Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
158 changes: 11 additions & 147 deletions .github/workflows/changelog.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,162 +12,26 @@
# ============================================================
name: Changelog

permissions:
contents: read

on:
push:
branches: [ main ]
branches: [main]
paths-ignore:
- "CHANGELOG.md" # don't re-trigger after the bot commit
- "CHANGELOG.md"
- "**.md"
- "LICENSE"
pull_request:
branches: [ main ]
branches: [main]
paths-ignore:
- "CHANGELOG.md"
- "LICENSE"

permissions:
contents: read
pull-requests: read

# ──────────────────────────────────────────────────────────────
jobs:

# ── Update CHANGELOG.md on main ───────────────────────────
update-changelog:
name: πŸ“ Update CHANGELOG.md
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
permissions:
contents: read # KTESTIFY_CHANGELOG_PAT handles the push to main
pull-requests: read # fetch PR metadata for git-cliff

steps:
- name: Checkout (full history for cliff)
uses: actions/checkout@v7
with:
fetch-depth: 0
token: ${{ secrets.KTESTIFY_CHANGELOG_PAT }}

- name: Generate CHANGELOG.md with git-cliff
uses: orhun/git-cliff-action@v4
with:
config: cliff.toml
env:
OUTPUT: CHANGELOG.md
GITHUB_REPO: ${{ github.repository }}
GITHUB_TOKEN: ${{ secrets.KTESTIFY_CHANGELOG_PAT }}

- name: Commit updated CHANGELOG.md
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
# Only commit if the file actually changed
if git diff --quiet CHANGELOG.md; then
echo "CHANGELOG.md is already up-to-date β€” nothing to commit."
else
git add CHANGELOG.md
git commit -m "chore(release): update CHANGELOG.md [skip ci]"
git push
fi

# ── PR preview (read-only, no push) ───────────────────────
preview-changelog:
name: πŸ” Preview changelog (unreleased)
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
changelog:
permissions:
contents: read
pull-requests: write # post / update the sticky preview comment

steps:
- name: Checkout (full history for cliff)
uses: actions/checkout@v7
with:
fetch-depth: 0

- name: Generate unreleased changelog preview
uses: orhun/git-cliff-action@v4
with:
config: cliff.toml
# Only show unreleased (since last tag)
args: --verbose --unreleased
env:
OUTPUT: CHANGELOG-preview.md
GITHUB_REPO: ${{ github.repository }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Upload preview artifact
uses: actions/upload-artifact@v7
with:
name: changelog-preview-${{ github.run_id }}
path: CHANGELOG-preview.md
retention-days: 7

# ── Write preview to job summary ─────────────────────
- name: πŸ“‹ Write changelog preview to job summary
run: |
echo "## πŸ“‹ Unreleased Changelog Preview" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ -s CHANGELOG-preview.md ]; then
cat CHANGELOG-preview.md >> $GITHUB_STEP_SUMMARY
else
echo "_No unreleased changes found since the last tag._" >> $GITHUB_STEP_SUMMARY
fi

# ── Sticky PR comment ─────────────────────────────────
# Updates the same comment on every push to keep the PR clean.
- name: πŸ’¬ Post changelog preview to PR
uses: actions/github-script@v9
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const fs = require('fs');
const marker = '<!-- ktestify-changelog-preview -->';
const runUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`;

let preview = '_No unreleased changes found since the last tag._';
if (fs.existsSync('CHANGELOG-preview.md')) {
const raw = fs.readFileSync('CHANGELOG-preview.md', 'utf8').trim();
if (raw.length > 0) preview = raw;
}

const body = [
marker,
'## πŸ“‹ Unreleased Changelog Preview',
'',
'> This is what the next release notes will look like based on commits in this PR.',
'',
preview,
'',
'---',
`*πŸ”„ [Run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}) Β· ${new Date().toUTCString()}*`,
].join('\n');

const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
per_page: 100,
});

const existing = comments.find(c => c.body?.includes(marker));

if (existing) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: existing.id,
body,
});
console.log(`βœ… Updated changelog preview comment #${existing.id}`);
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body,
});
console.log('βœ… Created changelog preview comment');
}


contents: write
uses: ktestify/.github/.github/workflows/reusable-changelog.yml@main
secrets:
KTESTIFY_CHANGELOG_PAT: ${{ secrets.KTESTIFY_CHANGELOG_PAT }}
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
47 changes: 4 additions & 43 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,51 +12,12 @@ name: Dependency Review

on:
pull_request:
branches: [ main ]
branches: [main]

permissions:
contents: read
pull-requests: write # needed to post an inline PR comment
pull-requests: read

# ──────────────────────────────────────────────────────────────
jobs:
dependency-review:
name: πŸ”’ Dependency Review
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # post the summary comment on the PR

steps:
- name: Checkout
uses: actions/checkout@v7 # v6: credentials stored in $RUNNER_TEMP

- name: Dependency Review
uses: actions/dependency-review-action@v5
with:
# Fail the check for any vulnerability rated moderate or above
fail-on-severity: moderate

# Post a detailed summary as a PR comment
comment-summary-in-pr: always

# Security checks
vulnerability-check: true

# Licence checks β€” allow common open-source-compatible licences
license-check: true
allow-licenses: >-
Apache-2.0,
MIT,
BSD-2-Clause,
BSD-3-Clause,
ISC,
LGPL-2.0-only,
LGPL-2.1-only,
LGPL-2.1-or-later,
EPL-1.0,
EPL-2.0,
CDDL-1.0,
CC0-1.0


review:
uses: ktestify/.github/.github/workflows/reusable-dependency-review.yml@main
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Loading
Loading