From ee8a91d85c6e15cf730c8410ee720ad6fdb27ded Mon Sep 17 00:00:00 2001
From: Austin Valle
Date: Mon, 18 May 2026 09:19:57 -0400
Subject: [PATCH] chore: Move changelog validation to `pull_request` trigger (#38607)

---
 .github/workflows/changelog-validation.yml | 43 +++++++++++++++++++
 .../{changelog.yml => enforce-changelog.yml} | 23 +---------
 2 files changed, 44 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/changelog-validation.yml
 rename .github/workflows/{changelog.yml => enforce-changelog.yml} (91%)

diff --git a/.github/workflows/changelog-validation.yml b/.github/workflows/changelog-validation.yml
new file mode 100644
index 0000000000..8289d3a2f7
--- /dev/null
+++ b/.github/workflows/changelog-validation.yml
@@ -0,0 +1,43 @@
+# This workflow validates the entire changelog when combined with changie entries introduced
+# by the PR.
+#
+# This is separate from the "enforce-changelog" workflow as it needs to run in the context of
+# the PR branch, which is generally discouraged for "pull_request_target" triggered workflows.
+
+name: Changelog Validation
+
+on:
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+      - reopened
+      - synchronize
+      - labeled
+      - unlabeled
+
+# This workflow runs for not-yet-reviewed external contributions and so it
+# intentionally has no write access and only limited read access to the
+# repository.
+permissions:
+  contents: read
+
+jobs:
+  validate-changelog:
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}
+    name: "Validate Changelog"
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: |
+            .changie.yaml
+            .changes/
+          sparse-checkout-cone-mode: false
+
+      - name: Validate changie fragment is valid
+        uses: miniscruff/changie-action@11bcad388e7973948cbcecb10863baf024d5f607 # v3.0.0
+        with:
+          version: latest
+          args: merge -u "." --dry-run
\ No newline at end of file
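Review bot: `version: latest` on the changie-action step fetches whichever changie release is current at run time, so the validation result can change between two runs of the same PR with no change to the PR itself; the action is SHA-pinned, so pinning the `version` input to a specific release (e.g. `version: v<X.Y.Z>`, placeholder) would make the check reproducible and keep the tool under the same supply-chain control as the action. The new file also ends without a trailing newline (`\ No newline at end of file`), which most YAML linters flag; add the final newline after `args: merge -u "." --dry-run`. The `pull_request` trigger combined with `permissions: contents: read`, the SHA-pinned actions and the sparse checkout of only `.changie.yaml` and `.changes/` is the right shape for a workflow that runs on unreviewed fork contributions.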
diff --git a/.github/workflows/changelog.yml b/.github/workflows/enforce-changelog.yml
similarity index 91%
rename from .github/workflows/changelog.yml
rename to .github/workflows/enforce-changelog.yml
index 510b35a2df..30b42bc724 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/enforce-changelog.yml
@@ -3,7 +3,7 @@
 # Do not extend this workflow to include checking out the code (e.g. for building and testing purposes) while the pull_request_target trigger is used.
 # Instead, see use of workflow_run in https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
 
-name: Changelog
+name: Enforce Changelog
 
 on:
   # The pull_request_target trigger event allows PRs raised from forks to have write permissions and access secrets.
@@ -25,27 +25,6 @@ permissions:
   pull-requests: write
 
 jobs:
-  # Validate the changelog in the pull request branch
-  validate-changelog-entry:
-    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}
-    name: "Validate Changelog"
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          sparse-checkout: |
-            .changie.yaml
-            .changes/
-          sparse-checkout-cone-mode: false
-          ref: ${{ github.head_ref }} # Head ref refers to the branch of this PR
-
-      - name: Validate changie fragment is valid
-        uses: miniscruff/changie-action@11bcad388e7973948cbcecb10863baf024d5f607 # v3.0.0
-        with:
-          version: latest
-          args: merge -u "." --dry-run
-
   # Check target branch of the PR to determine if a changelog is needed and what version folder it should exist in
   check-changelog-entry:
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-changelog-check') }}