chore: Move changelog validation to `pull_request` trigger (#38607)

4 days ago · ee8a91d85c
parent d174972029
commit ee8a91d85c
2 changed files with 44 additions and 22 deletions
--- a/.github/workflows/changelog-validation.yml
+++ b/.github/workflows/changelog-validation.yml
@ -0,0 +1,43 @@
+# This workflow validates the entire changelog when combined with changie entries introduced
+# by the PR.
+#
+# This is separate from the "enforce-changelog" workflow as it needs to run in the context of
+# the PR branch, which is generally discouraged for "pull_request_target" triggered workflows.
+
+name: Changelog Validation
+
+on:
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+      - reopened
+      - synchronize
+      - labeled
+      - unlabeled
+
+# This workflow runs for not-yet-reviewed external contributions and so it
+# intentionally has no write access and only limited read access to the
+# repository.
+permissions:
+  contents: read
+
+jobs:
+  validate-changelog:
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}
+      name: "Validate Changelog"
+      runs-on: ubuntu-latest
+
+      steps:
+          - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                sparse-checkout: |
+                    .changie.yaml
+                    .changes/
+                sparse-checkout-cone-mode: false
+
+          - name: Validate changie fragment is valid
+            uses: miniscruff/changie-action@11bcad388e7973948cbcecb10863baf024d5f607 # v3.0.0
+            with:
+                version: latest
+                args: merge -u "." --dry-run
--- a/.github/workflows/enforce-changelog.yml
+++ b/.github/workflows/enforce-changelog.yml
@ -3,7 +3,7 @@
 # Do not extend this workflow to include checking out the code (e.g. for building and testing purposes) while the pull_request_target trigger is used.
 # Instead, see use of workflow_run in https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

-name: Changelog
+name: Enforce Changelog

 on:
    # The pull_request_target trigger event allows PRs raised from forks to have write permissions and access secrets.
@ -25,27 +25,6 @@ permissions:
    pull-requests: write

 jobs:
-    # Validate the changelog in the pull request branch
-    validate-changelog-entry:
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}
-        name: "Validate Changelog"
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-              with:
-                  sparse-checkout: |
-                      .changie.yaml
-                      .changes/
-                  sparse-checkout-cone-mode: false
-                  ref: ${{ github.head_ref }} # Head ref refers to the branch of this PR
-
-            - name: Validate changie fragment is valid
-              uses: miniscruff/changie-action@11bcad388e7973948cbcecb10863baf024d5f607 # v3.0.0
-              with:
-                  version: latest
-                  args: merge -u "." --dry-run
-
    # Check target branch of the PR to determine if a changelog is needed and what version folder it should exist in
    check-changelog-entry:
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}