changelog checker #54
Conversation
|
New and updated dependencies detected. Learn more about Socket for GitHub ↗︎
|
|
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is new author?A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package. Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. What is a deprecated package?The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed. Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
| console.log("🔍 Diff between base and feature '[Unreleased]' sections:"); | ||
|
|
||
| if (removedLines.length > 0) { | ||
| console.log('❌ Removed:'); |
| .github/workflows/changelog-check.yml: | ||
| ignore: | ||
| # Ignore SC2086 warnings related to shell commands | ||
| - 'SC2086:.+' |
There was a problem hiding this comment.
Why ignore these warnings? String splitting is the cause of many Bash script bugs
There was a problem hiding this comment.
It's because the shell gh actions scripts yml is handling expansion of github variables which in the context of running github action's can't be done syntactically without triggering these warnings, the CI check for these is assuming you're running a vanilla shell script but in GH actions the expansion of variables is done before it's passed to shell but the linter doesn't / cant know that so it flags
| filePath?: string; | ||
| text?: string; | ||
| // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires | ||
| }) => Promise<Changelog> = require('changelog-parser'); |
There was a problem hiding this comment.
Why bring in a third-party library for parsing changelogs when we have our own? @metamask/auto-changelog can do this, and is written specifically for the format we use
There was a problem hiding this comment.
The parsing and validation becomes trivial with auto-changelog, we could remove most of this script.
Parsing would essentially become
const unreleasedChanges = parseChangelog({ changelogContent, repoUrl }).getReleaseChanges('Unreleased')
(keyed by category, but you can Object.values(...).flat() to get an array of string change entries).
No need for a custom changelog library or diff library.
| `❌ Error fetching CHANGELOG.md from ${branch} on ${repo}:`, | ||
| error, | ||
| ); | ||
| return ''; |
There was a problem hiding this comment.
Nit: Why return here rather than throw? It looks like this empty string would get passed along to `parseChangelog, which maybe would fail if given an empty string, not sure. But even there the error is caught and logged, letting the script continue.
We can't check a changelog that doesn't exist
|
|
||
| if (baseChanges === featureChanges) { | ||
| console.log( | ||
| "❌ No new entries detected under '## Unreleased'. Please update the changelog.", |
There was a problem hiding this comment.
Two suggestions related to this:
- This suggests that updating the changelog is the recommended way to address this error, but that's not necessarily true. We really don't want junk entries for non user-facing changes, that would make releases much more difficult rather than easier. We should be suggesting that the contributor either document user-facing changes, or add
no-changelogto bypass the check if there are no user-facing changes. - Have you considered putting this in a comment rather than the console output? It will be much easier to see this feedback if it's in a comment, particularly as we first roll out this workflow.
| echo "Merge group event detected, auto-succeeding." | ||
| exit 0 | ||
| fi | ||
| echo "Proceeding with pull request checks." |
There was a problem hiding this comment.
Why are we running it on the merge group event, if it is always skipped? Let's just run it only on PR instead?
There was a problem hiding this comment.
It's an unfortunate side effect of pull_request and merge_group event types, if you run in only on pull_request but have merge queue enabled on your repository you won't be able to make it a required check as it will fail in the merge_group as an unresolved/omitted check.
There was a problem hiding this comment.
If we don't want this to be a required check in the future then we can safely remove all the merge_group references
| type: string | ||
| event-type: | ||
| required: true | ||
| type: string |
There was a problem hiding this comment.
All of the inputs are already part of the gh context, they do not need to be passed down as inputs
There was a problem hiding this comment.
not all context is propagated on workflow calls as it would normally be if you're running a typical job, this is a side effect of using workflow_call based flows
| if: ${{ inputs.event-type == 'pull_request' }} | ||
| run: yarn --immutable | ||
| shell: bash | ||
| working-directory: ./github-tools |
There was a problem hiding this comment.
Instead of all these steps, we could use the checkout and setup reusable workflow?
There was a problem hiding this comment.
If unclear how it works, reach out to @HowardBraham
There was a problem hiding this comment.
It would require some changes checkout-and-setup particularly around handing the directories/ .nvmrc files which was a bit more work then I originally wanted to sign up for and that one was being rolled out with it's new features while this one was under development. One of the challenges with these re-useable workflows that have code executed and especially if they need to perform work on the invoking repository's files is that we have multiple github repositories and codebases in context. I think the current checkout-and-setup has a 1 repository in mind approach which i think is correct that's generally the normal usage.
| with: | ||
| repository: MetaMask/github-tools | ||
| ref: changelog-checker | ||
| path: github-tools |
There was a problem hiding this comment.
Why is it in a subfolder instead of root?
There was a problem hiding this comment.
Because you have two repositories in context invoking repository and the github-tools repo/base
| const token = process.env.GITHUB_TOKEN ?? ''; | ||
|
|
||
| try { | ||
| const response = await axios.get(url, { |
There was a problem hiding this comment.
why are we using axios instead of fetch? it would be nice if we could remove this unnecessary dependency (unless there is a very good reason to use it, that I cannot think about)
| const featureChangelogContent = await fetchChangelogFromGitHub( | ||
| repo, | ||
| featureBranch, | ||
| ); |
There was a problem hiding this comment.
these two should be able to be fetched in parallel:
await Promise.all([...])|
|
||
| if (!featureChangelogContent) { | ||
| console.error('❌ CHANGELOG.md is missing in the feature branch.'); | ||
| throw new Error('❌ CHANGELOG.md is missing in the feature branch.'); |
There was a problem hiding this comment.
Why is the same message displayed twice?
|
|
||
| // Parse the changelogs | ||
| const baseChanges = await parseChangelog(baseChangelogContent); | ||
| const featureChanges = await parseChangelog(featureChangelogContent); |
There was a problem hiding this comment.
these two should be able to be parsed in parallel:
await Promise.all([...])
Co-authored-by: Norbert Elter <[email protected]>
Co-authored-by: Norbert Elter <[email protected]>
|
@Gudahtt @itsyoboieltr I’ve opened a PR in Core for this same workflow action: MetaMask/core#5575. |
This Change introduces a new shared workflow that will be confused by metamask-mobile and metamask-extension.
It will enforce that incoming PRs have either a modification to the Unreleased Section of the README or a label on the PR ( no-changelog ) which will indicate theres no external facing changes users need to know about
https://github.com/MetaMask/MetaMask-planning/issues/3678