Skip to content

Comment changeset status in PRs#625

Open
bluwy wants to merge 13 commits into
mainfrom
comment-pr-changeset
Open

Comment changeset status in PRs#625
bluwy wants to merge 13 commits into
mainfrom
comment-pr-changeset

Conversation

@bluwy
Copy link
Copy Markdown
Member

@bluwy bluwy commented May 18, 2026
edited
Loading

You can test the action with uses: changesets/action/comment-pr-changeset@comment-pr-changeset-dist.

Example workflow setup 
# .github/workflows/comment-changeset-pr-status.yml
name: Comment changeset status in PRs

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  pr-status:
    runs-on: ubuntu-slim
    permissions:
      contents: read # to check out files in the repo
    outputs:
      commentBody: ${{ steps.pr-status.outputs.commentBody }}
    steps:
      - name: Check out repo
        uses: actions/checkout@v6

      - name: Generate status
        id: pr-status
        uses: changesets/action/pr-status@v1

  comment:
    needs: pr-status
    runs-on: ubuntu-slim
    permissions:
      pull-requests: write # to create and update comments on PRs
    steps:
      - name: Comment on PR
        uses: mshick/add-pr-comment@v3
        with:
          message-id: changeset-pr-status
          message: ${{ needs.pr-status.outputs.commentBody }}

See this action ... in action: bluwy/changesets-playground#1 (feel free to send PRs from forks for testing)

This actions focuses only on generating the comment, and defer the commenting to other actions. This is because we want to use reduced permissions for generating the comment to prevent risks of executing untrusted code and accessing the elevated github token. When changesets generate a release plan, we cannot guarantee in the future it will not execute code because of hooks/plugins or such.

When you have this workflow in your repo, you should disable the changeset bot for the repo so messages don't get reported twice. For this action, you should get the exact behaviour and messages from a bot. I didn't change the message for now.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 18, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: d288cad

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@bluwy bluwy marked this pull request as ready for review May 19, 2026 02:36
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread src/pr-status/message.ts
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread rolldown.config.js Outdated
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread src/comment-pr-changeset/index.ts Outdated
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread src/pr-status-comment/index.ts Outdated
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread comment-pr-changeset/README.md Outdated
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread pr-status-comment/README.md Outdated
@Andarist Andarist requested a review from emmatown May 19, 2026 06:54
mihkeleidast
mihkeleidast reviewed May 19, 2026
View reviewed changes
Comment thread comment-pr-changeset/README.md Outdated
Andarist
Andarist reviewed May 19, 2026
View reviewed changes
Comment thread comment-pr-changeset/README.md Outdated
@Andarist Andarist mentioned this pull request May 24, 2026
Open
Andarist and others added 2 commits May 25, 2026 14:10
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 25, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedmarkdown-table@​3.0.410010010080100

View full report

@bluwy bluwy mentioned this pull request May 25, 2026
Open
@bluwy
Copy link
Copy Markdown
Member Author

bluwy commented May 25, 2026
edited
Loading

This is now ready again. The action now works slightly differently to prevent token leaks when generating the release plan. See the PR description and the added README for more info. I also renamed it as changesets/action/pr-status instead of pr-status-comment (maybe just check would be cool?)

I was also considering adding a simple comment action so we don't have to recommend a third-party action, but I don't want to widen the scope for now.

mihkeleidast
mihkeleidast reviewed May 26, 2026
View reviewed changes
Comment thread pr-status/README.md
pull-requests: write # to create and update comments on PRs
steps:
- name: Comment on PR
uses: mshick/add-pr-comment@v3
Copy link
Copy Markdown

@mihkeleidast mihkeleidast May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm. I like that this is split into two now security-wise, however... I was looking forward to using this new action at work in GHES, as we can't use the bot there. But we also have that nasty requirement that all third party actions must be from verified orgs on GitHub. Given this particular action is from an individual account, we definitely can't use it, so we'd still have to fork and own a copy.

Would be super nice if there was an alternative from a verified org, or if this was still provided as a changesets sub-action. Given all the supply chain security issues lately, I'd be much more comfortable using something directly from changesets and not bring in another variable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Andarist Andarist Andarist left review comments

@emmatown emmatown Awaiting requested review from emmatown

+1 more reviewer

@mihkeleidast mihkeleidast mihkeleidast left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bluwy @mihkeleidast @Andarist