feat: add Update Changelogs workflow with auto-changelog v6 --checkDeps#8443
cryptodev-2s wants to merge 23 commits into main from
Conversation
- Add --checkDeps to validate-changelog.sh to catch missing dep entries
- Add --checkDeps --fix to update-changelog.sh to auto-generate dep entries
- Add fix-changelogs workflow to auto-fix changelogs on release branches

- --checkDeps/--fix are validate-only flags, revert from update-changelog.sh
- Skip --checkDeps on main branch to avoid "HEAD is same as base" error
- Workflow uses validate --checkDeps --fix with PR number for auto-fixing

Keep dependency bump validation opt-in via @metamaskbot check-deps only.

- Add missing --checkDeps flag to validate step
- Fix shell quoting bug in fork detection
- Narrow git add to **/CHANGELOG.md only
- Report validation failures in PR comment instead of swallowing them
- Use chore: prefix for automated commit message

- Add concurrency group to prevent racing on duplicate triggers
- Add if: always() to comment step so users always get feedback
- Add comment explaining branch checkout purpose
- Remove -A flag from git add (only staging tracked CHANGELOG.md files)
- Improve step name and commit message for clarity

- Add pull_request opened trigger for release/* branches targeting main
- Use github.event.issue.number || github.event.pull_request.number for both triggers
- Conditionally show reaction only for comment triggers

- Rename file from fix-changelogs.yml to update-changelogs.yml
- Update workflow name, job names, and concurrency group
- Rename bot command to @metamaskbot update-changelogs

- Add git fetch before branch checkout (shallow clone has no branch refs)
- Handle partial fix case: report remaining errors when fixes are pushed
- Handle skipped steps: detect when earlier steps fail and report accurately
- Rename job ID from fix-changelogs to update-changelogs for consistency
772928a to f4aabbb
Shallow clone with fetch-depth: 1 doesn't include origin/main, causing --checkDeps to fail with "could not resolve base branch".
- Use fetch-depth: 0 so git merge-base can find common ancestor with main
- Hide previous bot comments on rerun to reduce noise
- Add emoji to comment messages for clarity

- Add --paginate to handle PRs with many comments
- Use precise emoji-anchored regex to match only this workflow's comments
- Add continue-on-error so comment hiding doesn't block core workflow
Use patroll-managed PAT so commits pushed by this workflow trigger subsequent CI workflows (GITHUB_TOKEN commits don't trigger workflows). Depends on: MetaMask/patroll#75
MetaMask/action-checkout-and-setup doesn't accept a token input, so the PAT was silently ignored. Use actions/checkout with the PAT first, then gh pr checkout, then action-checkout-and-setup for node/yarn setup (it skips checkout if .git already exists).
- Remove unused "Get PR head ref" step (gh pr checkout handles it)
- Simplify comment-hiding regex to ^(✅|⚠️ |❌) to match all 6 variants
- Set GITHUB_TOKEN and PR_NUMBER at job level to reduce repetition
- Remove per-step env overrides that are now inherited
The PAT lacks issues:write permission needed for reactions and comments. Override GITHUB_TOKEN with github.token on steps that interact with the GitHub API (reactions, hiding comments, posting results).
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit bbac608.
```yaml
run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1'
env:
  GH_TOKEN: ${{ github.token }}
  COMMENT_ID: ${{ github.event.comment.id }}
```
Missing continue-on-error on reaction step blocks workflow
Medium Severity
The "React to comment" step lacks continue-on-error: true, so a transient API failure or rate-limit when adding the 👍 reaction will abort the entire job. All subsequent steps (checkout, validate, fix, commit, push) are skipped, and the comment step reports a misleading "Workflow failed before changelog validation." The "Hide previous bot comments" step at line 72 correctly uses continue-on-error: true for a similarly non-critical API call, but this step does not.
I guess this is true, yes. We should probably add this.
```yaml
is-fork-pull-request:
  name: Determine whether this PR is from a fork
  if: >
    (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release/')) ||
```
Release branches aren't required to start with release/. We used to check for release branches this way, but now we have a more sophisticated check. You should be able to use the is-release action to determine this. See how we do this in main.yml:
core/.github/workflows/main.yml, lines 94 to 105 at 09d5bda
(Maybe we want to extract this step to a separate internal action so we don't have to repeat the list of commit patterns?)
```yaml
needs: is-fork-pull-request
if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
runs-on: ubuntu-latest
timeout-minutes: 30
```
I thought jobs automatically timed out? I see that you borrowed this from the extension repo, but we haven't been specifying timeouts in this repo so I'm curious if it's really necessary.
```bash
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
```
Is this necessary? I thought using the token to check out the repo automatically sets the user name and email.
```yaml
    cache-node-modules: true
    node-version: 22.x

- name: Hide previous bot comments
```
Maybe we should only do this once we've confirmed that we need to post a new comment?
```yaml
env:
  GH_TOKEN: ${{ github.token }}
  CHANGED: ${{ steps.commit.outputs.changed }}
  COMMIT_OUTCOME: ${{ steps.commit.outcome }}
```
Nit: Should we use a more descriptive name for this step?
Suggested change (replacing `COMMIT_OUTCOME: ${{ steps.commit.outcome }}`):

```yaml
PUSH_CHANGES_OUTCOME: ${{ steps.push-changes.outcome }}
```
```yaml
  continue-on-error: true

- name: Commit and push if changed
  id: commit
```
Nit: Should we use a more descriptive step ID?
Suggested change (replacing `id: commit`):

```yaml
id: push-changes
```
```yaml
id: commit
run: |
  if git diff --quiet; then
    echo "changed=false" >> "$GITHUB_OUTPUT"
```
The name of this output seems to indicate that it tracks whether there were changes, but this is inaccurate. This tracks not only whether there were changes, but also whether they were pushed. Maybe this should be:

Suggested change (replacing `echo "changed=false" >> "$GITHUB_OUTPUT"`):

```bash
echo "changes_pushed=false" >> "$GITHUB_OUTPUT"
```
```bash
git add -- '**/CHANGELOG.md'
git commit -m "chore: auto-fix dependency bump changelog entries"
git push
echo "changed=true" >> "$GITHUB_OUTPUT"
```
Suggested change (replacing `echo "changed=true" >> "$GITHUB_OUTPUT"`):

```bash
echo "changes_pushed=true" >> "$GITHUB_OUTPUT"
```
```yaml
if: always()
run: |
  if [ "$CHANGED" = "true" ] && [ "$VALIDATE_OUTCOME" = "failure" ]; then
    gh pr comment "$PR_NUMBER" --body "⚠️ Changelogs updated and pushed, but some validation errors remain. Check the [workflow run]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID) for details."
```
I wonder how this could happen 🤔 This would seem to indicate that changes were pushed when they were not supposed to be.


Explanation

Adds an Update Changelogs workflow that uses @metamask/auto-changelog v6's --checkDeps --fix feature to automatically validate and fix missing dependency bump changelog entries.

Triggers:
- A release PR (release/* branch) is opened targeting main
- @metamaskbot update-changelogs on any non-fork PR

What it does:
- Runs changelog:validate --checkDeps --fix --currentPr <PR#> across all packages

Security:
- Fork PRs are skipped (isCrossRepository check)
- Expression injection avoided (no ${{ }} in run: blocks)

References

Checklist
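As an added illustration of the points in this description, not the workflow file from this PR or from MetaMask/core: a condensed job that wires together the fork check, the two-token split (push-capable PAT for git, `github.token` for the issues API), the reaction step with `continue-on-error`, the paginated and emoji-anchored comment hiding, and env-var passing so no event data is interpolated into `run:` blocks. Assumptions not taken from the page: reading `isCrossRepository` with `gh pr view --json` (an `issue_comment` event carries no head-repository data), the `actions/checkout@v4` pin, the `yarn changelog:validate` invocation, and the `minimizeComment` GraphQL call. The `UPDATE_CHANGELOG_TOKEN` secret name comes from the Bugbot overview below, and the `release/` branch condition is copied from the quoted job even though the review thread questions it.

```yaml
name: Update Changelogs

on:
  pull_request:
    types: [opened]
    branches: [main]
  issue_comment:
    types: [created]

concurrency:
  group: update-changelogs-${{ github.event.issue.number || github.event.pull_request.number }}
  cancel-in-progress: true

# github.token only needs API write; commits are pushed with the PAT so downstream CI still triggers.
permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  is-fork-pull-request:
    name: Determine whether this PR is from a fork
    if: >
      (github.event_name == 'pull_request' && startsWith(github.head_ref, 'release/')) ||
      (github.event_name == 'issue_comment' && github.event.issue.pull_request &&
       contains(github.event.comment.body, '@metamaskbot update-changelogs'))
    runs-on: ubuntu-latest
    outputs:
      IS_FORK: ${{ steps.check.outputs.is_fork }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}  # via env, never inside run:
        run: |
          # Assumption: look the PR up, since a comment event has no head-repo info in its payload.
          is_fork="$(gh pr view "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --json isCrossRepository --jq .isCrossRepository)"
          echo "is_fork=$is_fork" >> "$GITHUB_OUTPUT"

  update-changelogs:
    needs: is-fork-pull-request
    if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }}
    runs-on: ubuntu-latest
    env:
      PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }}
    steps:
      - name: React to comment
        if: github.event_name == 'issue_comment'
        continue-on-error: true   # a failed reaction must not abort the job
        env:
          GH_TOKEN: ${{ github.token }}
          COMMENT_ID: ${{ github.event.comment.id }}
        run: gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}/reactions" -f content='+1'

      - name: Check out with the push-capable PAT (persisted for the later git push)
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
          fetch-depth: 0   # --checkDeps needs the merge-base with origin/main

      - name: Check out the PR head branch
        env:
          GH_TOKEN: ${{ secrets.UPDATE_CHANGELOG_TOKEN }}
        run: gh pr checkout "$PR_NUMBER"

      - name: Hide previous status comments posted by this workflow
        continue-on-error: true
        env:
          GH_TOKEN: ${{ github.token }}   # the PAT has no issues:write
        run: |
          # --paginate covers PRs with many comments; the anchored regex matches only bodies this workflow wrote.
          gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
            --jq '.[] | select(.user.login == "github-actions[bot]")
                      | select(.body | test("^(✅|⚠️ |❌)")) | .node_id' |
          while read -r node_id; do
            gh api graphql -f id="$node_id" \
              -f query='mutation($id: ID!) { minimizeComment(input: {subjectId: $id, classifier: OUTDATED}) { minimizedComment { isMinimized } } }'
          done

      - name: Validate and fix changelogs
        id: validate
        run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER"   # assumed script name

      - name: Commit and push changelog fixes
        id: push-changes
        if: always() && steps.validate.outcome != 'skipped'
        run: |
          git add -- '**/CHANGELOG.md'   # stage changelogs only, never -A
          if git diff --cached --quiet; then
            echo "changes_pushed=false" >> "$GITHUB_OUTPUT"; exit 0
          fi
          git -c user.name="github-actions[bot]" -c user.email="41898282+github-actions[bot]@users.noreply.github.com" \
            commit -m "chore: auto-fix dependency bump changelog entries"
          git push
          echo "changes_pushed=true" >> "$GITHUB_OUTPUT"
```

The status-comment step is left out here; the point of the layout is that every step touching the issues API runs with `github.token`, every step touching git runs with the PAT, and the only values that cross from the event payload into a shell are numbers and IDs passed through `env`.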
Note
Medium Risk
Introduces an automated workflow that runs on PR events/comments and uses a write-scoped token to commit/push changes; misconfiguration could lead to unintended updates or token exposure, though fork PRs are explicitly skipped.
Overview
Adds a new GitHub Actions workflow update-changelogs.yml that can be triggered on release PR open (branch release/* targeting main) or via an @metamaskbot update-changelogs PR comment to run changelog:validate --checkDeps --fix across workspaces. If the PR is not from a fork, the workflow checks out the PR, minimizes prior bot status comments, commits and pushes any **/CHANGELOG.md fixes back to the branch using UPDATE_CHANGELOG_TOKEN, then posts a success/warning/failure status comment on the PR.