A simple GitHub action that enforces that a maintained changelog is kept up to date.
License: MIT License
I'm a husband, dad, software engineer, and outdoor enthusiast.
I'm also helping software devs build their teams. I have a ๐ฐ newsletter, a โ๏ธ blog, and a few projects (๐) to help teams do just that.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
The current usage example already omits some of the available configurations, like missingUpdateErrorMessage and expectedLatestVersion. Since CHANGELOG.md seems to be pretty common for changelog files, and is already the default value for changeLogPath, maybe it could be omitted as well, to simplify the example code?
Additionally, perhaps the on.pull_request.types field could be removed as well, and mentioned in the documentation as a possible customization, since the default behavior for on.pull_request seems to sufficient for most use cases (it gets triggered in the opened, synchronize and reopened events), and the extra complexity of adding the types field might not be warranted for a "getting started" example.
Both changes would greatly improve the experience of first-time users (in particular, GitHub Actions beginners), since every extra line of config introduces concepts and complexity that quickly add up and make the hurdle of adopting this action a little bit harder. (On that note, thanks for the already excellent and comprehensive documentation!)
Describe the bug
A changelog modification is incorrectly detected if it only exists on the target branch.
To Reproduce
Expected behavior
The changelog enforcer should fail.
** Actual behavior**
The changelog enforcer does not fail.
This is due to the way how the diff is generated which takes into account changes on both sides (source and target branch).
A link to or sample of your workflow
https://github.com/Adobe-Consulting-Services/acs-aem-commons/runs/3352468125?check_suite_focus=true
Describe the bug
I recently tried adding the Changelog Enforcer to a repo and was doing the usual "Will it fail without a changelog change?" test and in the action output I saw:
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Thought I'd let you know.
To Reproduce
I think this should happen all the time as it's GitHub itself issuing the warning.
Expected behavior
I suppose no warning? ๐
A link to or sample of your workflow
name: "Enforce Changelog"
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
jobs:
# Enforces the update of a changelog file on every pull request
changelog:
runs-on: ubuntu-latest
steps:
- uses: dangoslen/changelog-enforcer@v3
with:
changeLogPath: 'ChangeLog.md'
skipLabels: 'skip changelog'
missingUpdateErrorMessage: >
No update to ChangeLog.md found! Please add a changelog
entry to it describing your change. Please note that the
keepachangelog (https://keepachangelog.com) format is
used. If your change is very trivial not applicable for a
changelog entry, add a 'Skip Changelog' label to the pull
request to skip the changelog enforcer.Is your feature request related to a problem? Please describe.
While the check already has a pretty clear error message (Error: No update to CHANGELOG.md found!) I'd like to customize it. In my use case I also want to let other contributors know what the expectation is by e.g. adding a link to keep a changelog to the error message or something alike.
Describe the solution you'd like
I'd like to have an additional param next to skipLabels etc. to customize the error message and have the current message as the default in case it was not set.
Describe alternatives you've considered
Alternatively I added a follow up action step to the workflow that echo's that message if the check fails but that feels like a painful workaround.
It's not immediately clear what the versionPattern field is needed for. I understand that in the surface it allows the tool to identify each version section in the CHANGELOG.md file, but why does it need to do that? I thought this action just checked whether the CHANGELOG.md file is edited in a PR.
Also, and perhaps more importantly, the line "Your regex should match the version as the 2nd match group" in the versionPattern documentation doesn't seem correct. I'm not sure exactly what is meant there, but for example, the regex we use here doesn't even have a 2nd group (since we didn't use the (v|V)? part of the default regex).
Another question for @dangoslen: does the enforcer allow multiple labels to skip the changelog?
I currently have my repo using something a la "trivial" but I might also want a label that is "skip changelog" for those times when we are doing an operation which isn't trivial, but is so structural that the changelog isn't needed (we have multiple protected branches which makes GitHub "fun" at times).
Describe the bug
When executed against our master branch off a push trigger, this job fails with the following error:
Run dangoslen/[email protected]
Skip Labels: skip-changelog
Changelog Path: CHANGELOG.md
Missing Update Error Message: No update to CHANGELOG.md found!
Expected Latest Version:
Version Pattern: ^## \[((v|V)?\d*\.\d*\.\d*-?\w*|unreleased|Unreleased|UNRELEASED)\]
Error: Cannot read property 'labels' of undefined
To Reproduce
Steps to reproduce the behavior:
push ... and this job will fail.Expected behavior
According to the documentation:
The Changelog Enforcer is designed to be used with the pull_request or pull_request_target event types.
Using this action on any other event type will result in a warning logged and the action succeeding (as to
not block the rest of a workflow).
However, this does not succeed.
https://github.com/seejohnrun/ice_cube/runs/3999206056?check_suite_focus=true
Describe the bug
Recently, a group I work with in trying to enforce our own order for Github Labels, added emojis as a workaround (since Github sees them as text underneath) so we can move, say, "Non 0 Diff" early in the label dropdown.
The issue is that it looks like changelog-enforcer doesn't handle Github emojis. For example, I have in my yaml file:
- uses: dangoslen/changelog-enforcer@v3
with:
changeLogPath: 'CHANGELOG.md'
skipLabels: "Changelog Skip,0 Diff Trivial,:wrench: Github Actions"
missingUpdateErrorMessage: >
No update to CHANGELOG.md found! Please add a changelog
entry to it describing your change. Please note that the
keepachangelog (https://keepachangelog.com) format is
used. If your change is very trivial not applicable for a
changelog entry, add a 'Changelog Skip' label to the pull
request to skip the changelog enforcer.But it looks like when the enforcer runs, the colons around :wrench: are stripped...maybe:
Run dangoslen/changelog-enforcer@v3
with:
changeLogPath: CHANGELOG.md
skipLabels: Changelog Skip,0 Diff Trivial,:wrench: Github Actions
...
Skip Labels: Changelog Skip,0 Diff Trivial,wrench,Github Actions
So :wrench: Github Actions is now wrench,Github Actions
Expected behavior
That it recognizes the emoji'd labels.
A link to or sample of your workflow
You can see my testing here:
Describe the bug
I used to have a setting of skipLabel: 'no changelog entry needed' in my config file. I cannot upgrade to v1.6.0 because the new version parses a setting of skipLabels: 'no changelog entry needed' as Skip Labels: no,changelog,entry,needed (as per the job log).
To Reproduce
name: Changelog Check
on:
pull_request:
branches: [ master ]
types: [ opened, synchronize, reopened, ready_for_review, labeled, unlabeled ]
jobs:
check-changelog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Gives an error if there's no change in the changelog (except using label)
- name: Changelog check
uses: dangoslen/[email protected]
with:
changeLogPath: 'CHANGELOG.md'
skipLabels: 'no changelog entry needed'Expected behavior
I thought the new behaviour was to only split on comma, not on spaces too.
A link to or sample of your workflow
https://github.com/robotty/simple-process-stats/blob/7ed34ca9718b82e942e4a6483b20fd3a5faa1332/.github/workflows/changelog-check.yml
robotty/simple-process-stats#9
https://github.com/robotty/simple-process-stats/pull/9/checks?check_run_id=1563404236
Describe the bug
In some repositories (organization repositories, and my private testing repo), possibly due to SSO, the retrieval of the changelog fails with a 404.
To Reproduce
debug output from workflow:
##[debug]Downloading page 1 of pull request files from /repos/rstevens-bw/Changelog-testing/pulls/3/files
##[debug]Downloaded page 1 of pull request files
##[debug]Filtering for changelog
##[debug]Downloading changelog from https://github.com/rstevens-bw/Changelog-testing/raw/d768094e515b4b725c66fb555b42691101feb58d/CHANGELOG.md
::set-output name=errorMessage::Got a 404 response from GitHub API
##[debug]='Got a 404 response from GitHub API'
Error: Got a 404 response from GitHub API
The file is there, but the raw_url pulled from https://api.github.com/repos/rstevens-bw/Changelog-testing/pulls/3/files
"redirects" to https://raw.githubusercontent.com/rstevens-bw/Changelog-testing/e201647094851659c49fd1958481f01afb35e98d/CHANGELOG.md?token=blah
for some reason this doesn't work in the workflows, and I've seen the same behavior using postman with a bearer token.
I can successfully get https://api.github.com/repos/rstevens-bw/Changelog-testing/pulls/3/files, and the contents of the changelog with
https://raw.githubusercontent.com/rstevens-bw/Changelog-testing/e201647094851659c49fd1958481f01afb35e98d/CHANGELOG.md using the same bearer token, but
get a 404 when attempting to do a get to the raw_url: https://github.com/rstevens-bw/Changelog-testing/raw/d768094e515b4b725c66fb555b42691101feb58d/CHANGELOG.md
Expected behavior
Changelog enforcer is able to retrieve the contents of the changelog
A link to or sample of your workflow
# Issue this action only pull request events
on:
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
- labeled
- unlabeled
jobs:
enforce-changelog:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2 #Checks out the repository in a detached head state for the ref supplied by the PR
- name: get version
id: get-version
run: |
echo "::set-output name=version::$(cat VERSION)"
- uses: dangoslen/changelog-enforcer@v3
with:
skipLabels: 'skip-changelog'
expectedLatestVersion: ${{ steps.get-version.outputs.version }}
proposed fix
to avoid the redirect I am using the contents_url returned by https://api.github.com/repos/rstevens-bw/Changelog-testing/pulls/3/files, instead of the raw_url, with an additional header: 'Accept: application/vnd.github.VERSION.raw' which works (at least for me)
Is your feature request related to a problem? Please describe.
currently, push event isn't supported
Describe the solution you'd like
implement support for push event
Describe alternatives you've considered
n/a
Additional context
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push
Is your feature request related to a problem? Please describe.
I'd like to skip the changelog enforcement when some labels are applied and some other are not.
Example: there may be cases where a PR contains a mix of changes that require changelog updates and changes that do not. In this case the Pr would contain a mix of labels that would enforce changelog updates and some that would not.
Describe the solution you'd like
Add a new field "includeLabels" accepting a comma separated list of labels.
Is your feature request related to a problem? Please describe.
My project includes multiple crates in a workspace, each with separate changelogs.
Describe the solution you'd like
I'd like for there to be a match key that accepts a directory to search for changes in, alongside the changeLogPath key.
Describe alternatives you've considered
I've tried to use this in a reusable workflow, but I can not get the action to only run in a subdirectory, since those check out their own sources.
Is your feature request related to a problem? Please describe.
The poject uses an outdated version of uglify-js (version 1.3.5, from dist which is an 11 year old package not developed any more). It is affected by CVE-2015-8857.
Describe the solution you'd like
The dependency on the package with a critical vulnerability should be removed. Either by replacing the dist package with a newer version, or using the newer version of uglify-js for this package.
Describe the bug
Getting the following errors on my builds:
Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
[15](https://github.com/ZebraIO/zebra/actions/runs/3864056928/jobs/6586622639#step:2:16)
Error: Got a 403 response from GitHub API
To Reproduce
Steps to reproduce the behavior:
name: "Changelog Checker"
on:
pull_request:
# The specific activity types are listed here to include "labeled" and "unlabeled"
# (which are not included by default for the "pull_request" trigger).
# This is needed to allow skipping enforcement of the changelog in PRs with specific labels,
# as defined in the (optional) "skipLabels" property.
types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
jobs:
# Enforces the update of a changelog file on every pull request
changelog:
runs-on: ubuntu-latest
steps:
- uses: dangoslen/[email protected]
with:
expectedLatestVersion: UnreleasedExpected behavior
Completes OK
A link to or sample of your workflow
N/A
Is your feature request related to a problem? Please describe.
In some cases, a CHANGELOG.md might be created for an upcoming version such that the version is known. In other cases, the version is often put as UNRELEASED until the version is ready.
In either case, it would be good to know that the version expected is in the CHANGELOG.md file and is the latest version as well.
This can help in the case of a new version (say v1.6.0) is being prepared and the package manager (mvn, npm, etc) has v1.6.0 as the version (or a -SNAPSHOT of that version). If the CHANGELOG.md does not have a v1.6.0 version listed, then it should fail.
Describe the solution you'd like
Add a new input of expectedLatestVersion that when set verifies the CHANGELOG.md contains that version and it is the latest. By default, the value is set to empty and no validation occurs.
Teams could use UNRELEASED as well based on their workflows needs of when they actually cut versions if they wanted to.
Describe the bug
Changelog enforcer is unable to run on pushes to main, but it still tries.
To Reproduce
If I want the other steps in my job to still run if somebody pushes to main, I might put something like this:
name: Pull Request Workflow
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
push:
branches:
- mainUnfortunately changelog-enforcer fails with the error:
Error: Cannot read property 'labels' of undefined
Expected behavior
Likely fail because the CHANGELOG.md hasn't changed.
Workaround
Making changelog-enforcer conditional works around the issue:
- if: ${{ github.event_name == 'pull_request' }}
uses: dangoslen/changelog-enforcer@v2
with:
changeLogPath: 'CHANGELOG.md'
skipLabels: 'no changelog'Is your feature request related to a problem? Please describe.
Dependabot PRs can often become overwhelming and then don't automatically keep a record of their existence.
This feature is to combine the Changelog Enforcer's ability to see if a change was made to the ChangeLog, to add an auto-entry from a Dependabot PR.
Describe the solution you'd like
Ideally, this would be an opt-in feature where an action workflow can say that they want to add Dependabot Changelog Entries to their Changelog. Some ideas include using labels where an argument - dependabotUpdateLabel - would update the changelog when that label is present. Many Dependabot users add auto-labels to their PRs via dependabot.yml config files, so this would tie well into that pattern.
As far as the entry itself, Dependabot can configure the commit message, so simply using that message from the PR would suffice as the entry.
Describe alternatives you've considered
Another option would be to look for the pull request author, but there may be times that a team doesn't want to do a Dependabot Changelog Entry, but they do for others. Labels allow this easily since Dependabot can add different labels for different eco-systems, etc.
Describe the solution you'd like
This action currently only makes sure that the file specified has changed. However, it would be useful to validate a few things about the changelog such that it conforms to standards or formats already known.
The most common is Keep a Changelog. However, I know other teams have used this with simplified formats, so they would need to be able to skip validation or provide their own validate...
To me, focusing on minimal format is important. Keep a Changelog itself is more a convention over a standard. Teams should be able to add details they believe are relevant to their changelog as needed.
Describe alternatives you've considered
An alternative could be providing output from the changelog to the caller to be verified by their own script. Perhaps a combination of both this and the previous are good approaches?
Additional context
Being able to validate that changelog could be important, but it could easily become burdensome.
As Node 16 is now the new default at GitHub Actions in hosted runners and Node 12 reached EOL April 2022 this action should run with Node 16 by default.
Similar changes were implemented e.g. for codecov-action, checkout or setup-java.
Is your feature request related to a problem? Please describe.
In some cases, a CHANGELOG.md might be created for an upcoming version such that the version is known. In other cases, the version is often put as UNRELEASED until the version is ready.
In either case, it would be good to know that the version expected is in the CHANGELOG.md file and is the latest version as well.
This can help in the case of a new version (say v1.6.0) is being prepared and the package manager (mvn, npm, etc) has v1.6.0 as the version (or a -SNAPSHOT of that version). If the CHANGELOG.md does not have a v1.6.0 version listed, then it should fail.
Describe the solution you'd like
Add a new input of expectedLatestVersion that when set verifies the CHANGELOG.md contains that version and it is the latest. By default, the value is set to empty and no validation occurs.
Teams could use UNRELEASED as well based on their workflows needs of when they actually cut versions if they wanted to.
Describe the bug
Adding the skipLabel to a PR after the changelog-enforcer action has failed once doesn't cause subsequent reruns of the action to succeed.
To Reproduce
Steps to reproduce the behavior:
Skip-Changelog label to the PR.Expected behavior
The Check CHANGELOG action succeeds.
A link to or sample of your workflow
Here is our workflow and here is an example of a PR exhibiting this bug.
Although a proper skip label is set (e.g. in Adobe-Consulting-Services/acs-aem-commons#2756), it is not evaluated, i.e. the changelog enforcer is not skipped.
Not sure if this related to using the event "pull_request_target" or missing permissions (https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/77104988d6971e7d43aa973f859bcdf5a9596f25/.github/workflows/maven.yml#L16).
Describe the bug
This might not be a bug, but an FYI. I accidentally typed:
- uses: actions/checkout@v2when adding this to a repo I help manage and this action is not happy (at 1.2.0). Not sure why.
To Reproduce
Try to use with actions/checkout@v2, and Github throws an error
Expected behavior
The behavior with actions/checkout@v1 saying you need to change the Changelog.
(NOTE: This might be also be due to my repo? Not sure...)
This is a weird one for the guru, @dangoslen. I've been happily using changelog enforcer but a recent foray into "automatic" PRs with action-pull-request by @ChristophShyper has led to an oddity. Namely, when an automatic PR to develop is triggered, see here:
for some reason, the changelog enforcer gets...stuck. It's like the action never gets triggered. Whether or not there is a changelog update, it doesn't run. I tried to solve it by always adding a "Skip Changelog" to the auto PR (since, well, this sort of PR doesn't matter for changelog in truth), but even then, it doesn't skip. I can "fix" it by just removing/relabeling with some label like "Skip Changelog" and then the action is triggered.
I'm wondering if you have any ideas. Perhaps there is some weird combination between action-pull-request and changelog-enforcer? It's baffling me.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.