > yarn workspaces foreach --all --no-private --parallel --interlaced --verbose 
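Review bot: `cancel-in-progress: true` keyed on the PR number lets a second trigger cancel a run that may be anywhere between `git commit` and `git push`, and the `Comment result` step that this commit marks `if: always()` (later hunk) still runs on a cancelled job, posting "No changelog changes needed" for a run that was merely superseded. Use `if: ${{ !cancelled() }}` on that step so cancelled runs stay silent, or drop `cancel-in-progress` and let runs for the same PR queue.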
@@ -85,12 +90,13 @@ jobs: git diff --stat git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add -A '**/CHANGELOG.md' - git commit -m "chore: auto-update changelogs for release" + git add '**/CHANGELOG.md' + git commit -m "chore: auto-fix dependency bump changelog entries" git push echo "changed=true" >> "$GITHUB_OUTPUT" - name: Comment result + if: always() run: | if [ "$CHANGED" = "true" ]; then gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." From b6cf542abe7e60f50f50e602ddc743087047316f Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:30:48 +0200 Subject: [PATCH 09/34] fix: remove unnecessary yarn changelog:update step --- .github/workflows/fix-changelogs.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index bfac08a587..cb1ac87d97 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -62,15 +62,12 @@ jobs: node-version: 22.x ref: ${{ steps.pr.outputs.sha }} - # Checkout by branch name so update-changelog.sh can detect release branches + # Checkout by branch name so validate-changelog.sh can detect release branches - name: Checkout branch by name run: git checkout "$PR_REF" env: PR_REF: ${{ steps.pr.outputs.ref }} - - name: Run changelog update - run: yarn changelog:update - - name: Validate and fix dependency bump entries id: validate run: > From b516c86357762ecbf04e5319fe398c8313abffb1 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:39:34 +0200 Subject: [PATCH 10/34] fix: move reaction step first and report push failures in comment --- .github/workflows/fix-changelogs.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index cb1ac87d97..7159b84e22 100644 
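Review bot: `git add '**/CHANGELOG.md'` does not limit staging to tracked files as the commit message states: `git add <pathspec>` also stages untracked files that match (and, since git 2.0, records deletions), so a stray new CHANGELOG.md in the tree would be committed under the bot identity. `git add -u -- '**/CHANGELOG.md'` stages only changes to already-tracked files. The `git diff --quiet` gate above it inspects every tracked file, not just changelogs; `git diff --quiet -- '**/CHANGELOG.md'` keeps the gate and the staging pathspec aligned so a non-changelog modification cannot reach `git commit` with nothing staged.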
--- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -38,6 +38,12 @@ jobs: if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} runs-on: ubuntu-latest steps: + - name: React to comment + run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' + env: + GH_TOKEN: ${{ github.token }} + COMMENT_ID: ${{ github.event.comment.id }} + - name: Get PR head ref id: pr run: | @@ -48,12 +54,6 @@ jobs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.issue.number }} - - name: React to comment - run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' - env: - GH_TOKEN: ${{ github.token }} - COMMENT_ID: ${{ github.event.comment.id }} - - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@v2 with: @@ -97,6 +97,8 @@ jobs: run: | if [ "$CHANGED" = "true" ]; then gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." + elif [ "$COMMIT_OUTCOME" = "failure" ]; then + gh pr comment "$PR_NUMBER" --body "Failed to push changelog fixes. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." elif [ "$VALIDATE_OUTCOME" = "failure" ]; then gh pr comment "$PR_NUMBER" --body "Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." else @@ -106,4 +108,5 @@ jobs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.issue.number }} CHANGED: ${{ steps.commit.outputs.changed }} + COMMIT_OUTCOME: ${{ steps.commit.outcome }} VALIDATE_OUTCOME: ${{ steps.validate.outcome }} From 455620a060fef9eff2a5590a6d3b49c6753c947a Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 00:53:46 +0200 Subject: [PATCH 11/34] fix: remove unnecessary checkout from fork detection job --- .github/workflows/fix-changelogs.yml | 1 - 1 file changed, 1 deletion(-) 
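Review bot: With `React to comment` now the first step, a failed reaction call (rate limit, transient API error) aborts the job before any changelog work, and the `Comment result` step then sees `CHANGED` empty and both outcomes `skipped`, so it posts "No changelog changes needed" for a run that did nothing. The reaction is cosmetic; mark that step `continue-on-error: true` so an API hiccup cannot mask the real result.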
diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 7159b84e22..36e1490670 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -22,7 +22,6 @@ jobs: outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} steps: - - uses: actions/checkout@v4 - name: Determine whether this PR is from a fork id: is-fork run: | From 9069a65735fd3fa4ccfc9b2295f2c0e4a574f353 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 13:40:27 +0200 Subject: [PATCH 12/34] feat: auto-trigger fix-changelogs on release PR open - Add pull_request opened trigger for release/* branches targeting main - Use github.event.issue.number || github.event.pull_request.number for both triggers - Conditionally show reaction only for comment triggers --- .github/workflows/fix-changelogs.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/fix-changelogs.yml index 36e1490670..e221307c98 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/fix-changelogs.yml @@ -3,9 +3,12 @@ name: Fix Changelogs on: issue_comment: types: [created] + pull_request: + branches: [main] + types: [opened] concurrency: - group: fix-changelogs-${{ github.event.issue.number }} + group: fix-changelogs-${{ github.event.issue.number || github.event.pull_request.number }} cancel-in-progress: true permissions: @@ -16,8 +19,8 @@ jobs: is-fork-pull-request: name: Determine whether this PR is from a fork if: > - github.event.issue.pull_request && - contains(github.event.comment.body, '@metamaskbot check-deps') + (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release/')) || + (github.event.issue.pull_request && contains(github.event.comment.body, '@metamaskbot check-deps')) runs-on: ubuntu-latest outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} 
@@ -25,11 +28,11 @@ jobs: - name: Determine whether this PR is from a fork id: is-fork run: | - IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER") + IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY") echo "IS_FORK=$IS_FORK" >> "$GITHUB_OUTPUT" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} fix-changelogs: name: Fix changelogs @@ -38,6 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: React to comment + if: github.event_name == 'issue_comment' run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' env: GH_TOKEN: ${{ github.token }} @@ -51,7 +55,7 @@ jobs: echo "sha=$(echo "$PR_DATA" | jq -r .sha)" >> "$GITHUB_OUTPUT" env: GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.issue.number }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - name: Checkout and setup environment uses: MetaMask/action-checkout-and-setup@v2 @@ -74,7 +78,7 @@ jobs: run changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" continue-on-error: true env: - PR_NUMBER: ${{ github.event.issue.number }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - name: Commit and push if changed id: commit @@ -105,7 +109,7 @@ jobs: fi env: GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.issue.number }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} CHANGED: ${{ steps.commit.outputs.changed }} COMMIT_OUTCOME: ${{ steps.commit.outcome }} VALIDATE_OUTCOME: ${{ steps.validate.outcome }} From 5a137b13b3c147f9b58a308612367919e290451b Mon Sep 17 00:00:00 2001 
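Review bot: `PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}` is now repeated in four step-level `env` blocks (fork detection, `Get PR head ref`, the validate step, `Comment result`), so the next trigger change has to be applied in every one of them. A workflow-level `env:` block with a single `PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}` is inherited by every step; only the concurrency group needs its own copy, since the `env` context is not available there.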
From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 13:42:40 +0200 Subject: [PATCH 13/34] fix: rename workflow to update-changelogs - Rename file from fix-changelogs.yml to update-changelogs.yml - Update workflow name, job names, and concurrency group - Rename bot command to @metamaskbot update-changelogs --- .../{fix-changelogs.yml => update-changelogs.yml} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename .github/workflows/{fix-changelogs.yml => update-changelogs.yml} (95%) diff --git a/.github/workflows/fix-changelogs.yml b/.github/workflows/update-changelogs.yml similarity index 95% rename from .github/workflows/fix-changelogs.yml rename to .github/workflows/update-changelogs.yml index e221307c98..2d40924a95 100644 --- a/.github/workflows/fix-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -1,4 +1,4 @@ -name: Fix Changelogs +name: Update Changelogs on: issue_comment: @@ -8,7 +8,7 @@ on: types: [opened] concurrency: - group: fix-changelogs-${{ github.event.issue.number || github.event.pull_request.number }} + group: update-changelogs-${{ github.event.issue.number || github.event.pull_request.number }} cancel-in-progress: true permissions: @@ -20,7 +20,7 @@ jobs: name: Determine whether this PR is from a fork if: > (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release/')) || - (github.event.issue.pull_request && contains(github.event.comment.body, '@metamaskbot check-deps')) + (github.event.issue.pull_request && contains(github.event.comment.body, '@metamaskbot update-changelogs')) runs-on: ubuntu-latest outputs: IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} @@ -35,7 +35,7 @@ jobs: PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} fix-changelogs: - name: Fix changelogs + name: Update changelogs needs: is-fork-pull-request if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} runs-on: ubuntu-latest From 61a4b9ebe2439c2ed38087b8065aea4aa0a495a7 Mon Sep 17 00:00:00 2001 
From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 13:52:39 +0200 Subject: [PATCH 14/34] fix: add job timeout and defensive git add separator --- .github/workflows/update-changelogs.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 2d40924a95..a8d27a8b0a 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -39,6 +39,7 @@ jobs: needs: is-fork-pull-request if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} runs-on: ubuntu-latest + timeout-minutes: 30 steps: - name: React to comment if: github.event_name == 'issue_comment' @@ -90,7 +91,7 @@ jobs: git diff --stat git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git add '**/CHANGELOG.md' + git add -- '**/CHANGELOG.md' git commit -m "chore: auto-fix dependency bump changelog entries" git push echo "changed=true" >> "$GITHUB_OUTPUT" From f4aabbbfb7bb5e787f8a9631dbe79f98359ba9a3 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Tue, 14 Apr 2026 14:16:31 +0200 Subject: [PATCH 15/34] fix: address remaining review findings - Add git fetch before branch checkout (shallow clone has no branch refs) - Handle partial fix case: report remaining errors when fixes are pushed - Handle skipped steps: detect when earlier steps fail and report accurately - Rename job ID from fix-changelogs to update-changelogs for consistency --- .github/workflows/update-changelogs.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index a8d27a8b0a..6febdaca7f 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
@@ -34,7 +34,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - fix-changelogs: + update-changelogs: name: Update changelogs needs: is-fork-pull-request if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} @@ -66,9 +66,11 @@ jobs: node-version: 22.x ref: ${{ steps.pr.outputs.sha }} - # Checkout by branch name so validate-changelog.sh can detect release branches - - name: Checkout branch by name - run: git checkout "$PR_REF" + # Fetch and checkout by branch name so git push targets the correct branch + - name: Checkout PR branch + run: | + git fetch origin "$PR_REF" + git checkout "$PR_REF" env: PR_REF: ${{ steps.pr.outputs.ref }} 
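Review bot: `git fetch origin "$PR_REF"` followed by `git checkout "$PR_REF"` moves the tree to whatever the branch points at fetch time, so the `sha` resolved in `Get PR head ref` and pinned by the `ref:` checkout just above is discarded, and a push that landed in between is silently built upon. Checking out the pinned commit under the branch name, `git checkout -B "$PR_REF" "$PR_SHA"` with `PR_SHA: ${{ steps.pr.outputs.sha }}` added to this step's env, and pushing explicitly with `git push origin HEAD:"$PR_REF"` in the commit step, turns a moved branch into a non-fast-forward rejection that the existing `COMMIT_OUTCOME` message already reports. The commit step is outside this hunk.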
@@ -99,12 +101,16 @@ jobs: - name: Comment result if: always() run: | - if [ "$CHANGED" = "true" ]; then + if [ "$CHANGED" = "true" ] && [ "$VALIDATE_OUTCOME" = "failure" ]; then + gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed, but some validation errors remain. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + elif [ "$CHANGED" = "true" ]; then gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." elif [ "$COMMIT_OUTCOME" = "failure" ]; then gh pr comment "$PR_NUMBER" --body "Failed to push changelog fixes. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." elif [ "$VALIDATE_OUTCOME" = "failure" ]; then gh pr comment "$PR_NUMBER" --body "Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + elif [ "$VALIDATE_OUTCOME" = "skipped" ] || [ "$COMMIT_OUTCOME" = "skipped" ]; then + gh pr comment "$PR_NUMBER" --body "Workflow failed before changelog validation. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." else gh pr comment "$PR_NUMBER" --body "No changelog changes needed." fi From e8bd7beccc98bb3d33e5ce133f3852b18d32a6f0 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 12:33:05 +0200 Subject: [PATCH 16/34] fix: fetch origin/main for --checkDeps base branch comparison Shallow clone with fetch-depth: 1 doesn't include origin/main, causing --checkDeps to fail with "could not resolve base branch". --- .github/workflows/update-changelogs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 6febdaca7f..43fc79acfa 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
@@ -66,10 +66,10 @@ jobs: node-version: 22.x ref: ${{ steps.pr.outputs.sha }} - # Fetch and checkout by branch name so git push targets the correct branch + # Fetch main for --checkDeps base comparison, and the PR branch for push - name: Checkout PR branch run: | - git fetch origin "$PR_REF" + git fetch origin main "$PR_REF" git checkout "$PR_REF" env: PR_REF: ${{ steps.pr.outputs.ref }} From 30eec0c4ffb6bfd0f1621be3332199499fb3ea4d Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 15:11:33 +0200 Subject: [PATCH 17/34] fix: use full git history and hide previous bot comments - Use fetch-depth: 0 so git merge-base can find common ancestor with main - Hide previous bot comments on rerun to reduce noise - Add emoji to comment messages for clarity --- .github/workflows/update-changelogs.yml | 29 ++++++++++++++++--------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 43fc79acfa..52912f7afd 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
@@ -65,15 +65,24 @@ jobs: cache-node-modules: true node-version: 22.x ref: ${{ steps.pr.outputs.sha }} + fetch-depth: 0 - # Fetch main for --checkDeps base comparison, and the PR branch for push - name: Checkout PR branch - run: | - git fetch origin main "$PR_REF" - git checkout "$PR_REF" + run: git checkout "$PR_REF" env: PR_REF: ${{ steps.pr.outputs.ref }} + - name: Hide previous bot comments + run: | + COMMENT_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ + --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("Changelogs|Changelog|changelog"))) | .node_id] | .[]') + for NODE_ID in $COMMENT_IDS; do + gh api graphql -f query='mutation { minimizeComment(input: {subjectId: "'"$NODE_ID"'", classifier: OUTDATED}) { clientMutationId } }' + done + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} + - name: Validate and fix dependency bump entries id: validate run: 
> @@ -102,17 +111,17 @@ jobs: if: always() run: | if [ "$CHANGED" = "true" ] && [ "$VALIDATE_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed, but some validation errors remain. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + gh pr comment "$PR_NUMBER" --body "⚠️ Changelogs updated and pushed, but some validation errors remain. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." elif [ "$CHANGED" = "true" ]; then - gh pr comment "$PR_NUMBER" --body "Changelogs updated and pushed." + gh pr comment "$PR_NUMBER" --body "✅ Changelogs updated and pushed." elif [ "$COMMIT_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "Failed to push changelog fixes. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + gh pr comment "$PR_NUMBER" --body "❌ Failed to push changelog fixes. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." elif [ "$VALIDATE_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + gh pr comment "$PR_NUMBER" --body "❌ Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." elif [ "$VALIDATE_OUTCOME" = "skipped" ] || [ "$COMMIT_OUTCOME" = "skipped" ]; then - gh pr comment "$PR_NUMBER" --body "Workflow failed before changelog validation. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." + gh pr comment "$PR_NUMBER" --body "❌ Workflow failed before changelog validation. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." 
else - gh pr comment "$PR_NUMBER" --body "No changelog changes needed." + gh pr comment "$PR_NUMBER" --body "✅ No changelog changes needed." fi env: GH_TOKEN: ${{ github.token }} From b20f53e4e63609f3654fd5728644d35e9ecda598 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 15:23:01 +0200 Subject: [PATCH 18/34] fix: improve bot comment hiding reliability - Add --paginate to handle PRs with many comments - Use precise emoji-anchored regex to match only this workflow's comments - Add continue-on-error so comment hiding doesn't block core workflow --- .github/workflows/update-changelogs.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 52912f7afd..36337051eb 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -73,9 +73,10 @@ jobs: PR_REF: ${{ steps.pr.outputs.ref }} - name: Hide previous bot comments + continue-on-error: true run: | - COMMENT_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \ - --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("Changelogs|Changelog|changelog"))) | .node_id] | .[]') + COMMENT_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate \ + --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("^(✅|⚠️|❌) (Changelogs|Changelog|No changelog)"))) | .node_id] | .[]') for NODE_ID in $COMMENT_IDS; do gh api graphql -f query='mutation { minimizeComment(input: {subjectId: "'"$NODE_ID"'", classifier: OUTDATED}) { clientMutationId } }' done From 29a5a0472d87d6ea0abf3467179a3f53bd3af10a Mon Sep 17 00:00:00 2001 
From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 17:08:39 +0200 Subject: [PATCH 19/34] feat: use CHANGELOG_UPDATE_TOKEN for git push to trigger CI Use patroll-managed PAT so commits pushed by this workflow trigger subsequent CI workflows (GITHUB_TOKEN commits don't trigger workflows). Depends on: https://github.com/MetaMask/patroll/pull/75 --- .github/workflows/update-changelogs.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 36337051eb..860bec8fc5 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -66,6 +66,8 @@ jobs: node-version: 22.x ref: ${{ steps.pr.outputs.sha }} fetch-depth: 0 + # Use PAT to ensure the push triggers subsequent CI workflows + token: ${{ secrets.CHANGELOG_UPDATE_TOKEN }} - name: Checkout PR branch run: git checkout "$PR_REF" From d29dc62422fb7726b23763881e46ea9aafb68129 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 17:29:53 +0200 Subject: [PATCH 20/34] fix: rename secret to UPDATE_CHANGELOG_TOKEN --- .github/workflows/update-changelogs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 860bec8fc5..6dca05d8e0 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -67,7 +67,7 @@ jobs: ref: ${{ steps.pr.outputs.sha }} fetch-depth: 0 # Use PAT to ensure the push triggers subsequent CI workflows - token: ${{ secrets.CHANGELOG_UPDATE_TOKEN }} + token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - name: Checkout PR branch run: git checkout "$PR_REF" From 567a53b68aa0e2481c2fabfbb8c77195957e6fa7 Mon Sep 17 00:00:00 2001 
From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 17:40:59 +0200 Subject: [PATCH 21/34] fix: use actions/checkout with PAT directly MetaMask/action-checkout-and-setup doesn't accept a token input, so the PAT was silently ignored. Use actions/checkout with the PAT first, then gh pr checkout, then action-checkout-and-setup for node/yarn setup (it skips checkout if .git already exists). --- .github/workflows/update-changelogs.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 6dca05d8e0..82371595d4 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -58,21 +58,25 @@ jobs: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - - name: Checkout and setup environment - uses: MetaMask/action-checkout-and-setup@v2 + - name: Checkout repository + uses: actions/checkout@v4 with: - is-high-risk-environment: false - cache-node-modules: true - node-version: 22.x - ref: ${{ steps.pr.outputs.sha }} - fetch-depth: 0 # Use PAT to ensure the push triggers subsequent CI workflows token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} + fetch-depth: 0 - - name: Checkout PR branch - run: git checkout "$PR_REF" + - name: Checkout pull request + run: gh pr checkout "$PR_NUMBER" env: - PR_REF: ${{ steps.pr.outputs.ref }} + GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} + + - name: Setup environment + uses: MetaMask/action-checkout-and-setup@v2 + with: + is-high-risk-environment: false + cache-node-modules: true + node-version: 22.x - name: Hide previous bot comments continue-on-error: true From 0959eccc4912f0cb2e6ec08f5d7459f888ba520b Mon Sep 17 00:00:00 2001 
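Review bot: `actions/checkout@v4` with `token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}` persists that PAT in `.git/config` for the rest of the job (`persist-credentials` defaults to true), so the later setup action (presumably running `yarn install`) and the `changelog:validate --fix` run, both executing scripts taken from the PR head that `gh pr checkout` switched to, can read a token with write access to the repository. The `is-fork` gate limits this to branches pushed by collaborators, but the token still outlives the single step that needs it. Consider `persist-credentials: false` on the checkout and supplying the token only to the push, e.g. `git push "https://x-access-token:${UPDATE_CHANGELOG_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD`, with the secret in that step's `env` alone.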
From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 18:06:28 +0200 Subject: [PATCH 22/34] fix: address review findings - dead code, regex, token cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove unused "Get PR head ref" step (gh pr checkout handles it) - Simplify comment-hiding regex to ^(✅|⚠️|❌) to match all 6 variants - Set GITHUB_TOKEN and PR_NUMBER at job level to reduce repetition - Remove per-step env overrides that are now inherited --- .github/workflows/update-changelogs.yml | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 82371595d4..0e90897e2f 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -40,24 +40,16 @@ jobs: if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} runs-on: ubuntu-latest timeout-minutes: 30 + env: + GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} steps: - name: React to comment if: github.event_name == 'issue_comment' run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' env: - GH_TOKEN: ${{ github.token }} COMMENT_ID: ${{ github.event.comment.id }} - - name: Get PR head ref - id: pr - run: | - PR_DATA=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '{ref: .head.ref, sha: .head.sha}') - echo "ref=$(echo "$PR_DATA" | jq -r .ref)" >> "$GITHUB_OUTPUT" - echo "sha=$(echo "$PR_DATA" | jq -r .sha)" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - - name: Checkout repository uses: actions/checkout@v4 with: 
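Review bot: Moving `GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}` to the job-level `env` puts the write-capable PAT into the environment of every step, including `yarn workspaces foreach ... run changelog:validate` which executes whatever `changelog:validate` script the checked-out PR head defines. Only the checkout, `gh pr checkout` and push steps need this token; the API calls already work with `github.token`. Keep the PAT in the `env` of those steps only and leave `PR_NUMBER` as the sole job-level value; if `auto-changelog --checkDeps --currentPr` needs API access, give that step `GITHUB_TOKEN: ${{ github.token }}` explicitly rather than inheriting the PAT.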
@@ -67,9 +59,6 @@ jobs: - name: Checkout pull request run: gh pr checkout "$PR_NUMBER" - env: - GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - name: Setup environment uses: MetaMask/action-checkout-and-setup@v2 @@ -82,13 +71,10 @@ jobs: continue-on-error: true run: | COMMENT_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate \ - --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("^(✅|⚠️|❌) (Changelogs|Changelog|No changelog)"))) | .node_id] | .[]') + --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("^(✅|⚠️|❌)"))) | .node_id] | .[]') for NODE_ID in $COMMENT_IDS; do gh api graphql -f query='mutation { minimizeComment(input: {subjectId: "'"$NODE_ID"'", classifier: OUTDATED}) { clientMutationId } }' done - env: - GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - name: Validate and fix dependency bump entries id: validate @@ -96,8 +82,6 @@ jobs: yarn workspaces foreach --all --no-private --parallel --interlaced --verbose run changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" continue-on-error: true - env: - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} - name: Commit and push if changed id: commit @@ -132,7 +116,6 @@ jobs: fi env: GH_TOKEN: ${{ github.token }} - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} CHANGED: ${{ steps.commit.outputs.changed }} COMMIT_OUTCOME: ${{ steps.commit.outcome }} VALIDATE_OUTCOME: ${{ steps.validate.outcome }} From bbac60886a69ca34cc59e1e15aa7f3ad24511ae4 Mon Sep 17 00:00:00 2001 
From: Salah-Eddine Saakoun Date: Wed, 15 Apr 2026 23:06:13 +0200 Subject: [PATCH 23/34] fix: use github.token for reactions and comments, PAT only for git push The PAT lacks issues:write permission needed for reactions and comments. Override GITHUB_TOKEN with github.token on steps that interact with the GitHub API (reactions, hiding comments, posting results). --- .github/workflows/update-changelogs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 0e90897e2f..1be526f025 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -48,6 +48,7 @@ jobs: if: github.event_name == 'issue_comment' run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' env: + GH_TOKEN: ${{ github.token }} COMMENT_ID: ${{ github.event.comment.id }} - name: Checkout repository @@ -75,6 +76,8 @@ jobs: for NODE_ID in $COMMENT_IDS; do gh api graphql -f query='mutation { minimizeComment(input: {subjectId: "'"$NODE_ID"'", classifier: OUTDATED}) { clientMutationId } }' done + env: + GH_TOKEN: ${{ github.token }} - name: Validate and fix dependency bump entries id: validate From aa78ed8405d1baa76b1f724c5cbdabca2246c795 Mon Sep 17 00:00:00 2001 From: Salah-Eddine Saakoun Date: Thu, 16 Apr 2026 05:06:24 +0200 Subject: [PATCH 24/34] fix: add continue-on-error to reaction step --- .github/workflows/update-changelogs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 1be526f025..8e25ad4745 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -46,6 +46,7 @@ jobs: steps: - name: React to comment if: github.event_name == 'issue_comment' + continue-on-error: true run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' env: GH_TOKEN: ${{ github.token }} 
From f0ea391cb753c81712bc6f302658e859b200c3d4 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 20 Apr 2026 12:04:08 +0200 Subject: [PATCH 25/34] Address feedback, simplify workflow --- .github/workflows/update-changelogs.yml | 172 +++++++++++++++--------- 1 file changed, 109 insertions(+), 63 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 8e25ad4745..1046361b45 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -2,10 +2,13 @@ name: Update Changelogs on: issue_comment: - types: [created] + types: + - created pull_request: - branches: [main] - types: [opened] + branches: + - main + types: + - opened concurrency: group: update-changelogs-${{ github.event.issue.number || github.event.pull_request.number }} 
@@ -18,108 +21,151 @@ permissions: jobs: is-fork-pull-request: name: Determine whether this PR is from a fork - if: > - (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release/')) || - (github.event.issue.pull_request && contains(github.event.comment.body, '@metamaskbot update-changelogs')) + if: github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-pr') runs-on: ubuntu-latest outputs: - IS_FORK: ${{ steps.is-fork.outputs.IS_FORK }} + is-fork: ${{ steps.is-fork.outputs.is-fork }} steps: - name: Determine whether this PR is from a fork id: is-fork run: | - IS_FORK=$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY") - echo "IS_FORK=$IS_FORK" >> "$GITHUB_OUTPUT" + IS_FORK="$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY")" + echo "is-fork=$IS_FORK" >> "$GITHUB_OUTPUT" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} + react-to-comment: + name: React to the comment + if: ${{ needs.is-fork-pull-request.outputs.is-fork == 'false' }} + runs-on: ubuntu-latest + needs: + - is-fork-pull-request + environment: default-branch + continue-on-error: true + steps: + - name: Checkout repository + uses: actions/checkout@v6 + - name: React to the comment + run: | + gh api \ + --method POST \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "/repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \ + -f content='+1' + env: + COMMENT_ID: ${{ github.event.comment.id }} + GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} + REPO: ${{ github.repository }} + update-changelogs: name: Update changelogs needs: is-fork-pull-request - if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} + if: ${{ needs.is-fork-pull-request.outputs.is-fork == 'false' }} runs-on: ubuntu-latest - timeout-minutes: 30 + 
environment: default-branch env: GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} steps: - - name: React to comment - if: github.event_name == 'issue_comment' - continue-on-error: true - run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1' - env: - GH_TOKEN: ${{ github.token }} - COMMENT_ID: ${{ github.event.comment.id }} - - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: - # Use PAT to ensure the push triggers subsequent CI workflows token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - fetch-depth: 0 - name: Checkout pull request run: gh pr checkout "$PR_NUMBER" - name: Setup environment - uses: MetaMask/action-checkout-and-setup@v2 + uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false cache-node-modules: true - node-version: 22.x - - name: Hide previous bot comments + - name: Ensure required dependency bump entries exist across all changelogs + id: update-changelogs + run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" continue-on-error: true - run: | - COMMENT_IDS=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate \ - --jq '[.[] | select(.user.login == "github-actions[bot]" and (.body | test("^(✅|⚠️|❌)"))) | .node_id] | .[]') - for NODE_ID in $COMMENT_IDS; do - gh api graphql -f query='mutation { minimizeComment(input: {subjectId: "'"$NODE_ID"'", classifier: OUTDATED}) { clientMutationId } }' - done - env: - GH_TOKEN: ${{ github.token }} - - name: Validate and fix dependency bump entries - id: validate - run: > - yarn workspaces foreach --all --no-private --parallel --interlaced --verbose - run changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" - continue-on-error: true - - - name: Commit and push if changed - id: commit + - name: Commit and push updated changelogs + id: push-changes run: | if git diff --quiet; then 
- echo "changed=false" >> "$GITHUB_OUTPUT" + echo "changes-pushed=false" >> "$GITHUB_OUTPUT" exit 0 fi + git diff --stat git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git add -- '**/CHANGELOG.md' - git commit -m "chore: auto-fix dependency bump changelog entries" + git commit -m "chore: Update dependency bump changelog entries" git push - echo "changed=true" >> "$GITHUB_OUTPUT" + + echo "changes-pushed=true" >> "$GITHUB_OUTPUT" - name: Comment result if: always() - run: | - if [ "$CHANGED" = "true" ] && [ "$VALIDATE_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "⚠️ Changelogs updated and pushed, but some validation errors remain. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." - elif [ "$CHANGED" = "true" ]; then - gh pr comment "$PR_NUMBER" --body "✅ Changelogs updated and pushed." - elif [ "$COMMIT_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "❌ Failed to push changelog fixes. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." - elif [ "$VALIDATE_OUTCOME" = "failure" ]; then - gh pr comment "$PR_NUMBER" --body "❌ Changelog validation failed. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." - elif [ "$VALIDATE_OUTCOME" = "skipped" ] || [ "$COMMIT_OUTCOME" = "skipped" ]; then - gh pr comment "$PR_NUMBER" --body "❌ Workflow failed before changelog validation. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details." - else - gh pr comment "$PR_NUMBER" --body "✅ No changelog changes needed." 
- fi + uses: actions/github-script@v9 env: - GH_TOKEN: ${{ github.token }} - CHANGED: ${{ steps.commit.outputs.changed }} - COMMIT_OUTCOME: ${{ steps.commit.outcome }} - VALIDATE_OUTCOME: ${{ steps.validate.outcome }} + CHANGES_PUSHED: ${{ steps.push-changes.outputs.changes-pushed }} + PUSH_CHANGES_OUTCOME: ${{ steps.push-changes.outcome }} + UPDATE_CHANGELOGS_OUTCOME: ${{ steps.update-changelogs.outcome }} + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} + with: + github-token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} + script: | + const { + CHANGES_PUSHED, + PUSH_CHANGES_OUTCOME, + UPDATE_CHANGELOGS_OUTCOME, + PR_NUMBER, + } = process.env; + + // List and minimize any existing changelog update comments. + const comments = await github.paginate(github.rest.issues.listComments, { + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: process.env.PR_NUMBER, + }); + + for (const comment of comments) { + if (comment.body.includes('')) { + await github.graphql(` + mutation($commentId: ID!, $classifier: ReportedContentClassifiers!) { + minimizeComment(input: {subjectId: $commentId, classifier: $classifier}) { + minimizedComment { + isMinimized + } + } + } + `, { + commentId: comment.node_id, + classifier: 'OUTDATED', + }); + } + } + + function getCommentBody() { + if (CHANGES_PUSHED === 'true' && UPDATE_CHANGELOGS_OUTCOME === 'failure') { + return `⚠️ Changelogs updated and pushed, but some validation errors remain. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`; + } else if (CHANGES_PUSHED === 'true') { + return '✅ Changelogs updated and pushed.'; + } else if (PUSH_CHANGES_OUTCOME === 'failure') { + return `❌ Failed to push changelog fixes. 
Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`; + } else if (UPDATE_CHANGELOGS_OUTCOME === 'failure') { + return `❌ Changelog validation failed. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`; + } else if (UPDATE_CHANGELOGS_OUTCOME === 'skipped' || PUSH_CHANGES_OUTCOME === 'skipped') { + return `❌ Workflow failed before changelog validation. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`; + } else { + return '✅ No changelog changes needed.'; + } + } + + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: process.env.PR_NUMBER, + body: `${getCommentBody()}\n\n`, + }); From 219277f809c467b73ade35b3d2e4efc7eec18d2f Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 20 Apr 2026 12:14:22 +0200 Subject: [PATCH 26/34] Add release check --- .github/actions/check-release/action.yml | 2 +- .github/workflows/update-changelogs.yml | 39 ++++++++++++++++++------ 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/.github/actions/check-release/action.yml b/.github/actions/check-release/action.yml index 9e9f15f5f0..caa7c0e08a 100644 --- a/.github/actions/check-release/action.yml +++ b/.github/actions/check-release/action.yml @@ -32,7 +32,7 @@ runs: id: is-release uses: MetaMask/action-is-release@v2 with: - commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`' + commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }} commit-message: ${{ github.event.pull_request.title }} before: ${{ steps.merge-base.outputs.MERGE_BASE }} skip-checkout: true 
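Review bot: `if (comment.body.includes(''))` is true for every comment (every string contains the empty string), so as written the loop marks every comment on the PR as outdated, not just this workflow's; the `\n\n` trailing the new `body` suggests an HTML marker was lost in rendering, so confirm it survives in the committed file, and if not, add one, e.g. `const MARKER = '<!-- update-changelogs -->';`, append it in `body`, and test `comment.body.includes(MARKER)`. The loop also no longer filters on author as the shell version did with `github-actions[bot]`, and since the comment is now created with the PAT its author is the PAT owner, so any author filter must match that login. Separately, this revision uses `secrets.UPDATE_CHANGELOG_TOKEN` for reactions and `github-token` on the comment step, which an earlier commit in this series says the PAT cannot do; confirm its permissions were widened, because `continue-on-error: true` on `react-to-comment` would otherwise hide the failure.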
diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 1046361b45..38b2bb222e 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -19,12 +19,12 @@ permissions: pull-requests: write jobs: - is-fork-pull-request: - name: Determine whether this PR is from a fork - if: github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-pr') + is-release: + name: Determine whether this PR is a release PR + if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs')) runs-on: ubuntu-latest outputs: - is-fork: ${{ steps.is-fork.outputs.is-fork }} + is-release: ${{ steps.is-release.outputs.is-release }} steps: - name: Determine whether this PR is from a fork id: is-fork 
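Review bot: The trigger `startsWith(github.event.comment.body, '@metamaskbot update-changelogs')` accepts the command from any commenter, so anyone who can comment on an internal PR can start a job that checks out that branch, runs its scripts with a write-capable PAT and pushes commits back to it; the `is-fork` step only looks at where the branch lives, not who issued the command. Gate on the commenter too, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` in the job `if`, unless the `default-branch` environment already enforces reviewer approval, which is not visible here.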
@@ -35,12 +35,33 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} + - name: Get merge base + if: steps.is-fork.outputs.is-fork == 'false' + id: merge-base + shell: bash + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + run: | + set -euo pipefail + + MERGE_BASE=$(git merge-base HEAD "refs/remotes/origin/$BASE_REF") + echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT" + + - name: Check if the pull request is a release + if: steps.is-fork.outputs.is-fork == 'false' + id: is-release + uses: MetaMask/action-is-release@v2 + with: + commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }} + commit-message: ${{ github.event.pull_request.title }} + before: ${{ steps.merge-base.outputs.merge-base }} + skip-checkout: true + react-to-comment: name: React to the comment - if: ${{ needs.is-fork-pull-request.outputs.is-fork == 'false' }} + needs: is-release + if: ${{ needs.is-release.outputs.is-release == 'true' }} runs-on: ubuntu-latest - needs: - - is-fork-pull-request environment: default-branch continue-on-error: true steps: @@ -61,8 +82,8 @@ jobs: update-changelogs: name: Update changelogs - needs: is-fork-pull-request - if: ${{ needs.is-fork-pull-request.outputs.is-fork == 'false' }} + needs: is-release + if: ${{ needs.is-release.outputs.is-release == 'true' }} runs-on: ubuntu-latest environment: default-branch env: From 7fc7da9e9df73f7882c4f4adffa4ae63b74fa2b6 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 20 Apr 2026 12:17:52 +0200 Subject: [PATCH 27/34] Fix `RELEASE_COMMIT_PREFIX` var --- .github/actions/check-release/action.yml | 7 ++++++- .github/workflows/main.yml | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/actions/check-release/action.yml b/.github/actions/check-release/action.yml index caa7c0e08a..7932549b50 100644 --- a/.github/actions/check-release/action.yml +++ b/.github/actions/check-release/action.yml 
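Review bot: The new steps read `github.event.pull_request.base.ref` and `github.event.pull_request.title`, but on the `issue_comment` path this job also serves `github.event.pull_request` is absent and both expand to empty strings, so `git merge-base HEAD "refs/remotes/origin/"` fails and `action-is-release` receives an empty `commit-message`. The merge-base step also runs `git` before any checkout in this job, so there is no repository to query yet. Resolve base ref, head SHA and title with one `gh pr view "$PR_NUMBER" --json baseRefName,headRefOid,title` after a checkout and feed those outputs to both the merge-base and the release check; the title is the part most likely to stay wrong if only the ref is fixed.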
@@ -1,6 +1,11 @@ name: Check release description: Check for conflicts in packages being released in this PR. +inputs: + commit-starts-with: + description: "Validate that the release commit starts with a string in this comma-separated list. Use '[version]' to refer to the current release version." + required: true + runs: using: composite steps: @@ -32,7 +37,7 @@ runs: id: is-release uses: MetaMask/action-is-release@v2 with: - commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }} + commit-starts-with: ${{ inputs.commit-starts-with }} commit-message: ${{ github.event.pull_request.title }} before: ${{ steps.merge-base.outputs.MERGE_BASE }} skip-checkout: true diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index da0a7456bb..a6a84f4a55 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -90,6 +90,8 @@ jobs: - name: Check release if: github.event_name != 'push' uses: ./.github/actions/check-release + with: + commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }} is-release: name: Determine whether this is a release merge commit From d307b94ce8ec7e300309db954b7dd4a11f2f9a6c Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Mon, 20 Apr 2026 12:19:44 +0200 Subject: [PATCH 28/34] Potential fix for pull request finding 'CodeQL / Untrusted Checkout TOCTOU' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/update-changelogs.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 38b2bb222e..35876989da 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
@@ -89,6 +89,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
+ PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -96,7 +97,9 @@ jobs:
 token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 
 - name: Checkout pull request
- run: gh pr checkout "$PR_NUMBER"
+ run: |
+ git fetch --no-tags origin "$PR_HEAD_SHA"
+ git checkout --detach "$PR_HEAD_SHA"
 
 - name: Setup environment
 uses: MetaMask/action-checkout-and-setup@v3
From 34f945bafa93598c1f2e5e478811b377bb89c6b1 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 12:30:58 +0200
Subject: [PATCH 29/34] Fix PR head SHA logic

---
 .github/workflows/update-changelogs.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index 35876989da..b0d4e67590 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -89,14 +89,22 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
- PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
 with:
 token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 
+ - name: Get pull request head SHA
+ id: pr-head-sha
+ run: echo "pr-head-sha=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
+ env:
+ GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
+ PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
+
 - name: Checkout pull request
+ env:
+ PR_HEAD_SHA: ${{ steps.pr-head-sha.outputs.pr-head-sha }}
 run: |
 git fetch --no-tags origin "$PR_HEAD_SHA"
 git checkout --detach "$PR_HEAD_SHA"
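Review bot: Resolving the head SHA with `gh pr view "$PR_NUMBER" --json headRefOid` inside `update-changelogs` (PATCH 29 hunk) re-opens the window the previous commit closed: the SHA is read after the `is-release` job has already made its decision, so a commit pushed to the PR between the two jobs is what gets fetched, checked out and then executed by the project's scripts, with `UPDATE_CHANGELOG_TOKEN` set at job level. Resolve the SHA once in `is-release`, export it as a job output and consume it here through `needs.is-release.outputs.…`, so the commit that was classified is the commit that runs. Independently, `echo "pr-head-sha=$(gh ...)" >> "$GITHUB_OUTPUT"` reports success even when `gh` fails, so `PR_HEAD_SHA` can reach `git fetch` empty; a `: "${PR_HEAD_SHA:?}"` line at the top of the checkout script fails closed. The previous commit's `@@ -96,7 +97,9 @@` hunk has the mirror-image problem: `github.event.pull_request.head.sha` is empty on `issue_comment` events, which is presumably why this commit moved to `gh`.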
From 3295258bde0b5df828281212a2154e5ea8693795 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 12:35:19 +0200
Subject: [PATCH 30/34] Fix more PR head SHA logic

---
 .github/workflows/update-changelogs.yml | 28 +++++++++++++++++--------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index b0d4e67590..99060d2c7f 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -25,6 +25,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 is-release: ${{ steps.is-release.outputs.is-release }}
+ head-sha: ${{ steps.pr-head-sha.outputs.pr-head-sha }}
 steps:
 - name: Determine whether this PR is from a fork
 id: is-fork
@@ -35,12 +36,28 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
 
+ - name: Get pull request base ref and head SHA
+ if: steps.is-fork.outputs.is-fork == 'false'
+ id: pr-head-sha
+ env:
+ GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
+ PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
+ run: |
+ echo "pr-base-ref=$(gh pr view "$PR_NUMBER" --json baseRefName --jq '.baseRefName' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
+ echo "pr-head-sha=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
+
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ fetch-depth: 0
+
 - name: Get merge base
 if: steps.is-fork.outputs.is-fork == 'false'
 id: merge-base
 shell: bash
 env:
- BASE_REF: ${{ github.event.pull_request.base.ref }}
+ BASE_REF: ${{ steps.pr-head-sha.outputs.pr-base-ref }}
 run: |
 set -euo pipefail
 
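Review bot: The new `Checkout repository` step in `is-release` has no `ref:`, so on `issue_comment` events it checks out the default branch and the following `git merge-base HEAD "refs/remotes/origin/$BASE_REF"` is computed against that rather than the PR head, which makes `before:` describe the wrong commit; pass `ref: ${{ steps.pr-head-sha.outputs.pr-head-sha }}`. `Get pull request base ref and head SHA` repeats the `echo "...=$(gh ...)"` shape, which stays green when `gh` fails and writes empty `pr-base-ref`/`pr-head-sha`; the `Get merge base` step directly below already uses `set -euo pipefail`, so this step should too, capturing each value into a variable and asserting it is non-empty (`: "${HEAD_SHA:?}"`) before appending to `$GITHUB_OUTPUT`. Both values decide which commit is later checked out and executed, so an empty or default-branch result should fail the job rather than fall through.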
@@ -95,16 +112,9 @@ jobs:
 with:
 token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 
- - name: Get pull request head SHA
- id: pr-head-sha
- run: echo "pr-head-sha=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
- env:
- GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
- PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
-
 - name: Checkout pull request
 env:
- PR_HEAD_SHA: ${{ steps.pr-head-sha.outputs.pr-head-sha }}
+ PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }}
 run: |
 git fetch --no-tags origin "$PR_HEAD_SHA"
 git checkout --detach "$PR_HEAD_SHA"
From 1cf4de8f14b168107eb29c083ee1684e27a25ce0 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 12:37:44 +0200
Subject: [PATCH 31/34] Update `is-release` step in main workflow

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a6a84f4a55..d43e59cded 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -104,7 +104,7 @@ jobs:
 - id: is-release
 uses: MetaMask/action-is-release@v2
 with:
- commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
+ commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
 
 publish-release:
 name: Publish release
From 4f7aeb01fae5b14a1206cfe9df2395e065aeb6ce Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 13:24:23 +0200
Subject: [PATCH 32/34] Separate is-fork again

---
 .github/workflows/update-changelogs.yml | 28 +++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index 99060d2c7f..dca5fa3636 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -19,12 +19,30 @@ permissions:
 pull-requests: write
 
 jobs:
+ is-fork:
+ name: Determine whether this PR is from a fork
+ if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs'))
+ runs-on: ubuntu-latest
+ outputs:
+ is-fork: ${{ steps.is-fork.outputs.is-fork }}
+ steps:
+ - name: Determine whether this PR is from a fork
+ id: is-fork
+ run: |
+ IS_FORK="$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY")"
+ echo "is-fork=$IS_FORK" >> "$GITHUB_OUTPUT"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
+
 is-release:
 name: Determine whether this PR is a release PR
- if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs'))
+ needs: is-fork
+ if: needs.is-fork.outputs.is-fork == 'false'
 runs-on: ubuntu-latest
+ environment: default-branch
 outputs:
- is-release: ${{ steps.is-release.outputs.is-release }}
+ is-release: ${{ steps.is-release.outputs.IS_RELEASE }}
 head-sha: ${{ steps.pr-head-sha.outputs.pr-head-sha }}
 steps:
 - name: Determine whether this PR is from a fork
@@ -40,7 +58,7 @@ jobs:
 if: steps.is-fork.outputs.is-fork == 'false'
 id: pr-head-sha
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
+ GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
 run: |
 echo "pr-base-ref=$(gh pr view "$PR_NUMBER" --json baseRefName --jq '.baseRefName' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
@@ -94,7 +112,7 @@ jobs:
 -f content='+1'
 env:
 COMMENT_ID: ${{ github.event.comment.id }}
- GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
+ GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 REPO: ${{ github.repository }}
 
 update-changelogs:
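Review bot: The `is-fork` job's `if:` fires on any `@metamaskbot update-changelogs` comment regardless of who wrote it; the `isCrossRepository` check then limits execution to branches living in this repository, so what remains exposed is the ability of any commenter to start a run that uses `UPDATE_CHANGELOG_TOKEN` against a trusted branch. Adding `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to that condition keeps the trigger to accounts that could push the branch anyway. The output now reads `steps.is-release.outputs.IS_RELEASE` while the replaced line used lowercase `is-release`; output names are case-sensitive, so if `MetaMask/action-is-release@v2` does not emit `IS_RELEASE` the downstream `needs.is-release.outputs.is-release == 'true'` is silently never true — worth confirming against the action. The in-job `Determine whether this PR is from a fork` step and the `if: steps.is-fork.outputs.is-fork == 'false'` guards (context lines here and in the `@@ -40,7 +58,7 @@` hunk) duplicate the new job and can be removed.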
@@ -104,7 +122,6 @@ jobs:
 runs-on: ubuntu-latest
 environment: default-branch
 env:
- GITHUB_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
 steps:
 - name: Checkout repository
@@ -123,7 +140,6 @@ jobs:
 uses: MetaMask/action-checkout-and-setup@v3
 with:
 is-high-risk-environment: false
- cache-node-modules: true
 
 - name: Ensure required dependency bump entries exist across all changelogs
 id: update-changelogs
From ccae16b06d0d718676ad7a77cca76ec04b7bac3b Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 14:38:04 +0200
Subject: [PATCH 33/34] More fixes

---
 .github/workflows/update-changelogs.yml | 40 ++++++++++++-------------
 1 file changed, 19 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index dca5fa3636..5e79c32224 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -43,39 +43,34 @@ jobs:
 environment: default-branch
 outputs:
 is-release: ${{ steps.is-release.outputs.IS_RELEASE }}
- head-sha: ${{ steps.pr-head-sha.outputs.pr-head-sha }}
+ head-sha: ${{ steps.pr-info.outputs.pr-head-sha }}
+ head-ref: ${{ steps.pr-info.outputs.pr-head-ref }}
+ base-ref: ${{ steps.pr-info.outputs.pr-base-ref }}
 steps:
- - name: Determine whether this PR is from a fork
- id: is-fork
- run: |
- IS_FORK="$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY")"
- echo "is-fork=$IS_FORK" >> "$GITHUB_OUTPUT"
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
-
- - name: Get pull request base ref and head SHA
- if: steps.is-fork.outputs.is-fork == 'false'
- id: pr-head-sha
+ - name: Get pull request info
+ id: pr-info
 env:
 GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
 PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
 run: |
- echo "pr-base-ref=$(gh pr view "$PR_NUMBER" --json baseRefName --jq '.baseRefName' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
- echo "pr-head-sha=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid' --repo "$GITHUB_REPOSITORY")" >> "$GITHUB_OUTPUT"
+ gh pr view "$PR_NUMBER" \
+ --repo "$GITHUB_REPOSITORY" \
+ --json baseRefName,headRefOid,headRefName,title \
+ --jq '"pr-base-ref=\(.baseRefName)\npr-head-sha=\(.headRefOid)\npr-head-ref=\(.headRefName)\npr-title=\(.title)"' \
+ >> "$GITHUB_OUTPUT"
 
 - name: Checkout repository
 uses: actions/checkout@v6
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 fetch-depth: 0
+ ref: ${{ steps.pr-info.outputs.pr-head-sha }}
 
 - name: Get merge base
- if: steps.is-fork.outputs.is-fork == 'false'
 id: merge-base
 shell: bash
 env:
- BASE_REF: ${{ steps.pr-head-sha.outputs.pr-base-ref }}
+ BASE_REF: ${{ steps.pr-info.outputs.pr-base-ref }}
 run: |
 set -euo pipefail
 
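Review bot: `Get pull request info` writes `pr-title=\(.title)` into `$GITHUB_OUTPUT` as a plain `key=value` line; the title is free text chosen by the PR author, and because it is emitted last, any line break that reached the file would let a following `pr-head-sha=` line override the SHA that `ref:` here and the downstream checkout trust. PR titles are single-line on GitHub today, so this is defensive, but the `name<<DELIMITER` multiline form the runner supports removes the dependency on that property at almost no cost. The same step has no `set -euo pipefail`, so a failed `gh pr view` leaves every output empty while the job stays green; the `Get merge base` step in this hunk already uses it. Rewrite of the `run:` block below; the step's `env:` and the rest of the job are unchanged.
```yaml
      - name: Get pull request info
        id: pr-info
        # … unchanged: env (GH_TOKEN, PR_NUMBER) …
        run: |
          set -euo pipefail
          gh pr view "$PR_NUMBER" \
            --repo "$GITHUB_REPOSITORY" \
            --json baseRefName,headRefOid,headRefName \
            --jq '"pr-base-ref=\(.baseRefName)\npr-head-sha=\(.headRefOid)\npr-head-ref=\(.headRefName)"' \
            >> "$GITHUB_OUTPUT"
          TITLE="$(gh pr view "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --json title --jq '.title')"
          DELIM="pr-title-$(openssl rand -hex 16)"
          printf 'pr-title<<%s\n%s\n%s\n' "$DELIM" "$TITLE" "$DELIM" >> "$GITHUB_OUTPUT"
```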
@@ -83,19 +78,18 @@ jobs:
 echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT"
 
 - name: Check if the pull request is a release
- if: steps.is-fork.outputs.is-fork == 'false'
 id: is-release
 uses: MetaMask/action-is-release@v2
 with:
 commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
- commit-message: ${{ github.event.pull_request.title }}
+ commit-message: ${{ steps.pr-info.outputs.pr-title }}
 before: ${{ steps.merge-base.outputs.merge-base }}
 skip-checkout: true
 
 react-to-comment:
 name: React to the comment
 needs: is-release
- if: ${{ needs.is-release.outputs.is-release == 'true' }}
+ if: needs.is-release.outputs.is-release == 'true' && github.event_name == 'issue_comment'
 runs-on: ubuntu-latest
 environment: default-branch
 continue-on-error: true
@@ -132,8 +126,10 @@ jobs:
 - name: Checkout pull request
 env:
 PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }}
+ PR_BASE_REF: ${{ needs.is-release.outputs.base-ref }}
 run: |
 git fetch --no-tags origin "$PR_HEAD_SHA"
+ git fetch --no-tags origin "$PR_BASE_REF"
 git checkout --detach "$PR_HEAD_SHA"
 
 - name: Setup environment
@@ -148,6 +144,8 @@ jobs:
 
 - name: Commit and push updated changelogs
 id: push-changes
+ env:
+ PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }}
 run: |
 if git diff --quiet; then
 echo "changes-pushed=false" >> "$GITHUB_OUTPUT"
@@ -159,7 +157,7 @@ jobs:
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git add -- '**/CHANGELOG.md'
 git commit -m "chore: Update dependency bump changelog entries"
- git push
+ git push origin "HEAD:$PR_HEAD_REF"
 
 echo "changes-pushed=true" >> "$GITHUB_OUTPUT"
 
From c6e02fe87948964f2d722ed2b3523f82646402d0 Mon Sep 17 00:00:00 2001
From: Maarten Zuidhoorn
Date: Mon, 20 Apr 2026 15:45:14 +0200
Subject: [PATCH 34/34] Provide merge base to `auto-changelog`

---
 .github/workflows/update-changelogs.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
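Review bot: `git push origin "HEAD:$PR_HEAD_REF"` and the new `git fetch --no-tags origin "$PR_BASE_REF"` both interpolate job outputs that are empty whenever `Get pull request info` in `is-release` failed quietly, and these `run:` blocks do not use `set -u`,so an empty ref is handed to git rather than rejected; put `: "${PR_HEAD_REF:?missing head-ref}"` at the top of the push script and `: "${PR_BASE_REF:?missing base-ref}"` at the top of the checkout script so the job fails before touching the remote. Pushing by branch name from a detached HEAD pinned to the validated SHA means a PR that moved between the `is-release` check and this push is refused as non-fast-forward, which is the right failure direction; a short log line naming that case would make the refusal easier to read than the raw git error. The `Commit and push updated changelogs` script starts in the `@@ -148,6 +144,8 @@` hunk and ends in the `@@ -159,7 +157,7 @@` one, with its middle outside both.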
diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index 5e79c32224..781c11acc5 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -46,6 +46,7 @@ jobs:
 head-sha: ${{ steps.pr-info.outputs.pr-head-sha }}
 head-ref: ${{ steps.pr-info.outputs.pr-head-ref }}
 base-ref: ${{ steps.pr-info.outputs.pr-base-ref }}
+ merge-base: ${{ steps.merge-base.outputs.merge-base }}
 steps:
 - name: Get pull request info
 id: pr-info
@@ -139,7 +140,9 @@ jobs:
 
 - name: Ensure required dependency bump entries exist across all changelogs
 id: update-changelogs
- run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER"
+ env:
+ MERGE_BASE: ${{ needs.is-release.outputs.merge-base }}
+ run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" --fromRef "$MERGE_BASE"
 continue-on-error: true
 
 - name: Commit and push updated changelogs
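Review bot: `--fromRef "$MERGE_BASE"` assumes the merge-base commit exists in the `update-changelogs` checkout, but that job's checkout (outside this hunk) only fetches `$PR_HEAD_SHA` and `$PR_BASE_REF` on top of an `actions/checkout` with no `fetch-depth` set, so depending on how shallow that history is the commit may be absent and the tool is then running against a ref it cannot resolve. A cheap precondition makes that explicit: `git cat-file -e "${MERGE_BASE:?}^{commit}" || { echo "::error::merge-base $MERGE_BASE not present locally"; exit 1; }` ahead of the `yarn` call, or a `git fetch --no-tags origin "$MERGE_BASE"` in the checkout step. Because the step carries `continue-on-error: true`, a failure inside auto-changelog is otherwise swallowed and the following commit step will still push whatever `--fix` managed to write, so the guard is what keeps a half-applied run from reaching the PR branch.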