docs: implement changelog generation audit findings (#7522)#7667
docs: implement changelog generation audit findings (#7522)#7667
Conversation
jongio
requested review from
danieljurek,
rajeshkamal5050,
tg-msft,
vhvb1989 and
wbreza
as code owners
There was a problem hiding this comment.
Pull request overview
This PR updates the changelog-generation skill documentation to incorporate the audit findings from #7522 (rules/validation gates around PR number selection, deduplication, alpha/beta gating, and inclusion defaults) and adds a standalone Go-based audit tool under .github/skills/changelog-generation/audit/ to retroactively check recent releases and emit a Markdown report.
Changes:
- Extend
SKILL.mdandreferences/pr-processing.mdwith new rules/validation steps for deduplication, PR-link validation, alpha/beta gating, and “borderline include” guidance. - Add a Go audit tool (
main.go+go.mod) with docs and a generatedreport.mdexample output. - Add minimal repo hygiene for the tool (
.gitignorefor Windows executables).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
.github/skills/changelog-generation/SKILL.md |
Adds cross-release dedup + PR-link validation + commit-range cross-check steps to the skill workflow. |
.github/skills/changelog-generation/references/pr-processing.md |
Adds dual-PR-number extraction guidance and expands exclusion/include heuristics (alpha/beta + borderline defaults). |
.github/skills/changelog-generation/audit/main.go |
Implements the audit engine, report generator, and “side-by-side diff” rendering. |
.github/skills/changelog-generation/audit/README.md |
Documents running the audit tool and explains checks/flags. |
.github/skills/changelog-generation/audit/report.md |
Adds a generated sample audit report for reviewers. |
.github/skills/changelog-generation/audit/go.mod |
Introduces a standalone Go module for the audit tool. |
.github/skills/changelog-generation/audit/.gitignore |
Ignores Windows .exe outputs in the audit tool folder. |
jongio
force-pushed
the
fix/changelog-audit-findings
branch
from
458b726 to
b97690a
Compare
jongio
added
area/docs
wbreza
left a comment
wbreza
left a comment
There was a problem hiding this comment.
Code Review — PR #7667: Changelog Generation Audit Findings
Verdict: 💬 Suggestions for clarification — High-quality contribution. Audit tool is well-designed, 20-release backtesting is thorough, SKILL.md improvements are substantial. A few ambiguities worth tightening up.
Findings
🟠 1. Dual PR rule needs disambiguation (pr-processing.md)
The rule says "use the last PR number" but this is ambiguous for subjects like Backport fix (#7233) to (#7235). Suggest clarifying: "Rightmost (#NNNN) match in the commit subject line is canonical."
🟠 2. Step 4 batch processing semantics unclear (SKILL.md)
States "do not batch or abbreviate" but earlier instructions reference processing commits. Unclear: does each commit always map to exactly one PR? How are merge commits with multiple logical changes handled?
🟠 3. Borderline exclusion guidance is subjective (pr-processing.md)
"When uncertain, include it" is reasonable but could use concrete examples. Suggestion: add 2-3 examples like "UX improvement to help text → Include. Typo fix in internal docs → Exclude. Improved error message → Include."
🟠 4. Phantom entry (F6) findings lack resolution guidance (findings.md)
F6 flags like "PR #7343 in changelog but not found in commit range" are clear, but don't explain why or how to resolve. Are these backports? Cherry-picks? Manual entries? A one-line explanation per F6 finding would help future auditors.
🟡 5. Multi-scope PR handling missing (pr-processing.md)
No guidance for PRs that touch both core CLI and extensions. Should they appear in both CHANGELOGs? Only core?
What's Good
- ✅ Audit tool methodology is sound — deterministic, conservative corrections (only removes provably-wrong entries)
- ✅ 20-release backtesting validates F1-F6 rules without false positives
- ✅ All 40 audit files follow consistent markdown structure
- ✅ SKILL.md workflow is comprehensive with edge cases, dedup, and spell check
- ✅ findings.md is well-structured with per-release detail and summary tables
Great work on the audit infrastructure — this is a solid foundation for changelog quality. 👍
jongio
force-pushed
the
fix/changelog-audit-findings
branch
from
b97690a to
573de84
Compare
|
Thanks for the thorough review! All 5 suggestions addressed:
Fixed — changed "last" to "rightmost (#NNNN) match in the commit subject line" for precision.
Fixed — added clarification that each commit maps to exactly one canonical PR via the extraction rules in
Fixed — added a quick-reference examples table (Include: improved error messages, help text changes, flag parsing fixes. Exclude: internal doc typos, pure refactors).
Fixed — F6 descriptions now note "likely a backport, cherry-pick, or manual addition" to help auditors understand why phantom entries occur.
Fixed — added guidance: PRs touching both core and extensions go in the core changelog only if there are meaningful core changes; the extension changelog references the PR independently. |
Address all 6 findings from the changelog generation audit: 1. Dual PR number extraction - use last PR number as canonical reference 2. Enforce PR links on every changelog entry in Step 5 validation 3. Cross-release deduplication check in Step 4 (PR + issue numbers) 4. Document alpha/beta feature gating in exclusion rules 5. Default borderline user-facing changes to included 6. Post-generation cross-reference validation against commit range Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add a Go tool that retroactively audits past changelog releases against the updated generation rules, producing a side-by-side comparison report. The tool checks for: - F1: Dual PR number extraction (use last as canonical) - F2: Missing PR links on changelog entries - F2b: Issue links used instead of PR links - F3/F3b: Cross-release and intra-release duplicate entries - F4: Alpha/beta feature gating verification - F5: Borderline excluded commits that should be included - F6: Phantom entries (PRs not in commit range) - F6b: Link text/URL number mismatches Results across 20 releases (1.22.2-1.23.15): - 9 errors (all missing PR links in 1.23.9, 1.23.13) - 18 warnings (phantoms, borderline exclusions, duplicates) - 2 info (alpha/beta gating checks) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Enhance the changelog audit tool to generate GitHub-renderable diff blocks showing exactly how each release section would change under the new rules. Each corrected line includes annotations (e.g., ← F2: add missing PR link) so reviewers can see the rule justification at a glance. Changes: - Add correctRelease() engine that mechanically applies all 6 finding rules - Add renderUnifiedDiff() that produces unified diff with annotations - Finding struct now carries LineNumber, OldPR, NewPR for precise corrections - Report regenerated with diff blocks for all 20 audited releases Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace monolithic report.md with per-release comparison files: - published/<version>.md: verbatim changelog extract from CHANGELOG.md - corrected/<version>.md: deterministic corrections only (F1, F2b, F3, F6, F6b) - findings.md: clean findings report without embedded diffs Key improvements: - No more fake [[#???]] placeholders — only apply corrections when the right answer is provable (e.g., F1 PR swap, F6 phantom removal) - Per-release files are small and diffable with standard tools - Findings use indented code blocks to avoid backtick nesting issues - 5 of 20 releases have corrections; 15 are identical Reviewers: diff -ru published/ corrected/ to see all corrections. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Reorder PR extraction rules: check dual PR numbers first (before single-match squash merge) to avoid ambiguity when multiple (#NNNN) patterns are present - Add warning log when changelog entries contain multiple PR links (only first is tracked; affects F3/F6 accuracy for older releases) - Regenerate findings.md with updated commit range display Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Clarify dual-PR rule: 'rightmost' instead of 'last' for precision - Clarify Step 4 commit-to-PR mapping (each commit -> one canonical PR) - Add quick-reference examples table for borderline exclusion decisions - Add resolution hint to F6 phantom entry findings (backport/cherry-pick) - Add multi-scope PR guidance (core vs extension changelog ownership) - Regenerate audit findings with updated F6 descriptions Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio
force-pushed
the
fix/changelog-audit-findings
branch
from
02513f2 to
d7602be
Compare
Before/After: how the new rules would have changed our last two non-clean releasesThe audit tool included in this PR catches real issues from recent releases. Here are concrete before/after diffs for the two most recent releases that have findings under the new rules: 1.23.14 and 1.23.13. (1.23.15 was clean — no changes needed.) Full report: 1.23.14 — 2 phantom entries removed (rule F6) + 1 alpha/beta verification flag (F4) ## 1.23.14 (2026-04-03)
### Bugs Fixed
- [[#7314]](https://github.com/Azure/azure-dev/pull/7314) Fix environment variable leak ...
- - [[#7343]](https://github.com/Azure/azure-dev/pull/7343) Fix nil pointer panic when `azure.yaml` contains services, resources, or hooks with empty definitions; reports all issues in a single actionable error message.
- [[#7356]](https://github.com/Azure/azure-dev/pull/7356) Fix panic when `azd auth token` ...
...
### Other Changes
- [[#7456]](https://github.com/Azure/azure-dev/pull/7456) Update bundled GitHub CLI to v2.89.0.
- - [[#7299]](https://github.com/Azure/azure-dev/pull/7299) Add command-specific telemetry attributes for `auth login`, `env list`, `hooks run`, `pipeline config`, and `infra generate` commands.
- [[#7396]](https://github.com/Azure/azure-dev/pull/7396) Add telemetry instrumentation for preflight validation ...Why: PRs #7343 and #7299 are not in the 1.23.13 — 6 missing PR links (F2), 1 issues→pull link fix (F2b), 2 phantom entries (F6) ## 1.23.13 (2026-03-26)
### Features Added
- [[#7247]](https://github.com/Azure/azure-dev/pull/7247) Add actionable suggestion ...
- [[#7236]](https://github.com/Azure/azure-dev/pull/7236) Improve `azd auth status --output json` ...
- - [[#2743]](https://github.com/Azure/azure-dev/issues/2743) Support deploying Container App Jobs ...
- - Add `ConfigHelper` for typed, ergonomic access to azd user and environment configuration ...
- - Add `Pager[T]` generic pagination helper with SSRF-safe nextLink validation ...
- - Add `ResilientClient` hardening: exponential backoff with jitter ...
- - Add `SSRFGuard` standalone SSRF protection with metadata endpoint blocking ...
- - Add atomic file operations (`WriteFileAtomic`, `CopyFileAtomic`, `BackupFile`, `EnsureDir`) ...
- - Add runtime process utilities for cross-platform process management ...
### Bugs Fixed
...
### Other Changes
- [[#7235]](https://github.com/Azure/azure-dev/pull/7235) Fix auth error telemetry classification ...
- - [[#7330]](https://github.com/Azure/azure-dev/pull/7330) Add `azure.yaml` schema metadata to enable automatic schema association ...Why:
Aggregate impact across the last 20 releases
5 of 20 releases (1.23.0, 1.23.4, 1.23.12, 1.23.13, 1.23.14) would have changed under the new rules. The rest were already clean. |
|
/check-enforcer override |
Summary
Implements the 6 audit findings from #7522, which audited 10 releases (1.23.5–1.23.14) and identified systematic issues in changelog generation.
What Changed
Skill Rule Updates
pr-processing.md — 3 new rules:
SKILL.md — 3 new validation steps:
[[#NNN]](url)PR link before outputBacktesting Audit Tool
A standalone Go tool at
.github/skills/changelog-generation/audit/that retroactively audits the last 20 releases against all 6 rules and generates a detailed report with:The diff blocks render with GitHub's syntax highlighting (red/green coloring) and include rule annotations (e.g.,
← F2: add missing PR link) so reviewers can see the justification for each change at a glance.Key Findings from 20-Release Audit
How to Review
pr-processing.mdandSKILL.mddiffs for the 6 new rulesaudit/report.mdand scroll to any release's Side-by-Side Diff section to see how the rules would have changed that release's changelogaudit/main.gofor the backtesting logicHow to Run the Audit Tool
Closes #7522