Merged
34 commits
61175c2
feat: adopt auto-changelog v6 --checkDeps for dependency bump validation
cryptodev-2s Apr 13, 2026
a83983a
fix: correct --checkDeps usage and handle main branch
cryptodev-2s Apr 13, 2026
02fd302
fix: trigger fix-changelogs via @metamaskbot check-deps PR comment
cryptodev-2s Apr 13, 2026
14d0298
revert: remove --checkDeps from validate-changelog.sh
cryptodev-2s Apr 13, 2026
9c0924f
fix: use env vars to prevent code injection in fix-changelogs workflow
cryptodev-2s Apr 13, 2026
f3192c6
fix: skip fix-changelogs workflow on fork PRs
cryptodev-2s Apr 13, 2026
925ca11
fix: address code review findings in fix-changelogs workflow
cryptodev-2s Apr 13, 2026
a62d2ee
fix: address review feedback for fix-changelogs workflow
cryptodev-2s Apr 13, 2026
b6cf542
fix: remove unnecessary yarn changelog:update step
cryptodev-2s Apr 13, 2026
b516c86
fix: move reaction step first and report push failures in comment
cryptodev-2s Apr 13, 2026
455620a
fix: remove unnecessary checkout from fork detection job
cryptodev-2s Apr 13, 2026
9069a65
feat: auto-trigger fix-changelogs on release PR open
cryptodev-2s Apr 14, 2026
5a137b1
fix: rename workflow to update-changelogs
cryptodev-2s Apr 14, 2026
61a4b9e
fix: add job timeout and defensive git add separator
cryptodev-2s Apr 14, 2026
f4aabbb
fix: address remaining review findings
cryptodev-2s Apr 14, 2026
e8bd7be
fix: fetch origin/main for --checkDeps base branch comparison
cryptodev-2s Apr 15, 2026
30eec0c
fix: use full git history and hide previous bot comments
cryptodev-2s Apr 15, 2026
b20f53e
fix: improve bot comment hiding reliability
cryptodev-2s Apr 15, 2026
29a5a04
feat: use CHANGELOG_UPDATE_TOKEN for git push to trigger CI
cryptodev-2s Apr 15, 2026
d29dc62
fix: rename secret to UPDATE_CHANGELOG_TOKEN
cryptodev-2s Apr 15, 2026
567a53b
fix: use actions/checkout with PAT directly
cryptodev-2s Apr 15, 2026
0959ecc
fix: address review findings - dead code, regex, token cleanup
cryptodev-2s Apr 15, 2026
bbac608
fix: use github.token for reactions and comments, PAT only for git push
cryptodev-2s Apr 15, 2026
aa78ed8
fix: add continue-on-error to reaction step
cryptodev-2s Apr 16, 2026
f0ea391
Address feedback, simplify workflow
Mrtenz Apr 20, 2026
219277f
Add release check
Mrtenz Apr 20, 2026
7fc7da9
Fix `RELEASE_COMMIT_PREFIX` var
Mrtenz Apr 20, 2026
d307b94
Potential fix for pull request finding 'CodeQL / Untrusted Checkout T…
Mrtenz Apr 20, 2026
34f945b
Fix PR head SHA logic
Mrtenz Apr 20, 2026
3295258
Fix more PR head SHA logic
Mrtenz Apr 20, 2026
1cf4de8
Update `is-release` step in main workflow
Mrtenz Apr 20, 2026
4f7aeb0
Separate is-fork again
Mrtenz Apr 20, 2026
ccae16b
More fixes
Mrtenz Apr 20, 2026
c6e02fe
Provide merge base to `auto-changelog`
Mrtenz Apr 20, 2026
7 changes: 6 additions & 1 deletion .github/actions/check-release/action.yml
@@ -1,6 +1,11 @@
name: Check release
description: Check for conflicts in packages being released in this PR.

inputs:
commit-starts-with:
description: "Validate that the release commit starts with a string in this comma-separated list. Use '[version]' to refer to the current release version."
required: true
Actions don't have access to vars directly.


runs:
using: composite
steps:
Expand Down Expand Up @@ -32,7 +37,7 @@ runs:
id: is-release
uses: MetaMask/action-is-release@v2
with:
commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
commit-starts-with: ${{ inputs.commit-starts-with }}
commit-message: ${{ github.event.pull_request.title }}
before: ${{ steps.merge-base.outputs.MERGE_BASE }}
skip-checkout: true
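Review bot: `commit-starts-with` is declared `required: true`, but as far as I know the runner does not enforce `required` on composite-action inputs, so a caller whose `RELEASE_COMMIT_PREFIX` repository variable is unset passes an empty string straight through to `MetaMask/action-is-release` — and since this action's verdict drives the release check, whatever an empty prefix list matches there (nothing or everything; I can't tell from this page) silently decides whether a PR is treated as a release. A fail-loud guard step ahead of `is-release` removes that dependency: `if [ -z "$PREFIX" ]; then echo '::error::commit-starts-with input must not be empty'; exit 1; fi` with `PREFIX: ${{ inputs.commit-starts-with }}` in the step's `env` (and `shell: bash`, as composite steps require). It would also help to name the previously hard-coded list (`Release [version],Release v[version],...`) in the input description as the expected format, because the failure otherwise surfaces far from the repository variable that needs setting.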
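--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -90,6 +90,8 @@ jobs:
 - name: Check release
 if: github.event_name != 'push'
 uses: ./.github/actions/check-release
+with:
+commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
 
 is-release:
 name: Determine whether this is a release merge commit
@@ -102,7 +104,7 @@ runs:
 - id: is-release
 uses: MetaMask/action-is-release@v2
 with:
-commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
+commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
 
 publish-release:
 name: Publish release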
230 changes: 230 additions & 0 deletions .github/workflows/update-changelogs.yml
@@ -0,0 +1,230 @@
name: Update Changelogs

on:
issue_comment:
types:
- created
pull_request:
branches:
- main
types:
- opened

concurrency:
group: update-changelogs-${{ github.event.issue.number || github.event.pull_request.number }}
cancel-in-progress: true

permissions:
contents: write
pull-requests: write

jobs:
is-fork:
name: Determine whether this PR is from a fork
if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs'))
runs-on: ubuntu-latest
outputs:
is-fork: ${{ steps.is-fork.outputs.is-fork }}
steps:
- name: Determine whether this PR is from a fork
id: is-fork
run: |
IS_FORK="$(gh pr view --json isCrossRepository --jq '.isCrossRepository' "$PR_NUMBER" --repo "$GITHUB_REPOSITORY")"
echo "is-fork=$IS_FORK" >> "$GITHUB_OUTPUT"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}

is-release:
name: Determine whether this PR is a release PR
needs: is-fork
if: needs.is-fork.outputs.is-fork == 'false'
runs-on: ubuntu-latest
environment: default-branch
outputs:
is-release: ${{ steps.is-release.outputs.IS_RELEASE }}
head-sha: ${{ steps.pr-info.outputs.pr-head-sha }}
head-ref: ${{ steps.pr-info.outputs.pr-head-ref }}
base-ref: ${{ steps.pr-info.outputs.pr-base-ref }}
merge-base: ${{ steps.merge-base.outputs.merge-base }}
steps:
- name: Get pull request info
id: pr-info
env:
GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
run: |
gh pr view "$PR_NUMBER" \
--repo "$GITHUB_REPOSITORY" \
--json baseRefName,headRefOid,headRefName,title \
--jq '"pr-base-ref=\(.baseRefName)\npr-head-sha=\(.headRefOid)\npr-head-ref=\(.headRefName)\npr-title=\(.title)"' \
>> "$GITHUB_OUTPUT"

- name: Checkout repository
uses: actions/checkout@v6
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
ref: ${{ steps.pr-info.outputs.pr-head-sha }}

- name: Get merge base
id: merge-base
shell: bash
env:
BASE_REF: ${{ steps.pr-info.outputs.pr-base-ref }}
run: |
set -euo pipefail

MERGE_BASE=$(git merge-base HEAD "refs/remotes/origin/$BASE_REF")
echo "merge-base=$MERGE_BASE" >> "$GITHUB_OUTPUT"
Merge base is needed to determine the before commit for action-is-release.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. auto-changelog also takes a "before" commit via a --from option. If this is not given it will calculate its own merge base: https://github.com/MetaMask/auto-changelog/blob/902c1f9b54dd3c61f938475400da46ac1cb04e4c/src/get-dependency-changes.ts#L198. So now we have two places that perform this step (in two different ways). Maybe we should capture the result of this step and pass it to auto-changelog via --from so that we're using the same approach?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense!


- name: Check if the pull request is a release
id: is-release
uses: MetaMask/action-is-release@v2
with:
commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
commit-message: ${{ steps.pr-info.outputs.pr-title }}
before: ${{ steps.merge-base.outputs.merge-base }}
skip-checkout: true

react-to-comment:
name: React to the comment
needs: is-release
if: needs.is-release.outputs.is-release == 'true' && github.event_name == 'issue_comment'
runs-on: ubuntu-latest
environment: default-branch
continue-on-error: true
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: React to the comment
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \
-f content='+1'
env:
COMMENT_ID: ${{ github.event.comment.id }}
GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
REPO: ${{ github.repository }}

update-changelogs:
name: Update changelogs
needs: is-release
if: ${{ needs.is-release.outputs.is-release == 'true' }}
runs-on: ubuntu-latest
environment: default-branch
env:
PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}

- name: Checkout pull request
env:
PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }}
PR_BASE_REF: ${{ needs.is-release.outputs.base-ref }}
run: |
git fetch --no-tags origin "$PR_HEAD_SHA"
git fetch --no-tags origin "$PR_BASE_REF"
git checkout --detach "$PR_HEAD_SHA"
Recommended by CodeQL.


- name: Setup environment
uses: MetaMask/action-checkout-and-setup@v3
with:
is-high-risk-environment: false

- name: Ensure required dependency bump entries exist across all changelogs
id: update-changelogs
env:
MERGE_BASE: ${{ needs.is-release.outputs.merge-base }}
run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" --fromRef "$MERGE_BASE"
continue-on-error: true

- name: Commit and push updated changelogs
id: push-changes
env:
PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }}
run: |
if git diff --quiet; then
echo "changes-pushed=false" >> "$GITHUB_OUTPUT"
exit 0
fi

git diff --stat
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -- '**/CHANGELOG.md'
git commit -m "chore: Update dependency bump changelog entries"
git push origin "HEAD:$PR_HEAD_REF"

echo "changes-pushed=true" >> "$GITHUB_OUTPUT"

- name: Comment result
if: always()
uses: actions/github-script@v9
env:
CHANGES_PUSHED: ${{ steps.push-changes.outputs.changes-pushed }}
PUSH_CHANGES_OUTCOME: ${{ steps.push-changes.outcome }}
UPDATE_CHANGELOGS_OUTCOME: ${{ steps.update-changelogs.outcome }}
PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
with:
github-token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
script: |
const {
CHANGES_PUSHED,
PUSH_CHANGES_OUTCOME,
UPDATE_CHANGELOGS_OUTCOME,
PR_NUMBER,
} = process.env;

// List and minimize any existing changelog update comments.
const comments = await github.paginate(github.rest.issues.listComments, {
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: process.env.PR_NUMBER,
});

for (const comment of comments) {
if (comment.body.includes('<!-- Changelog update comment -->')) {
await github.graphql(`
mutation($commentId: ID!, $classifier: ReportedContentClassifiers!) {
minimizeComment(input: {subjectId: $commentId, classifier: $classifier}) {
minimizedComment {
isMinimized
}
}
}
`, {
commentId: comment.node_id,
classifier: 'OUTDATED',
});
}
}

function getCommentBody() {
if (CHANGES_PUSHED === 'true' && UPDATE_CHANGELOGS_OUTCOME === 'failure') {
return `⚠️ Changelogs updated and pushed, but some validation errors remain. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`;
} else if (CHANGES_PUSHED === 'true') {
return '✅ Changelogs updated and pushed.';
} else if (PUSH_CHANGES_OUTCOME === 'failure') {
return `❌ Failed to push changelog fixes. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`;
} else if (UPDATE_CHANGELOGS_OUTCOME === 'failure') {
return `❌ Changelog validation failed. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`;
} else if (UPDATE_CHANGELOGS_OUTCOME === 'skipped' || PUSH_CHANGES_OUTCOME === 'skipped') {
return `❌ Workflow failed before changelog validation. Check the [workflow run](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`;
} else {
return '✅ No changelog changes needed.';
}
}

await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: process.env.PR_NUMBER,
body: `${getCommentBody()}\n\n<!-- Changelog update comment -->`,
});
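Review bot: In the `update-changelogs` job the PAT is handed to `actions/checkout` (`token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}`), which by default persists it in `.git/config`, and the job then runs `MetaMask/action-checkout-and-setup` and `yarn changelog:validate` on the PR head, so any package or lifecycle script in that tree can read a token with push rights — far more exposure than the single `git push` the PAT was introduced for (commit 29a5a04). The `is-fork` gate limits this to same-repo release PRs, but the blast radius is still the PAT rather than the job-scoped `GITHUB_TOKEN`; check out with `token: ${{ secrets.GITHUB_TOKEN }}` as the `is-release` job already does, and supply the PAT only in the push step, e.g. `git push "https://x-access-token:${UPDATE_CHANGELOG_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:$PR_HEAD_REF"` with `UPDATE_CHANGELOG_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}` in that step's `env`. The same PAT is also used for `gh pr view` in `pr-info`, the `+1` reaction and the result comment, where `secrets.GITHUB_TOKEN` under the declared `pull-requests: write` permission is sufficient. Separately, the `issue_comment` condition only checks the comment prefix, so any account that can comment on a non-fork PR can start a run in the `default-branch` environment; adding `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the `is-fork` job's `if` would restrict that to maintainers.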