fix(workflows): rewrite unreleased-changelog-trigger.yml#5281
Conversation
The previous version was failing on every push with no jobs running —
GitHub's API was reporting the workflow's "name" as the file path
rather than the configured `name:` field, indicating a startup-level
parse/validation failure (likely from the actions/github-script step
with a nested ${{}} expression containing double-quoted strings).
Rewrite from scratch with a smaller, simpler structure:
- Single job (drop the redundant check-permissions job; gate via the
job-level `if:` against github.actor instead).
- Allow github-actions[bot] as an actor (it's the committer that
auto-changelog-v3.yml uses to push the changelog entry, which is the
push that should fire this workflow).
- Use `gh workflow run` rather than actions/github-script to dispatch
nightly-release-v3.yml — fewer moving parts, no JS interpolation.
- Fetch UNRELEASED_CHANGELOG.md via the contents API instead of a full
git checkout.
Net: 138 lines -> 55 lines, same intended behaviour, no startup_failure.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughReplaces a two-job workflow with a single job gated by an allowlist of Changes
Sequence Diagram(s)sequenceDiagram
participant Repo as Repository (push)
participant Runner as Actions Runner
participant GitHubAPI as GitHub Contents API
participant CLI as GitHub CLI (gh)
participant Nightly as nightly-release-v3.yml
Repo->>Runner: workflow triggered (paths include workflow file)
Runner->>Runner: evaluate job-level `if` (trusted github.actor)
alt actor trusted
Runner->>GitHubAPI: GET v3/UNRELEASED_CHANGELOG.md (contents API, ref=master)
GitHubAPI-->>Runner: file content
Runner->>Runner: grep for bullet entries ("- " or similar)
alt bullets found
Runner->>CLI: run `gh workflow run nightly-release-v3.yml` inputs: force_release=true, dry_run=...
CLI-->>Nightly: dispatch workflow run
else no bullets
Runner-->>Runner: skip dispatch (no content)
end
else actor not trusted
Runner-->>Runner: job skipped by `if`
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Review rate limit: 5/8 reviews remaining, refill in 15 minutes and 41 seconds.Comment |
There was a problem hiding this comment.
Pull request overview
Rewrites the unreleased-changelog-trigger GitHub Actions workflow to reliably trigger the v3 nightly release workflow when v3/UNRELEASED_CHANGELOG.md is updated, avoiding the prior workflow’s apparent startup/parse failures.
Changes:
- Simplifies to a single gated job (trusted actors only) and removes the separate permissions-check job.
- Fetches
v3/UNRELEASED_CHANGELOG.mdvia the GitHub Contents API (no checkout) and checks for bullet content. - Dispatches
nightly-release-v3.ymlviagh workflow runinstead ofactions/github-script.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| curl -fsSL \ | ||
| -H "Accept: application/vnd.github.raw" \ | ||
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/contents/v3/UNRELEASED_CHANGELOG.md?ref=master" \ | ||
| > /tmp/UNRELEASED_CHANGELOG.md |
There was a problem hiding this comment.
curl -fsSL will fail the step (and the entire job) on transient GitHub API/network errors. Since this runs on every qualifying push, adding a small retry/backoff (or handling non-2xx responses with a clearer message) would reduce flaky failures unrelated to changelog content.
| curl -fsSL \ | |
| -H "Accept: application/vnd.github.raw" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/contents/v3/UNRELEASED_CHANGELOG.md?ref=master" \ | |
| > /tmp/UNRELEASED_CHANGELOG.md | |
| if ! curl -fsSL \ | |
| --retry 3 \ | |
| --retry-delay 2 \ | |
| --retry-all-errors \ | |
| --connect-timeout 10 \ | |
| --max-time 60 \ | |
| -H "Accept: application/vnd.github.raw" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/contents/v3/UNRELEASED_CHANGELOG.md?ref=master" \ | |
| > /tmp/UNRELEASED_CHANGELOG.md; then | |
| echo "::error::Failed to fetch v3/UNRELEASED_CHANGELOG.md from the GitHub API after retries." | |
| exit 1 | |
| fi |
| branches: [master] | ||
| paths: | ||
| - 'v3/UNRELEASED_CHANGELOG.md' | ||
| - '.github/workflows/unreleased-changelog-trigger.yml' |
There was a problem hiding this comment.
Including .github/workflows/unreleased-changelog-trigger.yml in on.push.paths means a workflow-only change can still dispatch nightly-release-v3.yml as long as v3/UNRELEASED_CHANGELOG.md currently contains any bullet content. This is a behavior change from “release only when changelog is updated” and can trigger an unintended release run when editing the workflow itself. Consider removing this path filter entry, or add an additional guard (e.g., a job/step if:) so dispatch only occurs when the changelog file was part of the pushed changes.
| - '.github/workflows/unreleased-changelog-trigger.yml' |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/unreleased-changelog-trigger.yml:
- Line 8: The workflow currently includes its own file in the push paths list
which can cause accidental releases when the workflow file is edited; remove the
entry referencing '.github/workflows/unreleased-changelog-trigger.yml' from the
paths trigger so the workflow only responds to changes to
UNRELEASED_CHANGELOG.md (keep workflow_dispatch intact for manual tests),
ensuring the existing actor allowlist and the force_release=true dispatch logic
are not invoked by edits to the workflow file itself.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 483b3a59-2cc7-4875-b381-e81ffb465cd6
📒 Files selected for processing (1)
.github/workflows/unreleased-changelog-trigger.yml
Functionally identical, but easier to read at a glance — no contains-on-array vs contains-on-string semantics to remember. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/workflows/unreleased-changelog-trigger.yml (1)
8-8:⚠️ Potential issue | 🟠 MajorRemove workflow self-trigger path to avoid unintended releases
Line 8 allows this workflow to run when this workflow file itself changes. That can still dispatch
nightly-release-v3.ymlduring maintenance edits if the changelog currently has bullet entries. Please remove this path and keep triggering only onv3/UNRELEASED_CHANGELOG.md(manualworkflow_dispatchremains available).Suggested change
push: branches: [master] paths: - 'v3/UNRELEASED_CHANGELOG.md' - - '.github/workflows/unreleased-changelog-trigger.yml'🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/unreleased-changelog-trigger.yml at line 8, Remove the self-trigger path entry currently present in the workflow's "paths" list (the string '.github/workflows/unreleased-changelog-trigger.yml') so the workflow no longer runs when its own file is edited; leave the path filter that targets 'v3/UNRELEASED_CHANGELOG.md' intact and keep the existing manual 'workflow_dispatch' trigger. Update the paths array in .github/workflows/unreleased-changelog-trigger.yml to exclude the workflow file name and ensure only changes to v3/UNRELEASED_CHANGELOG.md (and manual dispatch) can trigger the run.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/unreleased-changelog-trigger.yml:
- Line 8: Remove the self-trigger path entry currently present in the workflow's
"paths" list (the string '.github/workflows/unreleased-changelog-trigger.yml')
so the workflow no longer runs when its own file is edited; leave the path
filter that targets 'v3/UNRELEASED_CHANGELOG.md' intact and keep the existing
manual 'workflow_dispatch' trigger. Update the paths array in
.github/workflows/unreleased-changelog-trigger.yml to exclude the workflow file
name and ensure only changes to v3/UNRELEASED_CHANGELOG.md (and manual dispatch)
can trigger the run.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 997eac00-a871-43ec-afdb-23ae4cdfdff3
📒 Files selected for processing (1)
.github/workflows/unreleased-changelog-trigger.yml
- Drop the workflow file itself from `on.push.paths`. Including it meant a workflow-only edit could dispatch a release as long as the changelog already had bullet content (behavior change from "release only when changelog updates"). Reverting to the original semantics. - Add `--retry 3 --retry-delay 2 --retry-connrefused` to the curl fetch of UNRELEASED_CHANGELOG.md so transient API/network errors don't fail the whole job and silently miss a release trigger. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…): rewrite unreleased-changelog-trigger.yml
Summary
The previous version was failing on every push with zero job output — GitHub's API reported the workflow's
nameas the file path rather than the configuredname:field, indicating a startup-level parse/validation failure (likely from theactions/github-scriptstep with a nested${{ ... || "false" }}expression containing double-quoted strings).Rather than chase the YAML/expression mess, rewrite from scratch with a smaller, simpler structure.
Changes
check-permissionsjob; gate via job-levelif:againstgithub.actor).github-actions[bot]as an actor (the committer thatauto-changelog-v3.ymluses to push the changelog entry — i.e. the very push that should fire this trigger).gh workflow runinstead ofactions/github-scriptto dispatchnightly-release-v3.yml— fewer moving parts, no JS interpolation.UNRELEASED_CHANGELOG.mdvia the contents API instead of a full git checkout (saves a checkout on every push).Net: 138 lines → 55 lines, same intended behaviour, no startup_failure.
Test plan
namefield reads "Auto Release on Changelog Update", not the file path).auto-changelog-v3.ymlPR-merge commit that touchesv3/UNRELEASED_CHANGELOG.md, this workflow runs and dispatchesnightly-release-v3.yml.workflow_dispatchwithdry_run: truesucceeds.🤖 Generated with Claude Code
Summary by CodeRabbit