ci: derive changelog labels from PR titles + add Dependabot #114

Merged: gmaclennan merged 4 commits into main from ci/pr-title-changelog-dependabot, Jun 22, 2026

@gmaclennan commented Jun 22, 2026

What

Wires up a PR-title → changelog-label → release-notes pipeline, and adds Dependabot.

pr-title.yml

  • Lint conventional-commit titles with amannn/action-semantic-pull-request (SHA-pinned), read-only permissions.
  • Label job (separate, least-privilege pull-requests: write) maps type / deps scope / breaking marker to a managed changelog label and removes stale ones when a title is edited.
  • Breaking changes detected via the title ! or a BREAKING CHANGE: body footer.
  • Dev-dependency scope deps-dev is matched alongside deps, so Dependabot dev bumps land in the right category.

release.yml

Changelog categories keyed off those labels, consumed by GitHub's generated release notes.

dependabot.yml (new)

  • npm (5 package roots) + github-actions.
  • 3-day cooldown on all update types: no release younger than 72h is adopted, reducing exposure to compromised/broken fresh publishes (the trade: security patches are also delayed 3 days).
  • Emits chore(deps) / ci(deps) titles, so updates flow through the same lint + labelling path.
  • Minor/patch grouped into one PR per directory; majors stay individual.

Security notes

  • pull_request_target is required (the label job needs write, which fork PRs don't get under pull_request) and safe: title-only, never checks out PR code, no untrusted input reaches a shell. Workflow logic always runs from main.
  • Both third-party-reachable actions are SHA-pinned.

Labels

The 7 managed labels (breaking, feature, fix, performance, documentation, dependencies, maintenance) have been created in the repo with colours.

🤖 Generated with Claude Code


Docs (follow-up commit)

Added CONTRIBUTING.md documenting the dev setup, test entry points, and the full conventional-commit → changelog-label → Dependabot → optic release flow. Trimmed the duplicated contributor section out of the README (pointing it at CONTRIBUTING.md + agents.md) and corrected the stale example/ paths to apps/example/.
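
A sketch of the title-to-label step described in the comment above, as an added example that is not the repository's pr-title.yml code. The type-to-label table, the precedence (breaking, then deps scope, then type) and the function names `deriveLabel` and `planLabelChanges` are assumptions; the label names, the `deps` / `deps-dev` scopes and the two breaking markers come from the description.

```javascript
// Added illustration: mapping table and precedence are assumptions.
const MANAGED = ['breaking', 'feature', 'fix', 'performance',
  'documentation', 'dependencies', 'maintenance'];
// A Map, not an object literal, so a type such as "constructor" cannot
// resolve to an inherited property.
const TYPE_TO_LABEL = new Map([
  ['feat', 'feature'], ['fix', 'fix'],
  ['perf', 'performance'], ['docs', 'documentation'],
]);

// type, optional (scope), optional "!", then ": subject".
const TITLE_RE = /^([a-z]+)(?:\(([^()\s]+)\))?(!)?: \S/;
// The footer token must start a line of the PR body.
const BREAKING_FOOTER_RE = /^BREAKING CHANGE: /m;

// Title and body are only matched as strings: nothing is evaluated,
// interpolated into a command, or used as a path.
function deriveLabel(title, body) {
  const m = TITLE_RE.exec(String(title));
  if (!m) return null; // not a conventional title; the lint job reports it
  const [, type, scope, bang] = m;
  if (bang || BREAKING_FOOTER_RE.test(String(body || ''))) return 'breaking';
  if (scope === 'deps' || scope === 'deps-dev') return 'dependencies';
  return TYPE_TO_LABEL.get(type) ?? 'maintenance';
}

// Computes which managed labels to add and which stale ones to remove
// after a title edit. Labels outside MANAGED are never touched.
function planLabelChanges(currentLabels, title, body) {
  const want = deriveLabel(title, body);
  if (want === null) return { add: [], remove: [] }; // leave labels as-is
  const managedNow = currentLabels.filter((l) => MANAGED.includes(l));
  return {
    add: managedNow.includes(want) ? [] : [want],
    remove: managedNow.filter((l) => l !== want),
  };
}
```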

gmaclennan and others added 4 commits June 22, 2026 13:26
Add a PR-title pipeline that lints conventional-commit titles and
derives a changelog label from them, which `.github/release.yml` groups
into GitHub's generated release notes.

- pr-title.yml: lint title (amannn, SHA-pinned), then a least-privilege
  label job maps type/scope/`!` to a managed label. Title-only, no
  checkout, so pull_request_target is safe. Detects breaking changes via
  the title `!` or a `BREAKING CHANGE:` body footer.
- release.yml: changelog categories keyed off those labels.
- dependabot.yml: npm + github-actions with a 3-day cooldown so no
  release younger than 72h is adopted (supply-chain safety). Emits
  `chore(deps)` titles so updates flow through the same labelling path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Document the development setup, test entry points, and the conventional-
commit / changelog-label / Dependabot / optic release flow added in this
PR. Move the contributor-facing layout and test instructions out of the
README into CONTRIBUTING.md (and correct the stale `example/` paths to
`apps/example/`); link agents.md for the deep architecture reference.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@gmaclennan enabled auto-merge June 22, 2026 12:36
@gmaclennan merged commit d63cbea into main Jun 22, 2026
12 checks passed
@gmaclennan deleted the ci/pr-title-changelog-dependabot branch June 22, 2026 12:58
gmaclennan added a commit that referenced this pull request Jun 22, 2026
## Optic Release Automation

This **draft** PR is opened by Github action
[optic-release-automation-action](https://github.com/nearform-actions/optic-release-automation-action).

A new **draft** GitHub release
[v1.0.0-pre.2](https://github.com/digidem/comapeo-core-react-native/releases/tag/untagged-352a6c41c12fd02dec37)
has been created.

Release author: @gmaclennan

#### If you want to go ahead with the release, please merge this PR.
When you merge:

- The GitHub release will be published

- The npm package with tag pre will be published according to the
publishing rules you have configured



- No major or minor tags will be updated as configured


#### If you close the PR

- The new draft release will be deleted and nothing will change

<!-- Release notes generated using configuration in .github/release.yml
at 7fe80b4 -->

## What's Changed
### 🚀 Features
* Integrate @comapeo/core via IPC over Unix sockets by @gmaclennan in
#5
* Add iOS support & test infrastructure by @gmaclennan in
#6
* iOS Phase 1: unified JS bundle + smoke test (simulator-only) by
@gmaclennan in
#15
* iOS Phase 2: xcframework Embed & Sign for native addons by @gmaclennan
in #16
* Phase 2 Android: jniLibs packaging + unified rollup loader plugin by
@gmaclennan in
#17
* android: read abiFilters from reactNativeArchitectures (#30) by
@gmaclennan in
#35
* Add rootkey persistence and lifecycle state management by @gmaclennan
in #36
* Sentry integration: Phase 1 + Phase 2a + Phase 2b by @gmaclennan in
#54
* feat(backend): polywasm-backed undici on iOS, re-enable maps plugin by
@gmaclennan in
#62
* feat(sentry): land Phase 3 — backend loader + RPC tracing by
@gmaclennan in
#63
* feat(sentry): land Phases 6 + 7a — Android exit reasons & iOS
MetricKit app-exit telemetry by @gmaclennan in
#72
* feat(sentry): migrate to @sentry/react-native v8; exit telemetry as
Application Metrics by @gmaclennan in
#73
* Map server integration by @gmaclennan in
#86
* feat(config): let the consuming app supply the default project config
by @gmaclennan in
#95
### 🐛 Bug Fixes
* fix(android): drop setUnlockedDeviceRequired from rootkey wrapper key
by @gmaclennan in
#57
* fix(backend): cache stopping/error frames for late joiners by
@gmaclennan in
#58
* fix(ios-tests): wait for STOPPING before signalling node exit by
@gmaclennan in
#59
* fix(android): drain JNI stdio pumps before returning from node::Start
by @gmaclennan in
#60
* fix(ios-tests): serialise STOPPING/STOPPED observers in
testFullLifecycleStateTransitions by @gmaclennan in
#71
* fix(sentry): make exit telemetry lossless and stop cross-process
clobbering by @gmaclennan in
#84
* fix: start fastify listening by @gmaclennan in
#93
* fix(ci): ignore-scripts in ios npm installs by @gmaclennan in
#96
* fix(ci): replace --ignore-scripts with npm strict-allow-scripts
allowlist by @gmaclennan in
#106
* fix(release): stop `npm pack --dry-run` leaking dry-run into backend
install by @gmaclennan in
#129
### ⚡ Performance
* perf(backend): switch bundler from rollup to rolldown by @gmaclennan
in #94
### ⬆️ Dependencies
* update some native deps used in backend by @achou11 in
#14
* chore(deps): upgrade to Expo SDK 56 (React Native 0.85) by @gmaclennan
in #87
### 🏗️ Maintenance
* Android Testing Infrastructure & Bug Fixes by @gmaclennan in
#3
* chore: prebuild example/android; harden instrumented tests by
@gmaclennan in
#10
* chore: adjust repo setup by @achou11 in
#12
* chore: minor fixes based on expo-doctor by @achou11 in
#13
* chore: add architecture docs & plans by @gmaclennan in
#11
* chore: post-Phase-2 cleanup — comments, plan docs, agents.md by
@gmaclennan in
#33
* refactor: simplify build-backend.ts; rollup writes directly to native
asset trees by @gmaclennan in
#34
* chore: fix eslint configuration by @achou11 in
#41
* android: audit 16 KB page alignment on every shipped .so by
@gmaclennan in
#43
* chore: move example app into apps directory by @achou11 in
#18
* refactor: per-component lifecycle state with derived ComapeoState by
@gmaclennan in
#47
* android: fold waitForFile into connect retry loop by @gmaclennan in
#52
* chore: add e2e testing app by @achou11 in
#49
* ci: drop unreliable Android emulator snapshot caching by @gmaclennan
in #64
* use npm list instead of custom traversal to get native module versions
by @achou11 in
#70
* chore(e2e): add e2e tests on browserstack via Maestro by @achou11 in
#56
* chore(ci): add release workflow by @gmaclennan in
#90
* chore: fix npm script and release build script by @gmaclennan in
#91
* chore(pack): don't try to package build files by @gmaclennan in
#92
* chore(release): merge prerelease branch. by @gmaclennan in
#110
* ci(e2e): retry BrowserStack builds on infra-class flakes by
@gmaclennan in
#113
### Other Changes
* ci: derive changelog labels from PR titles + add Dependabot by
@gmaclennan in
#114

## New Contributors
* @achou11 made their first contribution in
#12
* @optic-release-automation[bot] made their first contribution in
#112

**Full Changelog**:
https://github.com/digidem/comapeo-core-react-native/commits/v1.0.0-pre.2
