chore(deps): bump the cargo-weekly group across 1 directory with 6 updates #230
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Changelog Generate | |
| # pull_request_target runs in the context of the base branch, giving access | |
| # to secrets even for fork PRs. This is safe here because the workflow | |
| # definition comes from the base branch (can't be modified by the fork) and | |
| # we never execute code from the PR — we only read the diff. | |
| on: | |
| pull_request_target: | |
| types: [labeled] | |
| concurrency: ${{ github.workflow }}-${{ github.event.number }} | |
| permissions: {} | |
| jobs: | |
| generate: | |
| if: startsWith(github.event.label.name, 'changelog:') | |
| runs-on: ubuntu-latest | |
| environment: release | |
| permissions: {} | |
| steps: | |
| - name: Determine PR source | |
| id: source | |
| env: | |
| HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | |
| THIS_REPO: ${{ github.repository }} | |
| run: | | |
| if [ "$HEAD_REPO" = "$THIS_REPO" ]; then | |
| echo "same_repo=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "same_repo=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Validate branch ref | |
| if: steps.source.outputs.same_repo == 'true' | |
| id: ref | |
| env: | |
| HEAD_REF: ${{ github.event.pull_request.head.ref }} | |
| run: | | |
| set -euo pipefail | |
| REF="$HEAD_REF" | |
| if [[ ! "$REF" =~ ^[A-Za-z0-9._/-]+$ ]]; then | |
| echo "Invalid branch ref: $REF" >&2 | |
| exit 1 | |
| fi | |
| echo "ref=$REF" >> "$GITHUB_OUTPUT" | |
| - name: Mint scoped app token | |
| if: steps.source.outputs.same_repo == 'true' | |
| id: app-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| client-id: ${{ vars.RELEASE_BOT_APP_ID || secrets.RELEASE_BOT_APP_ID }} | |
| private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }} | |
| owner: tempoxyz | |
| repositories: wallet | |
| permission-contents: write | |
| permission-pull-requests: write | |
| permission-metadata: read | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: steps.source.outputs.same_repo == 'true' | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| token: ${{ steps.app-token.outputs.token }} | |
| persist-credentials: false | |
| - name: Fetch base branch for diff comparison | |
| if: steps.source.outputs.same_repo == 'true' | |
| env: | |
| BASE_REF: ${{ github.base_ref }} | |
| run: | | |
| git fetch origin "$BASE_REF" | |
| - name: Check for existing changelog | |
| if: steps.source.outputs.same_repo == 'true' | |
| id: existing | |
| env: | |
| BASE_REF: ${{ github.base_ref }} | |
| run: | | |
| if git diff "origin/${BASE_REF}...HEAD" --name-only | grep -q '^\.changelog/.*\.md$'; then | |
| echo "found=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "found=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Install changelogs | |
| if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false' | |
| run: | | |
| EXPECTED_SHA256="34bca37144e400d167f936d83c092da4b032591a74ae8c0175c3a42d716cc54c" | |
| CHANGELOGS_BIN="$RUNNER_TEMP/changelogs" | |
| curl -fsSL "https://github.com/tempoxyz/changelogs/releases/download/changelogs%400.6.2/changelogs-linux-amd64" -o "$CHANGELOGS_BIN" | |
| ACTUAL_SHA256=$(sha256sum "$CHANGELOGS_BIN" | cut -d' ' -f1) | |
| if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then | |
| echo "::error::changelogs checksum mismatch: expected $EXPECTED_SHA256, got $ACTUAL_SHA256" | |
| exit 1 | |
| fi | |
| chmod +x "$CHANGELOGS_BIN" | |
| - name: Install claude | |
| if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false' | |
| run: npm install -g @anthropic-ai/claude-code@1.0.3 | |
| - name: Extract bump level from label | |
| if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false' | |
| id: bump | |
| run: echo "level=${LABEL#changelog:}" >> "$GITHUB_OUTPUT" | |
| env: | |
| LABEL: ${{ github.event.label.name }} | |
| - name: Generate changelog | |
| if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false' | |
| env: | |
| ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} | |
| BUMP_LEVEL: ${{ steps.bump.outputs.level }} | |
| BASE_REF: ${{ github.base_ref }} | |
| run: | | |
| CHANGELOGS_BIN="$RUNNER_TEMP/changelogs" | |
| cat > /tmp/changelog-instructions.md << 'PROMPT' | |
| Generate a changelog entry for this git diff. | |
| Available packages: {packages} | |
| Respond with ONLY a markdown file in this exact format (no explanation, no code fences): | |
| --- | |
| <package-name>: BUMP_LEVEL | |
| --- | |
| Brief description of changes. | |
| Rules: | |
| - Replace <package-name> with actual package names from the list above | |
| - Include ONLY packages that had actual code changes in the frontmatter | |
| - Use "BUMP_LEVEL" as the bump level for all packages. Do not use a higher bump level. | |
| - Keep the summary concise (1-3 sentences) | |
| - Do NOT wrap the output in code fences | |
| Git diff: | |
| {diff} | |
| PROMPT | |
| sed -i "s/BUMP_LEVEL/$BUMP_LEVEL/g" /tmp/changelog-instructions.md | |
| "$CHANGELOGS_BIN" add --ai "claude -p" --ref "origin/${BASE_REF}" \ | |
| --instructions "$(cat /tmp/changelog-instructions.md)" | |
| - name: Commit and push changelog | |
| if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false' | |
| env: | |
| VALIDATED_REF: ${{ steps.ref.outputs.ref }} | |
| APP_TOKEN: ${{ steps.app-token.outputs.token }} | |
| run: | | |
| set -euo pipefail | |
| git config user.name "github-actions[bot]" | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git add .changelog/ | |
| git commit -m "chore: add changelog" | |
| git push "https://x-access-token:${APP_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${VALIDATED_REF}" | |
| pr-feedback: | |
| name: PR feedback | |
| needs: generate | |
| if: always() && startsWith(github.event.label.name, 'changelog:') | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Comment for fork PRs | |
| if: github.event.pull_request.head.repo.full_name != github.repository | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Changelog auto-generation is only supported for same-repo branches. For fork PRs, please add a changelog file manually under .changelog/." | |
| - name: Remove label | |
| if: always() | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| REPO: ${{ github.repository }} | |
| LABEL: ${{ github.event.label.name }} | |
| run: gh pr edit "$PR_NUMBER" --repo "$REPO" --remove-label "$LABEL" |