Add CI enforcement of Chronus change descriptions for SDK packages

[Copilot]

see https://github.com/Azure/azure-sdk-for-python/blob/main/doc/dev/changelog_updates.md

Need to ping partner teams b4 merging

[l0lawrence]

@copilot this should be run for any packages touched that have a pyproject.toml

[Copilot]

@copilot this should be run for any packages touched that have a pyproject.toml

Updated the paths filter from sdk/*/*/pyproject.toml to sdk/*/*/** (commit 1b2f57b). The workflow now triggers for any file change inside a package directory, and npx chronus verify uses .chronus/config.yaml to determine whether a changelog entry is actually required for those changes.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• scanning-api.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[l0lawrence]

@copilot can we try changing something in azure-keyvault-keys and azure-mgmt-eventgrid pkgs to test this ci change

[Copilot]

@copilot can we try changing something in azure-keyvault-keys and azure-mgmt-eventgrid pkgs to test this ci change

Added test comments (commit 539f511c) to:

• sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_sdk_moniker.py — dataplane package with full pyproject.toml
• sdk/eventgrid/azure-mgmt-eventgrid/azure/mgmt/eventgrid/_patch.py — mgmt package that also has a pyproject.toml

Both changes are Python source files, which are NOT excluded by chronus's changedFiles filter, so npx chronus verify should require changelog entries for both and fail — demonstrating CI enforcement is active. Note: azure-mgmt-eventgrid does have a pyproject.toml (build-tool config only), so the workflow will trigger for it too.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• scanning-api.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[l0lawrence]

@copilot Run npx chronus verify
npm error could not determine executable to run
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2026-03-19T20_20_58_912Z-debug-0.log
Error: Process completed with exit code 1.

[Copilot]

@copilot Run npx chronus verify
npm error could not determine executable to run
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2026-03-19T20_20_58_91...

Fixed in commit 40ed920a. The error occurred because there's no package.json in the repo root, so npx chronus couldn't resolve the package. Added an explicit npm install -g @chronus/chronus step before running chronus verify.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• registry.npmjs.org
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/_temp/ghcca-node/node/bin/npm show chronus version (dns block)
• scanning-api.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[l0lawrence]

@copilot add documentation under doc/dev that advises on how to use chronus

[Copilot]

@copilot add documentation under doc/dev that advises on how to use chronus

The documentation already exists in the repo at doc/dev/changelog_updates.md (added in commit 77b28992). It covers prerequisites, chronus add, change kinds table, chronus verify, chronus status, and links to further reading. The doc/dev/README.md also already links to it under the "Changelog" entry.

[l0lawrence]

Discussion: How will this interact/impact [auto-prs] for mgmt-* pkgs, do we want this to trigger on them? Should we put in a default chronus entry in the auto-pr as well that says "generation" or uses the commits from the rest-api-specs pr to create the chronus entry?

[Copilot]

Pull request overview

Adds GitHub Actions CI enforcement for Chronus change descriptions by running chronus verify on pull requests that modify files under sdk/*/*/**, leveraging the existing .chronus/config.yaml to decide when a change description is required.

Changes:

• Added a new GitHub Actions workflow to run Chronus verification on relevant PRs.
• Added “CI test” marker comments in one dataplane file and one mgmt file to exercise the workflow trigger.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/chronus-verify.yml	New workflow to run Chronus verification on PRs touching SDK package directories.
sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_sdk_moniker.py	Adds a CI-test comment intended to trigger the workflow.
sdk/eventgrid/azure-mgmt-eventgrid/azure/mgmt/eventgrid/_patch.py	Replaces copyright header line with a CI-test comment to trigger the workflow.

[Copilot]

The PR description says enforcement is scoped to SDK packages that use pyproject.toml / dataplane packages, but this workflow triggers on any changes under sdk///** (including mgmt packages). Either narrow the paths filter (e.g., to pyproject.toml changes) or update the PR description/intent to reflect that mgmt packages will also be subject to Chronus verification (per .chronus/config.yaml’s sdk// package glob).

[Copilot]

Remove this CI-test-only comment. This module is part of the shipped library surface (even if internal), and leaving workflow-validation notes in product code adds long-lived noise and complicates future diffs/blame. Prefer validating the workflow via a PR that only touches workflow/config files (or use workflow_dispatch) rather than adding sentinel edits in SDK source.

Suggested change

# CI test: verifying chronus-verify workflow triggers for dataplane packages

[Copilot]

This change removes the file’s copyright header and replaces it with a CI-test note. Please restore the original copyright line (and keep the license header intact) and avoid embedding workflow-validation comments in SDK source files.

Suggested change

	# CI test: verifying chronus-verify workflow triggers for mgmt packages
	#
	# Copyright (c) Microsoft Corporation. All rights reserved.

[Copilot]

Installing Chronus globally (npm install -g) is more fragile in CI (can fail due to npm global prefix permissions) and makes the executed Chronus version implicit. Prefer invoking Chronus via npx (optionally pinned to a specific version) so the workflow is reproducible and doesn’t depend on global PATH mutations.

Suggested change

	- name: Install chronus
	run: npm install -g @chronus/chronus
	- name: Run chronus verify
	run: chronus verify
	- name: Run chronus verify
	run: npx -y @chronus/chronus@latest verify

[l0lawrence]

@copilot can we have our gh workflow reference the doc on failure

[Copilot]

@copilot can we have our gh workflow reference the doc on failure

Done in commit c17e43fa. The workflow now uses npx -y @chronus/chronus verify (dropping the separate install step, as the reviewer suggested) and adds a failure step that emits two ::error:: annotations — one telling contributors to run npx chronus add, and one linking to doc/dev/changelog_updates.md.

Discussion: How will this interact/impact [auto-prs] for mgmt-* pkgs, do we want this to trigger on them? Should we put in a default chronus entry in the auto-pr as well that says "generation" or uses...

Good question. The .chronus/config.yaml covers sdk/*/* (all packages), so mgmt-* packages are included by design — they need changelog entries for releases too. For auto-PRs that regenerate mgmt clients from REST API specs, the cleanest approach would be to have the auto-PR generation script automatically add a .chronus/changes/<pkg>-<hash>.md file with changeKind: feature (or internal for pure regenerations) using the spec PR title/description as the change description. That way CI passes immediately without any manual intervention. Whether to default to feature vs internal probably depends on whether the spec PR introduces new API surface — could be inferred from the commit messages or spec PR labels.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• scanning-api.github.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[mikeharder]

pin version of chronus and all transitive deps

pinned