Skip to content

chore(deps): bump the actions-weekly group across 1 directory with 2 updates #216

chore(deps): bump the actions-weekly group across 1 directory with 2 updates

chore(deps): bump the actions-weekly group across 1 directory with 2 updates #216

name: Changelog Generate
# pull_request_target runs in the context of the base branch, giving access
# to secrets even for fork PRs. This is safe here because the workflow
# definition comes from the base branch (can't be modified by the fork) and
# we never execute code from the PR — we only read the diff.
on:
pull_request_target:
types: [labeled]
concurrency: ${{ github.workflow }}-${{ github.event.number }}
permissions: {}
jobs:
generate:
if: startsWith(github.event.label.name, 'changelog:')
runs-on: ubuntu-latest
environment: release
permissions: {}
steps:
- name: Determine PR source
id: source
env:
HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
THIS_REPO: ${{ github.repository }}
run: |
if [ "$HEAD_REPO" = "$THIS_REPO" ]; then
echo "same_repo=true" >> "$GITHUB_OUTPUT"
else
echo "same_repo=false" >> "$GITHUB_OUTPUT"
fi
- name: Validate branch ref
if: steps.source.outputs.same_repo == 'true'
id: ref
env:
HEAD_REF: ${{ github.event.pull_request.head.ref }}
run: |
set -euo pipefail
REF="$HEAD_REF"
if [[ ! "$REF" =~ ^[A-Za-z0-9._/-]+$ ]]; then
echo "Invalid branch ref: $REF" >&2
exit 1
fi
echo "ref=$REF" >> "$GITHUB_OUTPUT"
- name: Mint scoped app token
if: steps.source.outputs.same_repo == 'true'
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.RELEASE_BOT_APP_ID || secrets.RELEASE_BOT_APP_ID }}
private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
owner: tempoxyz
repositories: wallet
permission-contents: write
permission-pull-requests: write
permission-metadata: read
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: steps.source.outputs.same_repo == 'true'
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
persist-credentials: false
- name: Fetch base branch for diff comparison
if: steps.source.outputs.same_repo == 'true'
env:
BASE_REF: ${{ github.base_ref }}
run: |
git fetch origin "$BASE_REF"
- name: Check for existing changelog
if: steps.source.outputs.same_repo == 'true'
id: existing
env:
BASE_REF: ${{ github.base_ref }}
run: |
if git diff "origin/${BASE_REF}...HEAD" --name-only | grep -q '^\.changelog/.*\.md$'; then
echo "found=true" >> "$GITHUB_OUTPUT"
else
echo "found=false" >> "$GITHUB_OUTPUT"
fi
- name: Install changelogs
if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
run: |
EXPECTED_SHA256="34bca37144e400d167f936d83c092da4b032591a74ae8c0175c3a42d716cc54c"
CHANGELOGS_BIN="$RUNNER_TEMP/changelogs"
curl -fsSL "https://github.com/tempoxyz/changelogs/releases/download/changelogs%400.6.2/changelogs-linux-amd64" -o "$CHANGELOGS_BIN"
ACTUAL_SHA256=$(sha256sum "$CHANGELOGS_BIN" | cut -d' ' -f1)
if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
echo "::error::changelogs checksum mismatch: expected $EXPECTED_SHA256, got $ACTUAL_SHA256"
exit 1
fi
chmod +x "$CHANGELOGS_BIN"
- name: Install claude
if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
run: npm install -g @anthropic-ai/claude-code@1.0.3
- name: Extract bump level from label
if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
id: bump
run: echo "level=${LABEL#changelog:}" >> "$GITHUB_OUTPUT"
env:
LABEL: ${{ github.event.label.name }}
- name: Generate changelog
if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
BUMP_LEVEL: ${{ steps.bump.outputs.level }}
BASE_REF: ${{ github.base_ref }}
run: |
CHANGELOGS_BIN="$RUNNER_TEMP/changelogs"
cat > /tmp/changelog-instructions.md << 'PROMPT'
Generate a changelog entry for this git diff.
Available packages: {packages}
Respond with ONLY a markdown file in this exact format (no explanation, no code fences):
---
<package-name>: BUMP_LEVEL
---
Brief description of changes.
Rules:
- Replace <package-name> with actual package names from the list above
- Include ONLY packages that had actual code changes in the frontmatter
- Use "BUMP_LEVEL" as the bump level for all packages. Do not use a higher bump level.
- Keep the summary concise (1-3 sentences)
- Do NOT wrap the output in code fences
Git diff:
{diff}
PROMPT
sed -i "s/BUMP_LEVEL/$BUMP_LEVEL/g" /tmp/changelog-instructions.md
"$CHANGELOGS_BIN" add --ai "claude -p" --ref "origin/${BASE_REF}" \
--instructions "$(cat /tmp/changelog-instructions.md)"
- name: Commit and push changelog
if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
env:
VALIDATED_REF: ${{ steps.ref.outputs.ref }}
APP_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add .changelog/
git commit -m "chore: add changelog"
git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${VALIDATED_REF}"
pr-feedback:
name: PR feedback
needs: generate
if: always() && startsWith(github.event.label.name, 'changelog:')
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Comment for fork PRs
if: github.event.pull_request.head.repo.full_name != github.repository
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.number }}
REPO: ${{ github.repository }}
run: |
gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Changelog auto-generation is only supported for same-repo branches. For fork PRs, please add a changelog file manually under .changelog/."
- name: Remove label
if: always()
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.number }}
REPO: ${{ github.repository }}
LABEL: ${{ github.event.label.name }}
run: gh pr edit "$PR_NUMBER" --repo "$REPO" --remove-label "$LABEL"